Okta Release Notes

Last updated: Oct 14, 2025

  • Feb 1, 2026
    • Date parsed from source:
      Feb 1, 2026
    • First seen by Releasebot:
      Oct 14, 2025
    • Modified by Releasebot:
      Feb 28, 2026

    Okta

    Okta Classic Engine release notes (Production)

    Okta releases cover Okta Mobile End of Life set for May 31, 2026 with migration options. New and updated features include LDAP bidirectional group management, Zoho Mail group push, and WS-Trust 1.3 support for Windows Transport.

    Version: 2026.02.0

    February 2026

    Generally Available

    Okta Mobile End of Life

    The Okta Mobile app will transition to End of Life (EOL) status on May 31, 2026.
    After this deprecation date, Okta Mobile will not receive any further security updates, bug fixes, or support. The app will no longer be available for download through the Apple App Store or the Google Play Store.
    Okta previously announced the End of Support for Okta Mobile, effective November 1, 2025.
    See Okta Mobile End of Life for available migration solutions.

    Group push for Zoho Mail

    Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

    Okta Provisioning agent, version 3.0.7

    Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

    • The Generic Database Connector now supports Base64 encoded path parameters.
    • Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

    Access revoked notifications

    For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

    Admin Console French translation

    Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

    Agents page description

    The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

    Protected action notifications removed

    For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.

    LDAP Bidirectional Group Management

    Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.
    Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.

    Radius Agent version 2.26

    This version includes internal improvements and fixes.

    WS-Trust 1.3 support for Windows Transport

    Windows Transport now supports WS-Trust 1.3 protocol. This enables Silent Activation for newer Microsoft Office clients, eliminating the need for users to manually enter their credentials.

  • Feb 1, 2026
    • Date parsed from source:
      Feb 1, 2026
    • First seen by Releasebot:
      Sep 17, 2025
    • Modified by Releasebot:
      Mar 6, 2026

    Okta

    Okta Classic Engine release notes (Production)

    Okta unveils 2026.02.0 GA with major changes, including Okta Mobile End of Life scheduled for May 31, 2026, LDAP bidirectional group management, WS-Trust 1.3 support, and an on-premises connector for generic databases, plus fixes and new integrations across the Okta Integration Network.

    Version: 2026.02.0

    February 2026

    Early Access

    On-premises connector for Generic Databases
    The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

    Fixes

    • When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)
    • Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)
    • When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)
    • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)
    • The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

    Okta Integration Network

    • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
    • HashiCorp Vault (OIDC) is now available. Learn more.
    • Instagram (SWA) was updated.
    • Mailchimp (SWA) was updated.
    • Solarwinds Customer Portal (SWA) was updated.
    • Peaxy Lifecycle Intelligence (OIDC) has a new app name.

    Weekly Updates

    2026.02.1: Update 1 started deployment on February 17

    Fixes
    • Group rules sometimes failed when they were executed immediately after a group rule was deleted. (OKTA-880814)
    • Group push sometimes failed during deployments. (OKTA-941489)
    • When the display language was set to French, the Agents and API > Tokens pages weren't translated. (OKTA-1104991)
    • App imports failed with a BeanCreationNotAllowedException error when system deployments interrupted the process. (OKTA-1105164)
    • When a user's API status was suspended, but their user status differed, their password was incorrectly able to be expired. (OKTA-1108658)

    Okta Integration Network

    • Priverion Platform SSO with SCIM 2.0 (SAML) is now available. Learn more.
    • Priverion Platform SSO with SCIM 2.0 (SCIM) is now available. Learn more.
    • Webrix (OIDC) is now available. Learn more.
    • Webrix (SCIM) is now available. Learn more.
    • BrandLife (OIDC) is now available. Learn more.
    • Brava Security (OIDC) is now available. Learn more.
    • Brava Security now supports Express Configuration.
    • WideField Security - Detect has a new integration guide.
    • Druva Data Security Cloud (API) now has the okta.authorizationServers.manage, okta.devices.read, okta.idps.manage, and okta.roles.manage scopes.
    • Vanta (SAML, SCIM) was updated.

    2026.02.2: Update 2 started deployment on February 23

    Generally Available

    Okta On-Prem MFA agent version 1.8.5
    This version includes security enhancements.

    Fixes
    • When the Map primary email to login attribute feature was enabled, Username and Email address were shown as separate fields on the Self-service registration page. (OKTA-1107675)
    • When the display language was set to French, the list of network zones on the Networks page wasn't translated. (OKTA-1111126)
    • When the display language was set to French, some of the button labels on the Set up Active Directory pages weren't translated. (OKTA-1111128)
    • In some orgs, password reset emails didn't allow users to reset their password. (OKTA-1120290)

    Okta Integration Network

    • Natoma (SCIM) is now available. Learn more.
    • Natoma (SAML) is now available. Learn more.
    • 6sense legacy (SCIM) is now available. Learn more.
    • Four/Four (OIDC) is now available. Learn more.
    • Docupilot (SAML) is now available.
    • IdentiGuard (API Service) has new scopes. Learn more.
    • Zylo now supports the okta.userTypes.read and okta.schemas.read scopes.
    • Zylo with Okta Actions (API Service) now supports the okta.userTypes.read and okta.schemas.read scopes.
    • Drata (OIDC) has new redirect URIs. Learn more.
    • 6sense - Platform has a new app description and is rebranded as 6sense legacy.
    • RevSpace (OIDC) has a new app icon.
    • Hubspot (SWA) was updated.

    2026.02.3: Update 3 started deployment on March 2

    Fixes
    • When creating an AD integration, the Admin Console displayed the incorrect organization URL for the Okta Active Directory agent. (OKTA-1044074)
    • When admins edited certain Microsoft Office 365 authentication policy rules, the AND User must authenticate with field incorrectly displayed Any 1 factor type instead of the configured assurance requirement. (OKTA-1055783)
    • When admins enabled Force rematch on subsequent imports, unconfirmed users with an exact match weren't automatically matched or confirmed during scheduled imports. (OKTA-1087380)
    • When LDAP users were provisioned using a Generalized Time attribute from Okta to LDAP OID or OpenDJ, the time was incorrectly formatted. (OKTA-1096662)
    • When an admin selected Create or Update in the provisioning settings of an Office 365 app, and then canceled the changes, the Manage Provisioning Scope section disappeared from the To App tab when they navigated away and back to the page. (OKTA-1105441)
    • Orchestrated import jobs sometimes failed when an object lacked an ancestor. This caused the import process to stop unexpectedly while handling group memberships or deleted objects. (OKTA-1115537)

    Okta Integration Network

    • Brain Payroll (OIDC) is now available. Learn more.
    • Neo (API Service) is now available. Learn more.
    • Operant MCP Gateway (OIDC) is now available. Learn more.
    • Speeda (OIDC) is now available. Learn more.
    • Zerocater (OIDC) is now available. Learn more.
    • Zerocater (SCIM) is now available. Learn more.
    • Zerocater now supports Universal Logout.
  • Jan 1, 2026
    • Date parsed from source:
      Jan 1, 2026
    • First seen by Releasebot:
      Dec 17, 2025
    • Modified by Releasebot:
      Feb 4, 2026

    Okta

    Okta Classic Engine release notes (Production)

    Okta 2026.01 delivers GA features like JSON Web Encryption for OIDC ID tokens, unified claims for custom apps, a refreshed Access Requests UI, and secure task escalation. It also adds automatic OAuth scope assignment, Office 365 usability tweaks, and breached credentials protection for federal customers.

    Version: 2026.01.0

    January 2026

    Generally Available

    JSON Web Encryption of OIDC ID tokens

    You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

    Unified claims generation for custom apps

    Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

    New look and feel in the Access Requests email notifications

    The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

    Escalate tasks is generally available in Production environments

    Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.
    See Manage tasks and Allow requesters to escalate tasks.

    OAuth 2.0 scopes automatically assigned to API integrations

    Now when you add an API integration to your org, Okta automatically assigns the required OAuth 2.0 scopes to the app.

    Usability enhancements for Office 365 WS-Federation configuration

    The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

    • The View Setup Instructions button has been relocated to optimize the visual layout.
    • A new display option has been added to visualize parent and child domain relationships.

    Enhanced provisioning support for Office 365 GCC High integration

    Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

    Early Access

    Breached credentials protection

    Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
    Breached credentials protection is now available for Federal customers.

    Fixes

    • The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)
    • In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)
    • Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)
    • In some orgs, resource access policy rules didn't take effect immediately after being updated. (OKTA-1071402)
    • Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)
    • When an admin provisioned an LDAP user with a LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)
    • JIT users were redirected to a SP before app assignments were completed, causing an access denied error. (OKTA-1061698)
    • In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)
    • Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)
    • In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)
    • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

    Okta Integration Network

    • Dokio (SCIM) is now available. Learn more.
    • Kuranosuke (SAML) is now available. Learn more.
    • LINE WORKS (SCIM) is now available. Learn more.
    • SciLeads Portal (OIDC) is now available. Learn more.
    • SciLeads Portal (SCIM) is now available. Learn more.
    • ShareCal (SCIM) is now available. Learn more.
    • ShareCal (SAML) was updated with a new logo.
    • Humana Military (SWA) was updated.
    • Xint (OIDC) added new IDP flow.
    • cmBuilder (OIDC) has a new Redirect URI and a new Post Logout Redirect URI. Learn more.
    • Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

    Weekly Updates

    2026.01.1: Update 1 started deployment on January 20

    Generally Available

    New IP service category

    FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

    Fixes

    • In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)
    • When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)
    • When an admin updated the agent pool, an error occurred if the agentType was missing. (OKTA-1071106)
    • When an admin reactivated a user through an Active Directory import, the System Log didn't record the event. (OKTA-1071233)
    • When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)
    • For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI.

    Okta Integration Network

    • Seismic (SCIM) is now available. Learn more.
    • OX Security (OIDC) is now available. Learn more.
    • Skedda (SCIM) is now available. Learn more.
    • Jotform (SCIM) is now available. Learn more.
    • Planhat (SCIM) is now available. Learn more.
    • Safety AZ (OIDC) is now available.
    • Exabeam (SAML) is now available.
    • 101domain (OIDC) is now available.
    • OX Security (OIDC) now supports Universal Logout.
    • Skedda (SAML) has a new description, icon, and configuration guide.
    • Obsidian Security (SAML) has a new configuration guide, attribute, and app description.
    • Planhat (SAML) has a new integration guide.
    • Exaforce (API Service) now has the okta.idps.read scope.
    • Seismic (SAML) has a new logo, app description, and configuration guide.
    • BridgeBank Business eBanking (SWA) was updated.
    • Humana Military (SWA) was updated.
    • Jotform (SAML) was updated.
    • Scalefusion OneIdP (SCIM) was updated.

    2026.01.2: Update 2 started deployment on February 2

    Generally Available

    Fixes

    • When users authenticated using a third-party IdP, the AMR claims for MFA weren't included in the token. (OKTA-1020028)
    • When creating a group rule, after entering ten groups, admins needed to enter complete or nearly-complete group names to add more groups to the rule, rather than being able to enter a partial name and select from a list. (OKTA-1067501)
    • When admins created a user and chose a realm to assign, the realm wasn't assigned and an error occurred upon save. (OKTA-1091903)
    • Admins couldn't revert the default network zone's name back to LegacyIpZone after they'd modified it. (OKTA-1045470)
    • Active Directory imports failed with a ProcessMembershipsAndDeletedObjectsJob: null error. (OKTA-1098885)

    Okta Integration Network

    • SparrowDesk (SAML) is now available. Learn more.
    • Eon.io (SAML) is now available. Learn more.
    • NoClick (SAML) is now available. Learn more.
    • Druva Data Security Cloud (API) is now available. Learn more.
    • SimCorp Dimension (SAML) is now available. Learn more.
    • Falcon Shield (API Service Integration) has a new scope. Learn more.
    • Rubrik Security Cloud (API Service Integration) has a new integration guide. Learn more.
    • SimCorp Dimension (SCIM) has a new SCIM configuration guide URL and a new app description.
    • AWS IAM Identity Center (SAML) has multiple ACS URLs support.
    • ShareCal (SAML) has an updated App Instance Property & Configuration Guide link.
    • ClickUp (SAML) has a new configuration guide and app description.
    • ClickUp (SAML) was updated.
    • CardinalOps (SAML) was updated.
    • OrbiPay Payments (SWA) was updated.
  • Nov 1, 2025
    • Date parsed from source:
      Nov 1, 2025
    • First seen by Releasebot:
      Nov 11, 2025
    • Modified by Releasebot:
      Dec 5, 2025

    Okta

    Okta Classic Engine November 2025 Update

    Okta 2025.11 delivers GA features across admin roles, AD agent updates, and stronger security. It adds PDF exports for Identity Governance, network-restricted OIDC endpoints, and UI refinements, plus enhanced behavior detections and entitlement management.

    November 2025

    Generally Available

    Manage agents permission granted to certain roles

    Custom admin roles with the View application and their details permission now have the View agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.

    New System Log event for AD agent changes

    The System Log event system.agent.ad.config.change.detected reports when Okta support modified an AD agent configuration.

    Custom domains and certificates

    Okta now supports the use of SHA 384 and SHA 512 signed certificates for custom domains. See Configure a custom domain.

    Okta Active Directory agent, version 3.22.0

    This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.

    Network restrictions for OIDC token endpoints is GA in Production

    You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

    Export Okta Identity Governance reports in PDF format

    You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

    Changes to the Okta Sign-In Widget UI

    The Okta Sign-In Widget (first and second generation) now uses the native Select component for dropdown elements. These UI elements have a new appearance, and the dropdown search functionality is no longer available.

    Behavior Detections for new ASN

    Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

    Enhanced security for Okta Access Requests web app

    The Okta Access Requests web app now performs policy evaluations before granting new access tokens.

    Early Access

    Submit entitlement management integrations

    Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.

    Fixes

    • The Authentication of user via MFA System Log event didn't display the IP address and client information. (OKTA-979214)
    • AD password resets sometimes failed with an exception. (OKTA-1004233)
    • When interacting with the Access Request web app using Safari browser, users couldn't tag another user with @ in the request's chat. (OKTA-1005685)
    • Deleted request types sometimes reappeared if the org had the Unified Requester Experience feature enabled. (OKTA-1040545)
    • When the LDAP agent installer successfully registered the agent but the installation failed, the agent incorrectly appeared as operational. (OKTA-1045661)

    Okta Integration Network

    • Harmony now has the okta.users.manage, okta.groups.read, and okta.groups.manage scopes.
    • Valos (OIDC) has a new redirect URI. Learn more.
    • Chronicle of Higher Education (SWA) was updated.
    • 1VALET (SAML) has updated attribute statements.
    • Fabrix Smart Actions (API Service) now has the okta.groups.manage scope.
    • Boston Properties (SWA) was updated.
    • Holistiplan SSO (SAML) is now available. Learn more.
    • Mimecast Human Risk Integration (API Service) is now available. Learn more.
    • Aglide (SAML) is now available. Learn more.
    • Aglide (SCIM) is now available.
    • SmarterSign Digital Signage (OIDC) is now available. Learn more.
    • SmarterSign Digital Signage (SCIM) is now available. Learn more.

    Weekly Updates

    2025.11.1: Update 1 started deployment on November 13

    Generally Available

    Partner Admin Portal App Switcher

    In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.

    Fixes
    • Okta authentication requests for some orgs resulted in high latency and database CPU spikes when a user's email address in the request started with a space. (OKTA-627502)
    • Users @mentioned in an access request Slack thread didn't receive a notification unless they were already a follower of the request. (OKTA-1053390)
    • The Edit resource set page didn't load if the resource set included a deleted resource. (OKTA-1030613)
    • When an AD integration had DirSync enabled, the user's manager and Group owners didn't get updated during an incremental import. (OKTA-1047146)

    Okta Integration Network

    • Ziflow has a new icon.
    • Valence (SAML) was updated.
    • Extreme Platform ONE Security API Service (API Service Integration) is now available. Learn more.
    • Clever (District Administrator Login) (SWA) was updated.
    • DynaMed (SAML) is now available. Learn more.
    • Intercom now supports Group Push.

    2025.11.2: Update 2 started deployment on December 2

    Fixes
    • An error was returned if the cursor type for Stored Procedures wasn't REFCURSOR. (OKTA-1048452)

    Okta Integration Network

    • LegalOn (Japan) (SAML) was updated.
    • Lyster (OIDC) is now available. Learn more.
    • Canva (SWA) was updated.
    • Rubrik Security Cloud (API Service Integration) is now available. Learn more.
    • Veraproof SSO (OIDC) is now available.
    • Lumen5 (SAML) is now available.
    • Cloudflare One (OIDC) is now available.
  • Sep 1, 2025
    • Date parsed from source:
      Sep 1, 2025
    • First seen by Releasebot:
      Oct 8, 2025

    Okta

    Okta Classic Engine 2025.09.0

    Okta 2025.09 GA unlocks Office 365 entitlement sync, improved Access Requests, and new provisioning agents. It adds CSP nonce rollout, GZIP exports for Admin Console, breached credentials protection, admin auth prompts, and broad LDAP/OIDC updates with a new App Switcher.

    Version: 2025.09.0

    September 2025

    Generally Available

    Office 365 License and Roles Management now supports sync entitlements
    Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.

    Improved user experience for Access Requests
    The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is [email protected].

    New versions of Okta Provisioning agent and SDK
    Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.

    Nonce rollout for Content Security Policy
    Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns HTML content. This is a two-stage process: first, the nonce is added to the style-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe inline instances are identified and fixed, the nonce is added to the style-src directive of the Content-Security-Policy header. This update will be gradually applied to all endpoints.
    These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.
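
    The two-stage rollout described above can be tracked per endpoint by inspecting the response headers. The following Python is an added example, not Okta's code: it parses both CSP headers and reports which stage an endpoint is in. The endpoint paths, header values, and stage names are constructed for illustration.

```python
import re

# A CSP nonce source looks like 'nonce-<base64 or base64url value>'.
NONCE_SOURCE = re.compile(r"^'nonce-[A-Za-z0-9+/_-]+={0,2}'$", re.IGNORECASE)

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(header_value):
    """Parse a CSP header value into a list of policies.

    Each policy is a dict mapping a lowercased directive name to its list of
    source expressions. A header value may carry several comma-separated
    policies; within one policy a repeated directive is ignored (first wins).
    """
    policies = []
    for policy_text in header_value.split(","):
        directives = {}
        for part in policy_text.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies


def style_src_has_nonce(header_value):
    """True if any policy in the header lists a nonce source under style-src."""
    if not header_value:
        return False
    return any(
        NONCE_SOURCE.match(source)
        for policy in parse_csp(header_value)
        for source in policy.get("style-src", [])
    )


def rollout_stage(headers):
    """Classify one response by the stage of the style-src nonce rollout.

    Stage names are labels chosen for this example:
      "enforced"    - nonce present in Content-Security-Policy
      "report-only" - nonce present only in Content-Security-Policy-Report-Only
      "not-started" - no style-src nonce in either header
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if style_src_has_nonce(lowered.get(ENFORCED)):
        return "enforced"
    if style_src_has_nonce(lowered.get(REPORT_ONLY)):
        return "report-only"
    return "not-started"


def classify_endpoints(responses):
    """Map each endpoint path to its rollout stage."""
    return {path: rollout_stage(headers) for path, headers in responses.items()}


# Constructed sample responses (hypothetical paths and header values).
SAMPLE_RESPONSES = {
    "/login": {
        "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
        "Content-Security-Policy-Report-Only": "style-src 'self' 'nonce-Zm9vYmFyMTIz'; report-uri /csp",
    },
    "/error": {
        "content-security-policy": "default-src 'self'; STYLE-SRC 'self' 'nonce-YWJjZGVmZ2g='",
    },
    "/legacy": {
        "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    },
}

if __name__ == "__main__":
    for path, stage in classify_endpoints(SAMPLE_RESPONSES).items():
        print(f"{path}: {stage}")
```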

    Export Admin Console reports in GZIP format
    You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.

    Breached Credentials Protection
    Protect your org from the impact of credentials that have been compromised. Okta compares username and password combinations against a third-party curated dataset. If it determines that a combination has been compromised, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
    This feature is following a slow rollout process.

    IWA agent, version 1.18.0
    This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.

    Assigning/revoking an admin role is a protected action
    Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

    Admin Console Realm updates
    The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.

    Secure Identity Integrations filters in the OIN catalog
    The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.

    LDAP Interface OIDC app
    LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.
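One way to adapt a long-running script to the one-hour session limit described above is to track the age of the last BIND and re-bind before issuing a SEARCH. This is an added example, not Okta code; it assumes a connection object exposing bind() (returning True on success) and search(), and the class name, margin and retry hook are hypothetical.

```python
import time

class RebindingLdapSession:
    """Wrap an LDAP connection and issue a fresh BIND before the session ages out.

    Assumption: `conn` exposes bind() -> bool and search(...); adapt the two
    calls to whatever LDAP client your script actually uses.
    """

    def __init__(self, conn, max_age=3600, margin=120, retry_on=(),
                 clock=time.monotonic):
        self._conn = conn
        self._clock = clock
        # Re-bind `margin` seconds early so a SEARCH never races the expiry.
        self._limit = max_age - margin
        # Exception types your client raises when the server has already
        # dropped the session (client-specific, so supplied by the caller).
        self._retry_on = retry_on
        self._bound_at = None
        self.bind_count = 0

    def _bind(self):
        if not self._conn.bind():
            raise ConnectionError("LDAP BIND was rejected")
        self._bound_at = self._clock()
        self.bind_count += 1

    def search(self, *args, **kwargs):
        """Run a SEARCH, binding first if the session is missing or too old."""
        age_exceeded = (self._bound_at is None
                        or self._clock() - self._bound_at >= self._limit)
        if age_exceeded:
            self._bind()
        try:
            return self._conn.search(*args, **kwargs)
        except self._retry_on:
            # The session expired earlier than expected: bind again, retry once.
            self._bind()
            return self._conn.search(*args, **kwargs)
```

Using a monotonic clock keeps the age check correct across wall-clock adjustments on the host running the script.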

    Map unknown platform to desktop
    Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when all six platform conditions (iOS, Android, Other mobile, Windows, macOS, and Other desktop) were selected in the app sign-on policy.

    Child Domain Authentication for Office 365 WS-Federation
    Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

    App Switcher for Okta first-party apps
    The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

    Early Access

    Anything-as-a-Source for groups and group memberships
    Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can connect custom HR apps or custom databases to source users into Okta's Universal Directory.
    This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships into Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.

    Fixes

    • When a user signed in to a custom domain and then clicked Admin in the App Switcher, they were sometimes presented with the wrong sign-in flow. (OKTA-1014174)

    Okta Integration Network

    • AmexGBT Egencia has a new app name, icon, and SAML Integration guide. Learn more.
    • ZAMP (OIDC) has two new redirect URIs. Learn more.
    • Harmony (API Service Integration) is now available. Learn more.
    • Shift Security (API Service Integration) is now available. Learn more.
    • Teem Finance (OIDC) is now available. Learn more.
    • Island (Universal Logout) is now available. Learn more.
    • CloudEagle (API Service Integration) was updated.
    • Bruin was updated.
    • EventNeat (OIDC) is now available. Learn more.
    • AdvancedMD was updated.
    • Nuclei (OIDC) is now available. Learn more.
    • FloQast (SCIM) is now available.
    • Astrix Security Monitoring (API Service Integration) is now available.
    • Scrut Automation (OIDC) has a new Redirect URI.
    • Canva (SWA) was updated.
    • eSignon (SAML) is now available. Learn more.
    • eSignon (SCIM) is now available.
    • AmexGBT Egencia (SCIM) is now available.
  • Aug 1, 2025
    • Date parsed from source:
      Aug 1, 2025
    • First seen by Releasebot:
      Aug 28, 2025

    Okta

    Okta Classic Engine release notes (Production) August 2025

    Platform updates: security and agent fixes, OAuth2 provisioning and autorotation, enhanced profile and governance controls, certificate rotation, token encryption and UI updates.

    Sign-In Widget 7.34.0

    For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

    Okta On-Prem MFA agent version 1.8.5

    This version includes security enhancements.

    New password expiration message

    The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

    Okta Provisioning agent, version 3.0.2

    Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning agent and SDK version history.

    Okta Active Directory agent, version 3.21.0

    This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

    OAuth 2.0 provisioning for Org2Org with Autorotation

    Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console. See Integrate Okta Org2Org with Okta.

    Define default values for custom user attributes

    Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

    Expanded use of user.getGroups() function in Okta Expression Language

    Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

    Auto-confirm for CSV imports

    When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

    Identity Governance user entitlements import limit increased

    The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

    License grouping UI improvement

    Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only the primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.

    New custom attributes for profile sync provisioning

    Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

    Custom profile attributes for OIDC apps

    Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

    Web app integrations now mandate the use of the Authorization Code flow

    To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.

    Provisioning for Oracle Human Capital Management

    Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

    Unified claims generation for custom apps

    Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

    Governance delegates

    Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.

    Multiple active IdP signing certificates

    Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

    JSON Web Encryption of OIDC ID Tokens

    You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

    App Switcher for Okta first-party apps

    The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.
