Okta Identity Engine API release notes (2025)

March

Weekly release 2025.03.3

Change	Expected in Preview Orgs
Bugs fixed in 2025.03.3	March 26, 2025

Bugs fixed in 2025.03.3

Custom role admins with permission conditions couldn't search for users by firstName or lastName. (OKTA-894392)
The user.identity_verification System Log event displayed an incorrect assurance level for completed identity verifications with DENY results. (OKTA-893343)
Some PUT requests to the brands/{brandId}/templates/email/{templateName}/settings endpoint received HTTP 500 Internal Server Error messages. (OKTA-886167)
GET requests to the /api/v1/users/me/appLinks endpoint sometimes returned an HTTP 500 Internal Server error. (OKTA-873694)

Weekly release 2025.03.2

Change	Expected in Preview Orgs
Bug fixed in 2025.03.2	March 19, 2025

Bug fixed in 2025.03.2

The OIN Submission Tester didn't support custom domains in the IdP flow. (OKTA-835402)

Weekly release 2025.03.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.03.1	March 12, 2025

Bugs fixed in 2025.03.1

createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter parameter. (OKTA-801592)
The JSON Web Token that Okta generates and sends to the OpenID Connect identity provider contained a string exp instead of a number 'exp'. (OKTA-852446)
When making POST requests to users/{userId}/factors/{factorId}/verify or authn/factors/{factorId}/verify endpoints with factorType instead of factorId in the URL path, multiple failed verification attempts didn't lock users out and the failed attempts weren't logged in the System Log. (OKTA-871469)
When Okta sent a request with a refresh token to the token inline hook, the session user was sometimes sent rather than the refresh token user in request.data.context. (OKTA-869758)

Monthly release 2025.03.0

Change	Expected in Preview Orgs
Global token revocation for wizard SAML and OIDC apps is GA in Production	September 11, 2024
OIDC IdPs now support group sync is GA in Production	October 23, 2024
Granular account linking for certain Identity Providers is GA in Production	December 11, 2024
Realms for Workforce is GA in Production	February 13, 2025
Improved group search functionality is GA in Production	February 12, 2025
Improved user search functionality is GA in Production	February 12, 2025
Improved realms and device search functionality is GA in Production	February 12, 2025
New End-user Enrollments API is GA in Preview	March 5, 2025
CLEAR Verified as a third-party identity verification provider is EA in Preview	March 5, 2025
Verify an SSF Stream is EA in Preview	March 5, 2025
MyAccount Password API updates	March 5, 2025
Identity Security Posture Management functionality in the OIN catalog	March 5, 2025
Default global session policy rule update	March 5, 2025
Developer documentation updates in 2025.03.0	March 5, 2025
Bugs fixed in 2025.03.0	March 5, 2025

Global token revocation for wizard SAML and OIDC apps is GA in Production

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

OIDC IdPs now support group sync is GA in Production

OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Granular account linking for certain Identity Providers is GA in Production

When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenId Connect and SAML 2.0.

Realms for Workforce is GA in Production

The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms (opens new window) and Realm Assignments (opens new window).

Improved group search functionality is GA in Production

You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co operator within the search parameter of the Groups API. See Operators (opens new window) and search within the Groups API (opens new window).

Improved user search functionality is GA in Production

You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to do user lookups and add users to groups. Use the co operator within the search parameter of the Users API. See Operators (opens new window) and search within the Users API (opens new window).

Improved realms and device search functionality is GA in Production

We've extended the contains (co) operator to realms and devices. You can now search for realms and devices whose profile attributes contain specified text through API. This makes lookups easier without needing to recall the exact names of various profile attributes. Use the co operator within the search parameter. See Contains operator (opens new window) and the search parameter in the Realms (opens new window) and Devices (opens new window) APIs.

New End-user Enrollments API is GA in Preview

The new End-user Enrollments API (opens new window) enables end users to enroll and unenroll authenticators by entering a URL directly into their browser. This reduces the time spent administering complex authenticator enrollment flows, and provides a streamlined enrollment process for users. After a user enrolls or unenrolls an authenticator, you can use the redirect_uri property to redirect them to another page.

CLEAR Verified as a third-party identity verification provider is EA in Preview

Okta now supports using CLEAR Verified as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_CLEAR as the IdP type when you create an IdP (opens new window).

Verify an SSF Stream is EA in Preview

Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. In addition, the SSF Transmitter verification events claim structure is now compliant with the OpenID Shared Signals Framework ID3 spec.

MyAccount Password API updates

Admins can now send a PUT request to the /idp/myaccount/password endpoint to update the password for a user. Also, admins can send a GET request to the /idp/myaccount/password/complexity-requirements endpoint to retrieve password complexity requirements. See Replace a Password (opens new window) and Retrieve the Password Complexity Requirements (opens new window).

Identity Security Posture Management functionality in the OIN catalog

The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.

Default global session policy rule update

The default value for the maxSessionLifetimeMinutes property of the default global session policy rule is now 1440 (24 hours) and can be changed. Previously the maxSessionLifetimeMinutes property of the default global session policy rule was read-only. See the Policies API (opens new window).

Developer documentation updates in 2025.03.0

The list of public permissions has moved from the Roles in Okta (opens new window) topic to the Permissions in Okta (opens new window) topic. The new topic contains more permission details for you to define your custom admin roles.
A new section has been added to the API documentation: Sign-in Experience API (opens new window). It contains the new End-user Enrollments API that enables end users to enroll and unenroll authenticators by entering a URL directly into their browser.

Bugs fixed in 2025.03.0

Some certificates with trailing characters were uploaded successfully to the /domains/{domainId}/certificate endpoint, despite their invalid format. (OKTA-486406)
An incorrect response was returned when a /token request was sent with an inactive user in a direct authentication flow. (OKTA-853984)

February

Weekly release 2025.02.2

Change	Expected in Preview Orgs
Incode as a third-party identity verification provider is EA in Preview	February 20, 2025
Bugs fixed in 2025.02.2	February 20, 2025

Incode as a third-party identity verification provider is EA in Preview

Okta now supports using Incode as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_INCODE as the IdP type when you create an IdP (opens new window).

Bugs fixed in 2025.02.2

An API request to create a resource set with a duplicate name sometimes returned a 5xx error instead of a 4xx error response. (OKTA-867792)
Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
The contains (co) operator sometimes gave unclear error messages when using less than three characters or with other operators. (OKTA-846206)
When an admin attempted to revoke an API token (DELETE /api/v1/api-tokens/{apiTokenId}), and the credential used to authenticate the request was an access_token for a Service client, an HTTP 403 error was returned. (OKTA-844384)

Weekly release 2025.02.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.02.1	February 13, 2025

Bugs fixed in 2025.02.1

When a GET request was made using the User Grants API (/api/v1/users/{userId}/grants), the response didn't include pagination links in the response header. (OKTA-826775)
The Users API returned inconsistent responses in Classic Engine orgs that allowed self-service registration and in Identity Engine orgs that were migrated from these orgs. (OKTA-833094)
In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
The On-Behalf of Token Exchange flow was returning the wrong error message when an invalid subject_token_type was requested. (OKTA-841223)
When a POST request was made (/api/v1/authorizationServers/{authServerId}/policies) to create an authorization policy, the created and lastUpdated properties had a null value. (OKTA-848623)
The /user/verify_idx_credentials endpoint didn't accept arbitrary fromUri values. (OKTA-853353)
AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
Some identity provider API POST (/api/v1/idps) and PUT (/api/v1/idps/{idpId}) requests returned an HTTP 500 error code if the request didn't have the policy.accountLink object in the request body. (OKTA-865143)

Monthly release 2025.02.0

Change	Expected in Preview Orgs
IP Exempt Zone is GA in Preview	October 23, 2024
Global token revocation for wizard SAML and OIDC apps is GA in Preview	September 11, 2024
OIDC IdPs now support group sync is GA in Preview	October 23, 2024
Granular account linking for certain identity providers is GA	December 11, 2024
Realms for Workforce is GA in Preview	February 13, 2025
Improved group search functionality is GA in Preview	February 12, 2025
Improved user search functionality is GA in Preview	February 12, 2025
Support for importing Active Directory group descriptions is GA in Production	February 6, 2025
Developer documentation updates in 2025.02.0	February 6, 2025
Bugs fixed in 2025.02.0	February 6, 2025

IP Exempt Zone is GA in Preview

This feature introduces useAsExemptList as a read-only Boolean property that distinguishes the new default IP exempt zones from other zones. When you enable this feature and you make a GET api/v1/zones request, Okta returns useAsExemptList in the response. The value true indicates that the zone is an exempt zone. Only system generated exempt zones are available.

Global token revocation for wizard SAML and OIDC apps is GA in Preview

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

OIDC IdPs now support group sync is GA in Preview

OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Granular account linking for certain identity providers is GA

Realms for Workforce is GA in Preview

Improved group search functionality is GA in Preview

Improved user search functionality is GA in Preview

You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to add users to groups or apps. Use the co operator within the search parameter of the Users API. See Operators (opens new window) and search within the Users API (opens new window).

Support for importing Active Directory group descriptions is GA in Production

The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.

Developer documentation updates in 2025.02.0

The Style the Sign-In Widget (third generation) guide, under Brand and Customize, now describes how to use the afterTransform function. The function allows you to apply DOM customizations to the third generation of the widget. For example, you can use afterTransform to change button text or to add an instructional paragraph.
The new Configure a device assurance policy guide, under Sign users in, describes how to manage device assurance policies in your org. The guide uses the Device Assurance Policies API to create and edit a policy, and add device assurance to an authentication policy. It also shows how to use the System Log API to check for device assurance events.
The OIN Manager: submit an integration guide has been updated to include API service submission instructions.

Bugs fixed in 2025.02.0

When calling deleted app users through the Apps API, the API returned a 500 internal server error instead of a 404 error. (OKTA-832609)
PUT requests (/api/v1/apps/appId) to update an OpenID Connect app took 30 seconds to complete. (OKTA-852488)
When the List all devices API (opens new window) was used with a search query parameter, it sometimes returned outdated records for screenLockType and managementStatus. (OKTA-856387)

January

Weekly release 2025.01.2

Change	Expected in Preview Orgs
Authentication claims sharing between Okta orgs is EA in Preview	January 29, 2025
Bugs fixed in 2025.01.2	January 29, 2025

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.

Bugs fixed in 2025.01.2

When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (/api/v1/zones/{DefaultExemptIpZone ID}). (OKTA-817263)
The List all principal rate limits (opens new window) returned an empty response when querying with a custom client_id and using OAuth 2.0 for authentication. (OKTA-832687)
When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)
Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
Refresh tokens for OpenID Connect apps that have Single Logout enabled with user session details were getting invalidated before their max lifetime. (OKTA-730794)
Account unlock didn't work for some orgs using the Okta account management policy. (OKTA-848066)

Weekly release 2025.01.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.01.1	January 15, 2025

Bugs fixed in 2025.01.1

When an admin attempted to delete an IdP using the SDK, the operation failed with an HTTP 500 response code. (OKTA-846005)
POST requests with an OAuth token to the /devices/{deviceId}/lifecycle/deactivate endpoint by an API service app using the Client Credentials flow returned 403 error responses. The deactivations succeeded in spite of the error response. (OKTA-838539)

Monthly release 2025.01.0

Change	Expected in Preview Orgs
Additional use case selection in the OIN Wizard	January 8, 2025
Configure Identity Verification with third-party Identity Verification providers is GA Production	October 2, 2024
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access	January 8, 2025
Granular configuration for Keep Me Signed In is EA in Preview	January 8, 2025
Multiple Identifiers is GA in Preview	November 7, 2024
New group.source.id key for group functions in Expression Language	January 2, 2025
POST requests to the authorize endpoint is self-service EA	January 8, 2025
Bug fixed in 2025.01.0	January 8, 2025

Additional use case selection in the OIN Wizard

Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:

Automation
Centralized Logging
Directory and HR Sync
Multifactor Authentication (MFA)

See OIN Wizard use case selection.

Configure Identity Verification with third-party Identity Verification providers is GA Production

You can now configure third-party Identity Verification providers using the IdP API and Okta account management policy rules. Okta supports Persona as a third-party Identity Verification provider.

Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. To configure an Identity Verification provider in the Admin Console, see Add an Identity Verification vendor as Identity Provider (opens new window).

Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access

The following API endpoints have been deprecated:

Extend Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/extend)
Grant Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/grant)
Revoke Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/revoke)

Use the Update an Okta Support case (opens new window) endpoint to extend, grant, or revoke Okta Support access for a specific support case. For the corresponding Okta Admin Console feature, see Give access to Okta Support (opens new window).

Granular configuration for Keep Me Signed In is EA in Preview

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Configure Keep me signed in (KMSI).

The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.

Multiple Identifiers is GA in Preview

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-in, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Configure multiple identifiers.

New group.source.id key for group functions in Expression Language

You can now use the group.source.id key in Expression Language group functions to filter between groups that have the same name. See Group functions.

POST requests to the authorize endpoint is Self-Service EA

You can now send user data securely in a POST request body to the /authorize endpoint.

Developer documentation updates in 2025.01.0

The Sign users in to your SPA using redirect guides for the Angular and React platforms are now revised to use updated versions of Okta SDKs, framework dependencies, and coding patterns.

Bug fixed in 2025.01.0

Requests to the /policies/{policyId}/rules and /policies/{policyId}/rules/{ruleId} endpoints to create or update Okta account management policy rules included default Keep me signed in (KMSI) settings in the responses. (OKTA-848236)

Edit This Page On GitHub

On this page