On this page
Okta Identity Engine API release notes (2025)
August
Weekly release 2025.08.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.08.2 | August 20, 2025 |
Bugs fixed in 2025.08.2
Some custom admin roles had different permissions for authentication policies (
ACCESS_POLICY
) and device signal collection policies (DEVICE_SIGNAL_COLLECTION
) and couldn't access or manage device signal collection policies and rules. (OKTA-982043)Some app groups that were deleted were still visible in searches. This fix will be slowly made available to all orgs. (OKTA-972614)
When an app was deleted, group push rules weren't deleted and would sometimes trigger erroneous System Log entries. This fix will be slowly made available to all orgs. (OKTA-881642)
Monthly release 2025.08.0
Associated Domain Customizations API is self-service EA in Preview
You can now use the Associated Domain Customizations API (opens new window) to view and update the associated domains of your custom domain. Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator.
See Customize associated domains.
Automate SCIM Integration for OIN Apps with Express Configuration
Express Configuration is a feature designed to automate the setup of SSO and SCIM for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OIDC and SCIM integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Express Configuration.
Breached Credentials Protection is GA in Preview
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See the Okta Policies API (opens new window).
Clear user factors for all devices is GA in Preview
When you make a Revoke all user sessions (/api/v1/users/{userId}/sessions) request, include the new forgetDevices
parameter (opens new window) to clear a user's remembered factors on all devices. The user is prompted for full authentication on their next sign-in attempt from any device. The forgetDevices
parameter is set to true
by default.
Cross App Access is self-service EA in Preview
Admins can now manage third-party app data sharing with the new Cross App Access feature in the Okta Admin Console. This feature moves complex consent processes away from end-users, enhancing security and streamlining the experience. Once configured, end users can access their data from other SaaS apps without navigating OAuth consent flows. See the Applications Cross Apps Connections API (opens new window) and Configure Cross App Access (opens new window).
Custom FIDO2 AAGUID is self-service EA in Preview
You can now use the Authenticators API (opens new window) to create, view, and update custom Authenticator Attestation Global Unique Identifiers (AAGUIDs).
Admins can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives admins greater flexibility and control over the security in their environment.
Device signal collection policy is self-service EA in Preview
With the new device signal collection policy, admins can override Okta default behavior and specify how Okta must collect device data, which is then used to evaluate authentication policies.
See Configure a device signal collection policy.
Encryption of ID tokens and access tokens is EA
You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. You can also now encrypt access tokens minted by a custom authorization server. See Key management.
Expanded use of user.getGroups() function in Okta Expression Language is GA in Production
You can now use the user.getGroups()
function across all features that support Expression Language. See Group functions.
Granular configuration for Keep Me Signed In is GA in Production
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Configure Keep me signed in (KMSI).
The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.
Group Push Mappings is GA in Preview
With the API for Group Push, admins can now programmatically create, link, or manage group push configuration in Okta. This allows admins to configure Okta groups to be pushed to connected apps at scale and reduces overhead for large deployments. See Group Push Mappings API (opens new window).
MyAccount Password API is GA in Production
You can now use the MyAccount Password API (opens new window) to update passwords.
MyAccount WebAuthn API is EA in Production and GA in Preview
You can now use the MyAccount WebAuthn API (opens new window) to enroll, list, and delete WebAuthn enrollments. Admins can build out an in-app passkey creation and enrollment experience with the MyAccount WebAuthn API operations.
Multiple active IdP signing certificates is EA
Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Use the new additionalKids
parameter (opens new window) to add another signing certificate for the IdP. You can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates.
New User Authenticator Enrollments API is GA in Preview
The User Authenticator Enrollments API (opens new window) enables admins to manage the specific authenticator enrollments of their users.
Currently, admins in Identity Engine orgs can’t use Okta APIs to manage user authenticator enrollments with the same level of control that’s possible in Classic Engine orgs. This feature helps admins more effectively manage their user’s enrollments and improves parity between Classic Engine and Identity Engine orgs.
New user profile permission
A new user profile permission (okta.users.userprofile.read
) is now available that allows granular read-only access to the user profile. See Permissions (opens new window).
OAuth 2.0 provisioning for Org2Org with Autorotation is GA in Production
Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.
To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support token autorotation, rotationMode=AUTO
. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).
Passkeys from Android devices is self-service EA in Preview
Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use.
You can enable Android passkeys by customizing the assetlinks.json
file. See Customize associated domains and Add support for Digital Asset Links (opens new window).
Send app context to external IdPs is GA in Preview
You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you set the sendApplicationContext
parameter (opens new window) to true
for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.
Service Accounts API is EA
The new Service Accounts API (opens new window) is now available for Okta Privileged Access-enabled orgs. This API allows you to manage SaaS or On-Prem Provisioning (OPP) app accounts. App accounts that you create through the Service Accounts API are visible to resource admins in the Okta Privileged Access dashboard. See Manage service accounts (opens new window) in the Okta Privileged Access product documentation.
This feature is available only if you're subscribed to Okta Privileged Access. Ensure that you've set up the Okta Privileged Access app before creating app accounts through the API.
System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance is EA in Preview
The app.oauth2.token.grant.id_jag
event is generated when an app completes an OAuth 2.0 token exchange to get an Identity Assertion Authorization Grant (ID-JAG) JWT.
System Log updates for ID verification events
There are several updates for events related to identity verification:
A new event related to ID verification (
user.identity_verification.start
) can be viewed in the System Log.New reasons for the DENY result of the
user.identity_verification
event have been added.Admins can use two new properties (IdvReferenceId and IdvFlowId) to track events related to IDV processes.
See Event Types and Identity verification events.
Temporary Access Code authenticator is self-service EA in Preview
The new Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators.
To configure the authenticator with Okta APIs, see Temporary access code authenticator integration guide, and to configure it in the Admin Console, see Configure the temporary access code authenticator (opens new window).
Unified claims generation for custom apps is self-service EA in preview
Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements
(required OIG), device.profile
, session.id
, and session.amr
. Collection projections in Expression Language can also be used to get claims information. See Okta Expression Language in Identity Engine.
Universal Logout in the OIN Wizard
Universal Logout (UL) in the Okta Integration Network Wizard allows you to build, test, and submit UL functionality to the Okta Integration Network (OIN). Universal Logout lets you terminate users' sessions and revoke their tokens for supported OIN apps, as well as for generic OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) apps. See Submit an integration with the OIN Wizard (opens new window).
Web app integrations now mandate the use of the Authorization Code flow
To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration (opens new window).
Developer documentation updates in 2025.08.0
The Archived Okta Identity Governance API changelog (2023-2024) has been removed. For updates on these APIs, see the Okta Identity Governance API release notes.
Journeys is a new and evolving section that includes content to help guide you through your development project.
Journeys break down your development project into consumable steps:
- Key concepts to absorb
- Information on planning for tasks that you need to complete
- Links to individual guides to help you build your project
- Additional content to hep you enhance your project.
The first journey available is Secure your first web app. This journey helps you connect your web app to Okta and configure a secure sign-in experience.
The new Create an app integration guide explains what an app integration is, why you need one, and how to create one.
The new Direct authentication concept explains what direct authentication is and how you can use it.
The new Set up your org guide outlines how to set up your Okta org with some basic, but important, settings and how to configure it for different use cases.
The Sign in to your native mobile app guide describes how to add authentication to your mobile app using the Okta Client SDK for Swift. This example implements a sample iOS app, using Okta APIs and interaction code flow, for browserless authentication.
The new Sign-In Widget concept provides a high-level overview of the Okta Sign-In Widget.
The new Understand the token lifecycle concept provides an overview of OAuth 2.0 tokens, their use, and their lifecycles.
Bug fixed in 2025.08.0
Some app types were incorrectly assigned to authentication policies. (OKTA-956009)
July
Weekly release 2025.07.3
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.07.3 | July 30, 2025 |
Bugs fixed in 2025.07.3
- The List all user grants operation (
/api/v1/users/me/grants
) didn't include pagination links in the header of the response. (OKTA-918661) - The Attack Protection API endpoints returned HTTP 404 Not Found errors unless
-admin
was appended to your org subdomain in the URL path. You can now use your standard org subdomain in the URL path when using the Attack Protection API. (OKTA-925650) - Users with case-insensitive usernames didn't match to existing strict case-sensitive users. (OKTA-969228)
Weekly release 2025.07.2
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.07.2 | July 16, 2025 |
Bugs fixed in 2025.07.2
- When the Direct Authentication feature was enabled, calling the Apps API with a custom role couldn’t create OIDC apps. (OKTA-970705)
- When an admin enabled the Temporary Access Code feature, subsequent
GET /users/{userId}/factors
requests returned HTTP 400 Bad Request errors. (OKTA-979585) - This update includes security enhancements. (OKTA-909930)
Weekly release 2025.07.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.07.1 | July 9, 2025 |
Bugs fixed in 2025.07.1
- The multiple identifiers feature didn't process case sensitivity correctly when evaluating identifier attributes. (OKTA-899235)
- When GET
/api/v1/apps/{appId}
is called, admins with theokta.groups.appAssignment.manage
permission orokta.users.appAssignment.manage
permission could view app details without having the requiredokta.apps.manage
orokta.apps.read
permissions. (OKTA-801567)
Monthly release 2025.07.0
Change | Expected in Preview Orgs |
---|---|
OAuth 2.0 provisioning for Org2Org with key auto-rotation is GA in Preview | July 2, 2025 |
MyAccount Password API is GA in Preview | May 24, 2023 |
New Okta Expression Language component is self-service EA in Preview | July 2, 2025 |
System Log event for monitoring LDAP Agent config file changes is EA | July 2, 2025 |
Integrate Okta with Device Posture Provider | July 2, 2025 |
New validation rule for user profile attributes in OIN Wizard | July 2, 2025 |
Stricter URL validation in the OIN Wizard | July 2, 2025 |
Conditions for create user permission is GA in Production | June 9, 2025 |
CLEAR Verified and Incode as third-party identity verification providers is GA in Production | July 2, 2025 |
Changes to Okta app API responses | July 7, 2025 |
Restrict access to the Admin Console is GA in Production | December 11, 2024 |
Developer documentation updates in 2025.07.0 | July 2, 2025 |
OAuth 2.0 provisioning for Org2Org with key auto-rotation is GA in Preview
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.
To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support key auto-rotation, rotationMode=AUTO
. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).
MyAccount Password API is GA in Preview
You can now use the MyAccount Password API (opens new window) to update passwords.
New Okta Expression Language component is self-service EA in Preview
You can now use the metadata
component in an Expression Language condition for an Okta account management policy. You can only use metadata
in an expression that’s related to password expiry. See Enable password expiry (opens new window).
System Log event for monitoring LDAP Agent config file changes is EA
A system.agent.ldap.config_change_detected
event is generated when an LDAP agent detects changes to its configuration file.
Integrate Okta with Device Posture Provider
The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables orgs to use their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See the Device Integrations API (opens new window) and Integrate Okta with Device Posture Provider (opens new window).
New validation rule for user profile attributes in OIN Wizard
The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See SAML properties (opens new window).
Stricter URL validation in the OIN Wizard
The OIN Wizard now requires all static URLs to begin with "https://" and be complete. For URL expressions, you can use any valid format. See Submit an integration with the OIN Wizard (opens new window).
Conditions for create user permission is GA in Production
You can now add conditions to the okta.user.create
permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permissions conditions (opens new window).
CLEAR Verified and Incode as third-party identity verification providers is GA in Production
Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_INCODE
or IDV_CLEAR
as the IdP type
when you create an IdP (opens new window).
Changes to Okta app API responses
The following Okta apps won't be returned in the API response for endpoints that list apps (such as the List all applications (opens new window) GET /api/vi/apps
endpoint):
- Okta Access Certifications (key name:
okta_iga
) - Okta Access Requests Admin (key name:
okta_access_requests_admin
) - Okta Entitlement Management (key name:
okta_entitlement_management
)
In addition, a single app retrieval endpoint won't return these apps either. For example: GET /api/v1/apps/{appId}
won't return the app object if {appId}
is the ID for the okta_iga
, okta_access_requests_admin
, or okta_entitlement_management
apps in your org.
Restrict access to the Admin Console is GA in Production
By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings (opens new window) and the corresponding APIs: Retrieve the Okta Admin Console Assignment Setting (opens new window) and Update the Okta Admin Console Assignment Setting (opens new window).
Developer documentation updates in 2025.07.0
The Okta Admin Management (opens new window) APIs have been reorganized into functional service groups for improved navigation and user experience. All previous anchors and links to the APIs remain the same.
A new guide is available that explains how to register security events providers in Okta, which enables continuous sharing of security information with Okta to prevent security threats.
The Agent Pools API has been renamed Directory Agent Pools (opens new window) API and is now grouped under External Identity Sources. There are no other changes to the API. All previous anchors and links to the API remain the same.
The Password import inline hook guide was revised to demonstrate the hook call using the ngrok utility (opens new window), rather than the sample code hosted on Glitch.com (opens new window). The hosted sample app on Glitch is scheduled for deprecation on July 8th, 2025.
June
Weekly release 2025.06.2
Change | Expected in Preview Orgs |
---|---|
Network zone restrictions for clients is self-service EA in Preview | Jun 25, 2025 |
Org2Org OIDC Sign-on mode is self-service EA in Preview | Jun 17, 2025 |
Okta Integration IdP type is self-service EA in Preview | Jun 25, 2025 |
Bugs fixed in 2025.06.2 | Jun 25, 2025 |
Network zone restrictions for clients is self-service EA in Preview
You can now specify an allowlist or denylist network zone for each client to enhance token endpoint security.
Org2Org OIDC Sign-on mode is self-service EA in Preview
The Org2Org app now includes an OIDC Sign-on mode using the Okta Integration IdP. This sign-on mode reduces the complexity of configuration between the Org2Org app and the target org, and takes advantage of modern security features of OIDC. You also need to enable the Okta Integration IdP feature to use the OIDC Sign-on mode. See Secure API connections between orgs with OAuth 2.0.
Okta Integration IdP type is self-service EA in Preview
The new Okta Integration IdP type allows you to configure Org2Org OIDC IdPs with secure defaults. See Identity Providers (opens new window) and Add an Okta Identity Provider (opens new window).
Bugs fixed in 2025.06.2
When an app with imported app groups was deactivated, and users were subsequently removed from these groups, the event wasn't recorded in the System Log. (OKTA-934264)
The delete operation for the Roles API (
/iam/roles/{roleIdOrLabel}
) and the Resource Sets API (/iam/resource-sets/{iamPolicyIdOrLabel}
) allowed users to delete IAM-based standard roles and resource sets, respectively. (OKTA-926830)Using a private/public key for client authentication with an empty
kid
in the assertion threw a null pointer exception if there was an invaliduse
parameter in the key. (OKTA-963932)
Weekly release 2025.06.1
Change | Expected in Preview Orgs |
---|---|
Frame-ancestors rollout for Content Security Policy | Jun 17, 2025 |
Response body updates for the MyAccount Authenticators API | Jun 17, 2025 |
Bugs fixed in 2025.06.1 | Jun 17, 2025 |
Frame-ancestors rollout for Content Security Policy
Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint
and /api/v1/internal/device/nonce
endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See the Trusted Origins API (opens new window).
In addition, Okta is rolling out the use of nonce
with the script-src directive of the CSP for the /auth/services/devicefingerprint
. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce
addition to script-src.
Response body updates for the MyAccount Authenticators API
A new response property, canChange
, is now returned for password
enrollments when you make GET calls to the /idp/myaccount/authenticators/{authenticatorId}/enrollments/
endpoint. This property indicates if the value of a password
enrollment can be changed. With the addition of the canChange
property, canReset
, an existing response property, now indicates whether or not the user can reset the value of their password
enrollment.
See the MyAccount Authenticators API (opens new window).
Bugs fixed in 2025.06.1
When calling the Replace the resource set resource conditions endpoint,
/api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}
, including an empty body didn't remove conditions. (OKTA-947764)Customization fields in email templates were populated with unencoded information. (OKTA-922766)
The Directories Integration API for AD Bidirectional Group Management returned a 500 error because of a null pointer exception. (OKTA-948743)
User grants weren't returned from the Users API (
/users/<userId>clients/<clientId>/grants
) after revoking user sessions and OAuth 2.0 tokens. (OKTA-944549)Users could sometimes receive too many password reset emails. (OKTA-916357)
App logos could be added or updated using any SVG format. See Application Logos (opens new window). (OKTA-876028)
Monthly release 2025.06.0
Change | Expected in Preview Orgs |
---|---|
Admins prevented from deleting published app instances | June 4, 2025 |
Authentication claims sharing between Okta orgs is GA in Production | June 4, 2025 |
Claims sharing between third-party IdPs and Okta is GA in Production | April 9, 2025 |
Conditions for create user permission | June 9, 2025 |
Define default values for custom user attributes is GA in Production | May 7, 2025 |
Domain restrictions on Realms is GA in Production | April 23, 2025 |
New password complexity property is self-service EA in Preview | June 4, 2025 |
Number matching challenge with the Factors API is GA in Production | April 9, 2025 |
Restrict access to the Admin Console is GA in Preview | December 11, 2024 |
Shared signal transmitters is GA in Production | May 7, 2025 |
Single Logout for IdPs is EA in Preview | June 4, 2025 |
Expanded use of user.getGroups() function in Okta Expression Language is GA in Preview | June 4, 2025 |
Developer documentation updates in 2025.06.0 | June 4, 2025 |
Bugs fixed in 2025.06.0 | June 4, 2025 |
Admins prevented from deleting published app instances
When an app instance has the Published version status in OIN Wizard, admins can no longer delete it from the Integrator Free Plan org.
Authentication claims sharing between Okta orgs is GA in Production
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Claims sharing between third-party IdPs and Okta is GA in Production
Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from a third-party IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Conditions for create user permission
You can now add conditions to the okta.user.create
permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permissions conditions (opens new window).
Define default values for custom user attributes is GA in Production
You can now define default values for custom attributes in a user profile. See the Update User Profile (opens new window) endpoint in the Schemas API.
Domain restrictions on Realms is GA in Production
You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See the Realms (opens new window) and Realm Assignments (opens new window) APIs.
New password complexity property is self-service EA in Preview
You can now use the oelStatement
property to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements. See the Policy API (opens new window).
Number matching challenge with the Factors API is GA in Production
You can now send number matching challenges for Okta Verify push
factor enrollments when you send POST requests to the /users/{userId}/factors/{factorId}/verify
endpoint. For orgs that can't adopt Okta FastPass, this feature improves their overall security. See the Factors API (opens new window).
Restrict access to the Admin Console is GA in Preview
By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings (opens new window) and the corresponding APIs: Retrieve the Okta Admin Console Assignment Setting (opens new window) and Update the Okta Admin Console Assignment Setting (opens new window).
Shared signal transmitters is GA in Production
Okta uses CAEP (opens new window) to send security-related events and other data-subject signals to third-party security vendors. To enable the transmission of signals from Okta, create an SSF stream (opens new window) using the SSF Transmitter API. Then, configure the third-party receiver to accept signals sent as Security Event Tokens (SETs) (opens new window) from Okta. See the SSF Transmitter API (opens new window) and SSF Transmitter SET payload structures (opens new window).
Single Logout for IdPs is EA in Preview
The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Configure Single Logout for IdPs.
Expanded use of user.getGroups() function in Okta Expression Language is GA in Preview
You can now use the user.getGroups()
function across all features that support Expression Language. See Group functions.
Developer documentation updates in 2025.06.0
The Email Customization API has been relabelled as the Org Email Settings API (opens new window). There are no other changes to the API. All previous anchors and links to the API remain the same.
A new guide explains how to migrate customizations from the second generation (Gen2) to the third generation (Gen3) of the Sign-In Widget. It describes how to use design tokens instead of CSS className selectors to customize Gen3, and which variables and functions help with your migration.
New release notes for Okta Privileged Access APIs are now available.
Bugs fixed in 2025.06.0
The
/idp/myaccount/sessions
endpoint didn't accept access tokens granted by custom authorization servers. (OKTA-929488)An HTTP 500 error occurred when API requests were sent to
api/v1/policies/{policyId}
andapi/v1/policies/{policyId}/rules/{ruleID}
with certain values in the Accept header. (OKTA-892315)MyAccount Authenticators API GET requests (
/idp/myaccount/authenticators/
and/idp/myaccount/authenticators/{authenticatorId}
) didn't return custom logo details. (OKTA-880048)
May
Weekly release 2025.05.3
Change | Expected in Preview Orgs |
---|---|
Integrator Free Plan org now available | May 22, 2025 |
Bugs fixed in 2025.05.3 | May 29, 2025 |
Integrator Free Plan org now available
The Integrator Free Plan org is now available on the Sign up page of the developer documentation site. These orgs replace the previous Developer Editions Service orgs, which will start being deactivated on July 18th. See Changes Are Coming to the Okta Developer Edition Organizations (opens new window). For information on the configurations for the Integrator Free Plan orgs, see Okta Integrator Free Plan org configurations.
Bugs fixed in 2025.05.3
When third-party claims sharing was enabled, users couldn't sign in using their IdP because of an authentication loop. (OKTA-939862)
When enrolling an
sms
factor (POST /users/{userId}/factors
), an Invalid Phone Number error was sometimes incorrectly returned. (OKTA-923373)Users with
+
in their email address couldn't reset their passwords from email templates. Use the${encode(String html)}
expression to encode special characters. (OKTA-914601)Sending a phone challenge with the MyAccount Phone API (
POST /idp/myaccount/phones/{id}/challenge
) sometimes returned an HTTP 500 Internal Server error. (OKTA-946865)
Weekly release 2025.05.2
Change | Expected in Preview Orgs |
---|---|
Enrollment grace periods is EA in Preview | May 21, 2025 |
Send app context to external IdPs is EA in Preview | May 21, 2025 |
Enrollment grace periods is EA in Preview
Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.
With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies and the Policies API (opens new window).
Send app context to external IdPs is EA in Preview
You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments. To enable this feature, go to Settings > Features in the Admin Console, locate Send Application Context to an External IdP, and enable.
Weekly release 2025.05.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.05.1 | May 14, 2025 |
Bugs fixed in 2025.05.1
After enrolling a
call
factor (POST /users/{userId}/factors
), theresend.href
link in the response body returned an HTTP 404 Not Found error when it was used. (OKTA-926672)In some situations, the
/api/v1/agentPools
API failed to return agents that were stuck in an error state. (OKTA-910056)
Monthly release 2025.05.0
Change | Expected in Preview Orgs |
---|---|
Breached Credentials Protection is EA in Preview | May 15, 2025 |
Custom admin roles for ITP | May 7, 2025 |
New User Role Targets API endpoint | May 7, 2025 |
Define default values for custom user attributes | May 7, 2025 |
Directories integration API is GA in Preview and Production | May 7, 2025 |
Number matching challenge with the Factors API is GA in Preview | May 7, 2025 |
Claims sharing between third-party IdPs and Okta is GA in Preview | May 7, 2025 |
Express Configuration for OIN apps | May 7, 2025 |
New End-user Enrollments API is GA in Production | March 5, 2025 |
New System Log for super admin privilege grant | May 7, 2025 |
Entitlement claims is GA in Production | January 2, 2025 |
POST requests to authorize endpoint is GA in Production | January 8, 2025 |
Authentication claims sharing between Okta orgs is GA in Preview | May 7, 2025 |
Shared signal transmitters is GA in Preview | May 7, 2025 |
Developer documentation update in 2025.05.0 | May 7, 2025 |
Bugs fixed in 2025.05.0 | May 7, 2025 |
Breached Credentials Protection is EA in Preview
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See the Okta Policies API (opens new window).
This feature is following a slow rollout process beginning on May 15.
Custom admin roles for ITP
Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP (opens new window).
New User Role Targets API endpoint
The User Role Targets API now includes a new endpoint, Retrieve a role target by assignment type (opens new window), that retrieves role targets by user or group assignment type.
Define default values for custom user attributes
You can now define default values for custom attributes in a user profile. See the Update User Profile (opens new window) endpoint in the Schemas API.
Directories integration API is GA in Preview and Production
The Directories Integration API provides operations to manage Active Directory (AD) group memberships using Okta. This API enables you to define adding or removing users for AD groups. This is now generally available. Previously, this was only available to subscribers of Okta Identity Governance. See Directories Integration (opens new window).
Number matching challenge with the Factors API is GA in Preview
You can now send number matching challenges for Okta Verify push
factor enrollments when you send POST requests to the /users/{userId}/factors/{factorId}/verify
endpoint. For orgs that can't adopt Okta FastPass, this feature improves their overall security. See the Factors API (opens new window).
Claims sharing between third-party IdPs and Okta is GA in Preview
Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from a third-party IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Express Configuration for OIN apps
Express Configuration is a feature designed to automate the setup of SSO for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OpenID Connect (OIDC) integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Express Configuration.
New End-user Enrollments API is GA in Production
The new End-user Enrollments API (opens new window) enables end users to enroll and unenroll authenticators by entering a URL directly into their browser. This reduces the time spent administering complex authenticator enrollment flows, and provides a streamlined enrollment process for users. After a user enrolls or unenrolls an authenticator, you can use the redirect_uri
property to redirect them to another page.
New System Log for super admin privilege grant
A new System Log event now indicates when the super admin role (app.oauth2.client.privilege.grant
) is granted to an API service integration.
Entitlement claims is GA in Production
You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OpenID Connect claims and SAML assertions. See Federated claims with entitlements.
POST requests to authorize endpoint is GA in Production
You can now send user data securely in a POST request body to the /authorize endpoint.
Authentication claims sharing between Okta orgs is GA in Preview
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Shared signal transmitters is GA in Preview
Okta uses CAEP (opens new window) to send security-related events and other data-subject signals to third-party security vendors. To enable the transmission of signals from Okta, create an SSF stream (opens new window) using the SSF Transmitter API. Then, configure the third-party receiver to accept signals sent as Security Event Tokens (SETs) (opens new window) from Okta. See the SSF Transmitter API (opens new window) and SSF Transmitter SET payload structures (opens new window).
New Applications API object
A new universalLogout
object is returned in the Applications API for orgs that have Identity Threat Protection enabled.
Developer documentation update in 2025.05.0
The new Integrate Okta with identity verification vendors guide describes how third-party identity verification (IDV) vendors can integrate with Okta. IDV vendors can use the guide to integrate their service with Okta orgs.
Bugs fixed in 2025.05.0
If a third-party SAML IdP sent the
session.amr
SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if the IdP didn't provide any AMR claims. (OKTA-922086)
April
Weekly release 2025.04.3
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.04.3 | April 30, 2025 |
Bugs fixed in 2025.04.3
Some versions of the Sign-In Widget v3 returned an error when trying to display the consent screen. (OKTA-755616)
The
user.profile.firstName
tag in email templates didn't escape or render Unicode characters correctly. (OKTA-840719)Requests made using the
sortBy
parameter with custom attributes to the List all users or List all groups endpoints threw an HTTP 400 Bad Request error. (OKTA-886166)Some admins with a custom role (
okta.apps.read
,okta.apps.clientCredentials.read
permissions) couldn’t view client secrets for apps that they had permission to view. (OKTA-893511)After their accounts were suspended, users who correctly answered their security question were moved to an Active status in API calls. (OKTA-897292)
The number of groups that could be returned in tokens for a groups claim was still restricted in the authorization code sign-in flow when an inline hook was used. (OKTA-907362)
When a resource set contained a
devices
resource, the Retrieve a resource endpoint returned anull
response for the devicesself
object. (OKTA-914364)When the List all Subscriptions API with a Workflows Administrator role (
WORKFLOWS_ADMIN
) was called, an HTTP 400 Bad Request error was returned. (OKTA-918276)Users received an HTTP 400 Bad Request error during self-service registration in preview orgs with a Registration Inline hook. (OKTA-918774)
When an Okta Classic Engine org was involved in a multi-org Okta-to-Okta authentication flow, and Okta-to-Okta claims sharing was enabled, the
OktaAuth
(SAML) andokta_auth
(OIDC) claims weren't processed correctly. (OKTA-918969)When Okta-to-Okta claims sharing was enabled, federated users who were sourced from a third-party identity provider were incorrectly prompted to provide a password on their hub org. (OKTA-919385)
Weekly release 2025.04.2
Change | Expected in Preview Orgs |
---|---|
Subscriptions API no longer supports OKTA_ISSUE | April 9, 2025 |
Bugs fixed in 2025.04.2 | April 16, 2025 |
Subscriptions API no longer supports OKTA_ISSUE
The Subscriptions API no longer supports the notificationType
value OKTA_ISSUE
.
Bugs fixed in 2025.04.2
Email notifications weren’t sent to end users when security methods were enrolled using POST requests to the
/users/{userId}/factors
endpoint and theactivate
parameter was set totrue
. (OKTA-891169)Updates made to ACS URIs for an app using the Applications API (PUT
/apps/{appId}
) didn't take effect if the app was created without those URLs. (OKTA-909218)
Weekly release 2025.04.1
Change | Expected in Preview Orgs |
---|---|
Advanced device posture checks | April 9, 2025 |
Claims sharing between third-party IdPs and Okta is self-service EA in Preview | April 9, 2025 |
Number matching challenge with the Factors API is self-service EA in Preview | April 9, 2025 |
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is self-service EA in Preview | April 2, 2025 |
Bugs fixed in 2025.04.1 | April 9, 2025 |
Advanced device posture checks
Advanced posture checks provide extended device assurance to users. It empowers admins to enforce compliance based on customized device attributes that extend beyond Okta’s standard checks. Using osquery, this feature facilitates real-time security assessments across macOS devices. As a result, orgs gain enhanced visibility and control over their device fleet and ensure that only trusted devices can access sensitive resources. See Configure advanced posture checks for device assurance (opens new window) and the Device Posture Checks API (opens new window).
Claims sharing between third-party IdPs and Okta is self-service EA in Preview
Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from a third-party IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Number matching challenge with the Factors API is self-service EA in Preview
You can now send number matching challenges for Okta Verify push
factor enrollments when you send POST requests to the /users/{userId}/factors/{factorId}/verify
endpoint. For orgs that can't adopt Okta FastPass, this feature improves their overall security. See the Factors API (opens new window).
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is self-service EA in Preview
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.
To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support token autorotation, rotationMode=AUTO
. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).
Bugs fixed in 2025.04.1
In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)
The
id_token_hint
parameter was exposed in the System Log. (OKTA-890738)POST requests to the
/authorize
endpoint that contained query parameters received an error. (OKTA-905143)
Monthly release 2025.04.0
Change | Expected in Preview Orgs |
---|---|
Domain restrictions on Realms | April 23, 2025 |
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is EA in Preview | April 2, 2025 |
Retrieve the SSF Stream status is EA in Preview | April 2, 2025 |
OIN test account information deleted after 30 days | April 2, 2025 |
Risk Provider and Risk Events APIs are deprecated | April 2, 2025 |
POST requests to authorize endpoint is GA Preview | January 8, 2025 |
Integration variable limit increase in OIN Submission | April 2, 2025 |
Conditional requests and entity tags are GA in Production | January 16, 2025 |
New rate limit event type | April 2, 2025 |
Create dynamic resource sets with conditions is GA in Preview | November 7, 2024 |
Okta account management policy is GA in Production | December 11, 2024 |
Okta Sign-In Widget custom template updates | April 2, 2025 |
Developer documentation update in 2025.04.0 | April 2, 2025 |
Bugs fixed in 2025.04.0 | April 2, 2025 |
Domain restrictions on Realms
You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See the Realms (opens new window) and Realm Assignments (opens new window) APIs.
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is EA in Preview
Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.
To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support token auto-rotation, rotationMode=AUTO
. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).
Retrieve the SSF Stream status is EA in Preview
Retrieve the SSF Stream status endpoint (/api/v1/ssf/stream/status
) is now available. The status indicates whether the transmitter is able to transmit events over the stream. This endpoint is available if you have enabled the Enable Managed Apple ID federation and provisioning feature for your org.
OIN test account information deleted after 30 days
Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.
Risk Provider and Risk Events APIs are deprecated
These APIs have been deprecated. Use the SSF Security Event Tokens API instead to receive security-related events and other data-subject signals. Use the SSF Receiver API for third-party security event providers.
POST requests to authorize endpoint is GA Preview
You can now send user data securely in a POST request body to the /authorize
endpoint.
Integration variable limit increase in OIN Submission
The maximum number of integration variables allowed in OIN submission has increased from three to eight. The apps migrated from OIN Manager with more than eight variables can retain all existing variables but can't add new variables.
Conditional requests and entity tags are GA in Production
You can now use conditional requests and entity tags to tag and check for specific versions of resources. Currently this is only available to use with user profiles. See Conditional Requests and Entity Tags (opens new window).
New rate limit event type
This rate limit event type now appears in the System Log: system.rate_limit.configuration.update
. It logs the following:
- Changes to client-based rate limit settings
- Changes in the rate limit warning notification threshold
- If the rate limit notification is enabled or disabled
- Updates to the rate-limit percentage of an API token
Create dynamic resource sets with conditions is GA in Preview
Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions (opens new window) and the corresponding Resource Set Resources (opens new window) API.
Okta account management policy is GA in Production
The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, authenticator enrollment, and profile setting changes. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Configure an Okta account management policy.
Okta Sign-In Widget custom template updates
Admins can now use the useSiwGen3
variable in the sign-in page code editor to help with migrations from Gen2 to Gen3 of the Okta Sign-In Widget. See Use the code editor.
Developer documentation update in 2025.04.0
The Update a published integration with the OIN Wizard is a newly restructured guide which consists of our existing publish integration content and a brand new updating the attribute mapping flow section for SCIM integrations.
Bugs fixed in 2025.04.0
The result of System Log events triggered by the
use_dpop_nonce
OAuth 2.0 error was FAILURE instead of CHALLENGE. (OKTA-902314)When the Okta-to-Okta Claims Sharing feature was enabled, users who signed in using ADSSO on a spoke org were prompted for their password in the hub org. (OKTA-897340)
Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)
If an AAGUID key that wasn’t verified by the FIDO Alliance Metadata Service (MDS) was added to an authenticator group, then future PUT requests to
api/v1/authenticators/{authenticatorId}/methods/webauthn
failed. (OKTA-875920)The wrong HTTP error code was returned for the SSF stream creation operation when one stream already existed. (OKTA-868972)
A Policies API GET request (
/api/v1/policies
) returned arel="next"
link when there were no more results. (OKTA-858605)The OIN Submission Tester didn't support custom domains in the IdP flow. (OKTA-835402)
When
/api/v1/apps
was called, it returned all applications assigned, even though the user wasn't part of the assigned resource set. (OKTA-826548)
March
Weekly release 2025.03.3
Change | Expected in Preview Orgs |
---|---|
Advanced search using conditioned profile attributes | March 26, 2025 |
Bugs fixed in 2025.03.3 | March 26, 2025 |
Advanced search using conditioned profile attributes
If you have an admin role with permission conditions to access certain user profile attributes, you can now search for those users with those attributes. Note that this search enhancement doesn't support the OR
operator.
Bugs fixed in 2025.03.3
Custom role admins with permission conditions couldn't search for users by
firstName
orlastName
. (OKTA-894392)The
user.identity_verification
System Log event displayed an incorrect assurance level for completed identity verifications with DENY results. (OKTA-893343)Some PUT requests to the
brands/{brandId}/templates/email/{templateName}/settings
endpoint received HTTP 500 Internal Server Error messages. (OKTA-886167)GET requests to the
/api/v1/users/me/appLinks
endpoint sometimes returned an HTTP 500 Internal Server error. (OKTA-873694)
Weekly release 2025.03.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.03.1 | March 12, 2025 |
Bugs fixed in 2025.03.1
createdBy
andlastUpdatedBy
custom attributes couldn't be used in group rules. (OKTA-566492)Custom admins who were limited to viewing only application group members received incomplete results when using the
List All Users API
without asearch
orfilter
parameter. (OKTA-801592)The JSON Web Token that Okta generates and sends to the OpenID Connect identity provider contained a string
exp
instead of a number 'exp'. (OKTA-852446)When making POST requests to
users/{userId}/factors/{factorId}/verify
orauthn/factors/{factorId}/verify
endpoints withfactorType
instead offactorId
in the URL path, multiple failed verification attempts didn't lock users out and the failed attempts weren't logged in the System Log. (OKTA-871469)When Okta sent a request with a refresh token to the token inline hook, the session user was sometimes sent rather than the refresh token user in
request.data.context
. (OKTA-869758)
Monthly release 2025.03.0
Global token revocation for wizard SAML and OIDC apps is GA in Production
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
OIDC IdPs now support group sync is GA in Production
OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Granular account linking for certain Identity Providers is GA in Production
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenId Connect and SAML 2.0.
Realms for Workforce is GA in Production
The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms (opens new window) and Realm Assignments (opens new window).
Improved group search functionality is GA in Production
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co
operator within the search
parameter of the Groups API. See Operators (opens new window) and search
within the Groups API (opens new window).
Improved user search functionality is GA in Production
You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to do user lookups and add users to groups. Use the co
operator within the search
parameter of the Users API. See Operators (opens new window) and search
within the Users API (opens new window).
Improved realms and device search functionality is GA in Production
We've extended the contains (co
) operator to realms and devices. You can now search for realms and devices whose profile attributes contain specified text through API. This makes lookups easier without needing to recall the exact names of various profile attributes. Use the co
operator within the search
parameter. See Contains operator (opens new window) and the search
parameter in the Realms (opens new window) and Devices (opens new window) APIs.
New End-user Enrollments API is GA in Production
The new End-user Enrollments API (opens new window) enables end users to enroll and unenroll authenticators by entering a URL directly into their browser. This reduces the time spent administering complex authenticator enrollment flows, and provides a streamlined enrollment process for users. After a user enrolls or unenrolls an authenticator, you can use the redirect_uri
property to redirect them to another page.
CLEAR Verified as a third-party identity verification provider is EA in Preview
Okta now supports using CLEAR Verified as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_CLEAR
as the IdP type
when you create an IdP (opens new window).
Verify an SSF Stream is EA in Preview
Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. In addition, the SSF Transmitter verification events claim structure is now compliant with the OpenID Shared Signals Framework ID3 spec.
MyAccount Password API updates
Admins can now send a PUT request to the /idp/myaccount/password
endpoint to update the password for a user. Also, admins can send a GET request to the /idp/myaccount/password/complexity-requirements
endpoint to retrieve password complexity requirements. See Replace a Password (opens new window) and Retrieve the Password Complexity Requirements (opens new window).
Identity Security Posture Management functionality in the OIN catalog
The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.
Default global session policy rule update
The default value for the maxSessionLifetimeMinutes
property of the default global session policy rule is now 1440
(24 hours) and can be changed. Previously the maxSessionLifetimeMinutes
property of the default global session policy rule was read-only.
See the Policies API (opens new window).
Developer documentation updates in 2025.03.0
The list of public permissions has moved from the Roles in Okta (opens new window) topic to the Permissions in Okta (opens new window) topic. The new topic contains more permission details for you to define your custom admin roles.
A new section has been added to the API documentation: Sign-in Experience API (opens new window). It contains the new End-user Enrollments API that enables end users to enroll and unenroll authenticators by entering a URL directly into their browser.
Bugs fixed in 2025.03.0
Some certificates with trailing characters were uploaded successfully to the
/domains/{domainId}/certificate
endpoint, despite their invalid format. (OKTA-486406)An incorrect response was returned when a
/token
request was sent with an inactive user in a direct authentication flow. (OKTA-853984)
February
Weekly release 2025.02.2
Change | Expected in Preview Orgs |
---|---|
Incode as a third-party identity verification provider is EA in Preview | February 20, 2025 |
Bugs fixed in 2025.02.2 | February 20, 2025 |
Incode as a third-party identity verification provider is EA in Preview
Okta now supports using Incode as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_INCODE
as the IdP type
when you create an IdP (opens new window).
Bugs fixed in 2025.02.2
An API request to create a resource set with a duplicate name sometimes returned a 5xx error instead of a 4xx error response. (OKTA-867792)
Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
The contains (
co
) operator sometimes gave unclear error messages when using less than three characters or with other operators. (OKTA-846206)When an admin attempted to revoke an API token (
DELETE /api/v1/api-tokens/{apiTokenId}
), and the credential used to authenticate the request was anaccess_token
for a Service client, an HTTP 403 error was returned. (OKTA-844384)
Weekly release 2025.02.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.02.1 | February 13, 2025 |
Bugs fixed in 2025.02.1
When a GET request was made using the User Grants API (
/api/v1/users/{userId}/grants
), the response didn't include pagination links in the response header. (OKTA-826775)The Users API returned inconsistent responses in Classic Engine orgs that allowed self-service registration and in Identity Engine orgs that were migrated from these orgs. (OKTA-833094)
In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
The On-Behalf of Token Exchange flow was returning the wrong error message when an invalid
subject_token_type
was requested. (OKTA-841223)When a POST request was made (
/api/v1/authorizationServers/{authServerId}/policies
) to create an authorization policy, thecreated
andlastUpdated
properties had a null value. (OKTA-848623)The
/user/verify_idx_credentials
endpoint didn't accept arbitraryfromUri
values. (OKTA-853353)AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
Some identity provider API POST (
/api/v1/idps
) and PUT (/api/v1/idps/{idpId}
) requests returned an HTTP 500 error code if the request didn't have thepolicy.accountLink
object in the request body. (OKTA-865143)
Monthly release 2025.02.0
Change | Expected in Preview Orgs |
---|---|
IP Exempt Zone is GA in Preview | October 23, 2024 |
Global token revocation for wizard SAML and OIDC apps is GA in Preview | September 11, 2024 |
OIDC IdPs now support group sync is GA in Preview | October 23, 2024 |
Granular account linking for certain identity providers is GA | December 11, 2024 |
Realms for Workforce is GA in Preview | February 13, 2025 |
Improved group search functionality is GA in Preview | February 12, 2025 |
Improved user search functionality is GA in Preview | February 12, 2025 |
Support for importing Active Directory group descriptions is GA in Production | February 6, 2025 |
Developer documentation updates in 2025.02.0 | February 6, 2025 |
Bugs fixed in 2025.02.0 | February 6, 2025 |
IP Exempt Zone is GA in Preview
This feature introduces useAsExemptList
as a read-only Boolean property that distinguishes the new default IP exempt zones from other zones. When you enable this feature and you make a GET api/v1/zones
request, Okta returns useAsExemptList
in the response. The value true
indicates that the zone is an exempt zone. Only system generated exempt zones are available.
Global token revocation for wizard SAML and OIDC apps is GA in Preview
Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.
OIDC IdPs now support group sync is GA in Preview
OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.
Granular account linking for certain identity providers is GA
When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenID Connect and SAML 2.0.
Realms for Workforce is GA in Preview
The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms (opens new window) and Realm Assignments (opens new window).
Improved group search functionality is GA in Preview
You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co
operator within the search
parameter of the Groups API. See Operators (opens new window) and search
within the Groups API (opens new window).
Improved user search functionality is GA in Preview
You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to add users to groups or apps. Use the co
operator within the search
parameter of the Users API. See Operators (opens new window) and search
within the Users API (opens new window).
Support for importing Active Directory group descriptions is GA in Production
The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.
Developer documentation updates in 2025.02.0
- The Style the Sign-In Widget (third generation) guide, under Brand and Customize, now describes how to use the
afterTransform
function. The function allows you to apply DOM customizations to the third generation of the widget. For example, you can useafterTransform
to change button text or to add an instructional paragraph. - The new Configure a device assurance policy guide, under Sign users in, describes how to manage device assurance policies in your org. The guide uses the Device Assurance Policies API to create and edit a policy, and add device assurance to an authentication policy. It also shows how to use the System Log API to check for device assurance events.
- The OIN Manager: submit an integration guide has been updated to include API service submission instructions.
Bugs fixed in 2025.02.0
- When calling deleted app users through the Apps API, the API returned a 500 internal server error instead of a 404 error. (OKTA-832609)
- PUT requests (
/api/v1/apps/appId
) to update an OpenID Connect app took 30 seconds to complete. (OKTA-852488) - When the List all devices API (opens new window) was used with a
search
query parameter, it sometimes returned outdated records forscreenLockType
andmanagementStatus
. (OKTA-856387)
January
Weekly release 2025.01.2
Change | Expected in Preview Orgs |
---|---|
Authentication claims sharing between Okta orgs is EA in Preview | January 29, 2025 |
Bugs fixed in 2025.01.2 | January 29, 2025 |
Authentication claims sharing between Okta orgs is EA in Preview
Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.
Bugs fixed in 2025.01.2
- When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (
/api/v1/zones/{DefaultExemptIpZone ID}
). (OKTA-817263) - The List all principal rate limits (opens new window) returned an empty response when querying with a custom
client_id
and using OAuth 2.0 for authentication. (OKTA-832687) - When a super admin updated a deactivated user to a different realm, admins received a
Resource not found
error. (OKTA-699778) - Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
- Refresh tokens for OpenID Connect apps that have Single Logout enabled with user session details were getting invalidated before their max lifetime. (OKTA-730794)
- Account unlock didn't work for some orgs using the Okta account management policy. (OKTA-848066)
Weekly release 2025.01.1
Change | Expected in Preview Orgs |
---|---|
Bugs fixed in 2025.01.1 | January 15, 2025 |
Bugs fixed in 2025.01.1
When an admin attempted to delete an IdP using the SDK, the operation failed with an HTTP 500 response code. (OKTA-846005)
POST requests with an OAuth token to the
/devices/{deviceId}/lifecycle/deactivate
endpoint by an API service app using the Client Credentials flow returned 403 error responses. The deactivations succeeded in spite of the error response. (OKTA-838539)
Monthly release 2025.01.0
Change | Expected in Preview Orgs |
---|---|
Additional use case selection in the OIN Wizard | January 8, 2025 |
Configure Identity Verification with third-party Identity Verification providers is GA Production | October 2, 2024 |
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access | January 8, 2025 |
Granular configuration for Keep Me Signed In is EA in Preview | January 8, 2025 |
Multiple Identifiers is GA in Preview | November 7, 2024 |
New group.source.id key for group functions in Expression Language | January 2, 2025 |
POST requests to the authorize endpoint is self-service EA | January 8, 2025 |
Bug fixed in 2025.01.0 | January 8, 2025 |
Additional use case selection in the OIN Wizard
Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:
- Automation
- Centralized Logging
- Directory and HR Sync
- Multifactor Authentication (MFA)
See OIN Wizard use case selection.
Configure Identity Verification with third-party Identity Verification providers is GA Production
You can now configure third-party Identity Verification providers using the IdP API and Okta account management policy rules. Okta supports Persona as a third-party Identity Verification provider.
Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. To configure an Identity Verification provider in the Admin Console, see Add an Identity Verification vendor as Identity Provider (opens new window).
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access
The following API endpoints have been deprecated:
- Extend Okta Support access (opens new window) (
POST /api/v1/org/privacy/oktaSupport/extend
) - Grant Okta Support access (opens new window) (
POST /api/v1/org/privacy/oktaSupport/grant
) - Revoke Okta Support access (opens new window) (
POST /api/v1/org/privacy/oktaSupport/revoke
)
Use the Update an Okta Support case (opens new window) endpoint to extend, grant, or revoke Okta Support access for a specific support case. For the corresponding Okta Admin Console feature, see Give access to Okta Support (opens new window).
Granular configuration for Keep Me Signed In is EA in Preview
Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Configure Keep me signed in (KMSI).
The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.
Multiple Identifiers is GA in Preview
Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-in, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Configure multiple identifiers.
New group.source.id key for group functions in Expression Language
You can now use the group.source.id
key in Expression Language group functions to filter between groups that have the same name. See Group functions.
POST requests to the authorize endpoint is Self-Service EA
You can now send user data securely in a POST request body to the /authorize endpoint.
Developer documentation updates in 2025.01.0
The Sign users in to your SPA using redirect guides for the Angular and React platforms are now revised to use updated versions of Okta SDKs, framework dependencies, and coding patterns.
Bug fixed in 2025.01.0
Requests to the /policies/{policyId}/rules
and /policies/{policyId}/rules/{ruleId}
endpoints to create or update Okta account management policy rules included default Keep me signed in (KMSI) settings in the responses. (OKTA-848236)