Okta Identity Engine release notes (Production)
Okta Classic Engine release notes (Production)
Version: 2026.04.0
April 2026
Generally Available
Search for IdPs in the Sign-In Widget
When there are more than 10 IdPs on the Sign-In Widget, it now displays a search field so users can easily find the IdP they're looking for.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2026-01-05
Sign-In Widget, versions 7.44.1 and 7.44.0
For details about these releases, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
Slack integration for Identity Governance
Okta for Government Moderate and Government High customers who use commercial Slack instances can now integrate Slack with their org to streamline access management in Access Requests and Access Certifications. Users can now submit and approve requests in Slack as well as receive Slack notifications for access requests and certification campaigns. Feature availability varies depending on whether the Unified requester experience feature is enabled. See Okta Identity Governance Limitations for Public Sector Service and Integrate Slack.
Custom admin permissions for inline and event hooks
The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.
Provisioning for MuleSoft Anypoint Platform
Admins can now automate user lifecycle management for the MuleSoft Anypoint Platform app. This integration supports creating, updating, and deactivating users, and pushing groups as teams. See MuleSoft Anypoint Platform provisioning.
URL validation for custom identity verification (IDV)
Validation has been added to the URL fields from the custom IDV configurations. This helps prevent malicious Distributed Denial-of-Service (DDoS) attacks based on Server-Side Request Forgery (SSRF).
Increase to the maximum access duration limit
When you create or edit access request conditions, you can now set the Access duration field to a maximum of 365 days or 52 weeks.
Submit entitlement management integrations
Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.
Detection settings in session protection
Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy reevaluations, helping you focus only on what truly matters. See Session protection.
New System Log objects for security.request.blocked events
The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:
- Operator indicates whether the type is VPN or Proxy
- Type includes values like VPN, Proxy, and Tor
- IsAnonymous indicates if the proxy is anonymous
These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.
Maximum consecutive characters setting for passwords
You can now set a maximum number of consecutive repeating characters in passwords. This feature enhances security by allowing you to customize your password strength requirements.
Block words from being used in passwords
You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.
Early Access
Okta for AI Agents is self-service EA
Orgs that are subscribed to Okta for AI Agents can now enable the product from the Features page. You can use Okta for AI Agents to register, secure, and govern AI agent identities directly within Okta. See Manage AI agents.
New System Log events for Cross App Access connections
The following events are fired when you create, delete, or update a Cross App Access connection:
- app.cross_app_access.connection.create
- app.cross_app_access.connection.delete
- app.cross_app_access.connection.update
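A triage pass over exported System Log events for the three event types listed above, added here as an example and not Okta's own code. The sample events, the actor allowlist, the 10-minute window, and the assumption that the connection is the first `target` entry are constructed for illustration.

```python
"""Triage Okta System Log events for Cross App Access connection changes."""
import json
from datetime import datetime, timedelta

# Event types named in the release note.
CAA_EVENTS = {
    "app.cross_app_access.connection.create",
    "app.cross_app_access.connection.delete",
    "app.cross_app_access.connection.update",
}

# Assumption: the admins expected to manage these connections (constructed).
APPROVED_ACTORS = {"iam-admin@example.com"}

# Constructed JSON-lines sample using standard System Log fields
# (published, eventType, actor.alternateId, outcome.result, target[]).
SAMPLE_LOG = """
{"published":"2026-04-07T14:00:00.000Z","eventType":"app.cross_app_access.connection.create","actor":{"alternateId":"iam-admin@example.com"},"outcome":{"result":"SUCCESS"},"target":[{"id":"caa-conn-01"}]}
{"published":"2026-04-07T14:01:00.000Z","eventType":"user.session.start","actor":{"alternateId":"helpdesk@example.com"},"outcome":{"result":"SUCCESS"},"target":[]}
{"published":"2026-04-07T14:05:00.000Z","eventType":"app.cross_app_access.connection.create","actor":{"alternateId":"helpdesk@example.com"},"outcome":{"result":"SUCCESS"},"target":[{"id":"caa-conn-02"}]}
{"published":"2026-04-07T14:09:30.000Z","eventType":"app.cross_app_access.connection.delete","actor":{"alternateId":"helpdesk@example.com"},"outcome":{"result":"SUCCESS"},"target":[{"id":"caa-conn-02"}]}
{"published":"2026-04-07T15:00:00.000Z","eventType":"app.cross_app_access.connection.update","actor":{"alternateId":"contractor@example.com"},"outcome":{"result":"FAILURE"},"target":[{"id":"caa-conn-01"}]}
"""


def parse_events(text):
    """Parse a JSON-lines export and keep only Cross App Access events."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventType") in CAA_EVENTS:
            # Normalise the trailing "Z" so older Python versions can parse it.
            ev["_ts"] = datetime.fromisoformat(
                ev["published"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def find_alerts(events, approved=APPROVED_ACTORS,
                window=timedelta(minutes=10)):
    """Return (rule, action, actor, target_id) tuples for successful changes.

    Rules:
      unapproved_actor        change made by an actor outside the allowlist
      short_lived_connection  connection deleted within `window` of creation
    """
    alerts = []
    created_at = {}  # target id -> time of its last successful create
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"]
        targets = ev.get("target") or [{}]
        target = targets[0].get("id", "unknown")
        action = ev["eventType"].rsplit(".", 1)[-1]
        if actor not in approved:
            alerts.append(("unapproved_actor", action, actor, target))
        if action == "create":
            created_at[target] = ev["_ts"]
        elif action == "delete" and target in created_at:
            if ev["_ts"] - created_at.pop(target) <= window:
                alerts.append(
                    ("short_lived_connection", action, actor, target))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```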
IBM Db2 LUW support for On-premises Connector for Generic Databases
The On-premises Connector for Generic Databases now supports IBM Db2 LUW. This enables admins to manage users and entitlements in IBM Db2 LUW environments. See On-premises Connector for Generic Databases.
Fixes
- Data was missing from the policy.rule.update System Log event. (OKTA-888091)
- Users couldn't complete authentication or proceed past the sign-in page when a policy rule required user verification but users hadn't yet enrolled in that factor type. (OKTA-914818)
- Apps created from the On-premises Connector for Generic Databases incorrectly appeared on the End-User Dashboard. Clicking the app resulted in an invalid redirect because the connector doesn't support SSO. (OKTA-1076893)
- When users tried to sign in with an unenrolled passkey, the Sign-In Widget (third generation) error page didn't display the Username and Keep me signed in fields. (OKTA-1093610)
- An incorrect error message was displayed when a Bidirectional Group Management issue occurred. (OKTA-1104305)
- Users received an error if they double tapped Sign in with a Passkey on Safari or Chrome browser on iOS. (OKTA-1107055)
- The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)
- The passkey icon wasn't displayed consistently on the Sign-In Widget when the Create passkeys setting was enabled. (OKTA-1109452)
- In some orgs, when users authenticated with an OIDC IdP, Okta deleted their account and made them a new one with a different user ID. (OKTA-1112671)
- When an admin deactivated a Group Push mapping rule, membership updates stopped for previously matched groups. (OKTA-1125151)
- When a DirSync import failed with a permission error, the agent was operational but had the Disruption label in the Admin Console. (OKTA-1128087)
- Some admins couldn't use the Send a test email feature with their custom email provider. (OKTA-1129589)
Okta Integration Network
- Dokio now supports an additional custom attribute.
- Reftab Discovery (API Service) now supports the Groups Read scope.
- ZoomInfo (SCIM) was updated.
Version: 2026.03.0
March 2026
Generally Available
Sign-In Widget, version 7.43.0
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
Improved error handling for group membership searches
When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.
Admin Console recent search results
The spotlight search now displays the admin's recent search results. See Admin Console search.
Identity Threat Protection (ITP) page for eligible orgs
In eligible orgs, super admins can now access the Security > Identity Threat Protection page. The page provides information about how ITP works and helps super admins contact Okta to start a trial of the product. The page is also available from the Security Monitoring widget on the Administrator Dashboard. See Identity Threat Protection with Okta AI.
Yammer rebranded to Microsoft Viva
The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.
Enhanced provisioning controls for Microsoft Office 365
Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.
Grace period for device assurance
Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for the device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.
Dynamic OS version compliance for device assurance
You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.
Early Access
Improved DirSync-based imports
Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.
Self-Service for Enhanced Disaster Recovery
When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.
Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.
With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.
Fixes
- You couldn't search for and select users with Provisioned, Active, Recovery, Password Expired, or Locked out status when assigning a step in an approval sequence and in request types. (OKTA-944822)
- Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)
- Some users couldn't upload valid YubiKey seed files. (OKTA-1078087)
- Some users saw a Failed to fetch error message on the Sign-In Widget when they tried to reset their password using email. (OKTA-1083742)
- In some orgs, users who authenticated on a shared device could be signed in as a previous user. (OKTA-1100263)
- The passkeys option was missing from some text strings in the Sign-In Widget. (OKTA-1108991)
- The Access Testing Tool incorrectly evaluated authentication policy rules for Android devices with Device Assurance. (OKTA-1111439)
- When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)
- Bot detection events were logged for standard Admin/Management API calls when the Sign-In Widget wasn't involved. (OKTA-1113990)
- Sometimes users on mobile devices saw a legacy authentication flow instead of the expected interface when they attempted to authenticate without Okta Verify installed. (OKTA-1115306)
- In some preview orgs, admins didn't see the Security > Authentication Policies page. (OKTA-1119757)
- Some orgs couldn't send email through their custom SMTP. (OKTA-1124146)
Okta Integration Network
- Guardare (SAML) is now available. Learn more.
- Valence Remediation (API) is now available. Learn more.
- Cato Networks Provisioning now supports user imports and updates.
- PerimeterX now supports SAML.
- PerimeterX now supports SCIM.
- Druva Data Security Cloud (API Service) now has the okta.clients.read scope.
- Natoma has a new app icon.
- Adobe Creative (SWA) was updated.
- Adobe Fonts (SWA) was updated.
Weekly Updates
2026.03.1: Update 1 started deployment on March 16
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 14, 15, 16 security patch 2026-03-01
- iOS 18.7.6
- iOS 26.3.1
- macOS 26.3.1
To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.
Device assurance OS version update
Windows 11 (26H1) isn't a supported release under Device Assurance policies. This is a special release only for select new devices.
Fixes
- An error occurred when an admin attempted to add a duplicate SWA integration. (OKTA-600590)
- Authentication policy rules with user type conditions weren't evaluated when users initiated a Native to Web SSO flow using an interclient token. (OKTA-1103810)
- When DirSync was enabled, AD incremental imports removed group description values in Okta. (OKTA-1108167)
- When an admin integrated an app through the API, some of the custom SSO properties didn't populate on the integration page. (OKTA-1109692)
- The Add Resource dialog couldn't load more users or groups if the search term included special characters. (OKTA-1114749)
- When an admin pressed the Enter key to select a recent spotlight search result, the search field disappeared. (OKTA-1115374)
- The Microsoft Teams app integration incorrectly redirected users to an outdated URL during the Secure Web Authentication (SWA) flow. (OKTA-1117744)
- The mandatory SSO configuration check for testing information was incorrectly bypassed for all SSO submissions. (OKTA-1119127)
- Workflows admins couldn't edit their admin email notifications. (OKTA-1119296)
- When admins provisioned users, incremental synchronizations for permission sets failed. The connector pushed duplicate permission set assignments, which resulted in errors for sets already assigned to the user. (OKTA-1121168)
- Admins could initiate temporary password resets for users sourced from Okta, Active Directory (AD), or LDAP, bypassing the password policy that disabled self-service password reset. (OKTA-1122913)
- The Sign-In Widget didn't load the bot protection enforcement challenge required on some endpoints, leading to an incorrect user redirect to a 403 page. (OKTA-1125106)
Okta Integration Network
- CyberProof Threat Exposure Management Platform (API integration) is now available. Learn more.
- Google Cloud Workforce Identity Federation (SAML) is now available. Learn more.
- Google Cloud Workforce Identity Federation (SCIM) is now available. Learn more.
- Sensor Tower (SAML) is now available. Learn more.
- YakChat (OIDC) is now available. Learn more.
- Google Cloud Workforce Identity Federation (OIDC) has a new Redirect URI. Learn more.
- JetBrains (SWA) was updated.
2026.03.2: Update 2 started deployment on March 23
Generally Available
Sign-In Widget, version 7.40.4
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Windows 10 (10.0.17763.8511, 10.0.19044.7058, 10.0.19045.7058)
- Windows 11 (10.0.22631.6783, 10.0.26100.8037, 10.0.26200.8037)
Okta Provisioning agent, version 3.1.0
Okta Provisioning agent 3.1.0 is now available. This version introduces strict SCIM error validation to ensure standard compliance and resolves an issue that prevented the agent from starting. See Okta Provisioning agent and SDK version history.
Fixes
- The Go to Profile Editor and Force Sync buttons weren't disabled for read-only admins. (OKTA-1031561)
- Users couldn't press the escape key to close the navigation menu in My Settings. (OKTA-1047944)
- OIDC-configured Org2Org apps appeared as eligible for SAML conversion on the Tasks page in the Admin Console. (OKTA-1053194)
- Admins were prematurely signed out when using non-registered devices to access apps protected by Chrome Device Trust. (OKTA-1093201)
- Okta Verify enrollment flows didn't work consistently with the Okta account management policy. (OKTA-1100648)
- In orgs with SAML Okta Org2Org integrations, the Sign-In Widget sometimes displayed incorrect user information. (OKTA-1102232)
- Screen readers couldn't detect duplicate error messages in the Sign-In Widget (third generation). (OKTA-1109288)
- After an update, the Okta Provisioning Agent failed to start due to a permission error on the bundled Java binary. (OKTA-1110701)
- SCIM OAuth2 token expiration dates set beyond January 19, 2038 were incorrectly stored. (OKTA-1111756)
- During AD password migrations, some users who performed a password change were migrated with a stale password. (OKTA-1115797)
- Some AD users' sessions weren't terminated after they changed their password and clicked Sign out from all other devices. (OKTA-1119410)
- Brackets in OIN display names didn't appear on the app integration pages. (OKTA-1122916)
- When user enumeration prevention was enabled, the self-service unlock flow wasn't triggered for users on known devices. (OKTA-1123124)
- When a SCIM server returned a 404 Not Found error during an on-premises provisioning import, the agent interpreted the error as a completed import. This resulted in a partial import that deprovisioned some users. (OKTA-1123270)
- On the Administrators > Admins tab, the info icon was missing for admins with more than 10 role assignments. (OKTA-1125121)
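The failure mode described in OKTA-1123270, modelled as an added example (not the Provisioning agent's code): a paginated SCIM import that treats a 404 as end-of-results, next to one that aborts before any deprovisioning decision is made. The `fetch` stub, user names, and page size are constructed assumptions; the list-response fields follow RFC 7644.

```python
"""Why a failed SCIM page must never feed a deprovisioning decision."""

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed data: users the importing side already knows about.
USERS = ["alice", "bob", "carol", "dave", "erin"]
KNOWN = set(USERS)


class ImportIncomplete(Exception):
    """Raised when the import cannot be proven complete."""


def make_server(users, fail_at=None):
    """Constructed stand-in for a SCIM server: returns (status, body)."""
    def fetch(start_index, count):
        if fail_at is not None and start_index >= fail_at:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        page = users[start_index - 1:start_index - 1 + count]
        return 200, {
            "schemas": [LIST_SCHEMA],
            "totalResults": len(users),
            "startIndex": start_index,
            "itemsPerPage": len(page),
            "Resources": [{"userName": u} for u in page],
        }
    return fetch


def import_lenient(fetch, count=2):
    """Flawed model: a 404 ends the loop as if the import had finished."""
    seen, start = set(), 1
    while True:
        status, body = fetch(start, count)
        if status == 404 or not body.get("Resources"):
            return seen
        seen.update(r["userName"] for r in body["Resources"])
        start += count


def import_strict(fetch, count=2):
    """Hardened model: any non-200 page or count mismatch aborts the import."""
    seen, start, total = set(), 1, None
    while total is None or start <= total:
        status, body = fetch(start, count)
        if status != 200:
            raise ImportIncomplete(f"page at startIndex={start}: HTTP {status}")
        total = body["totalResults"]
        resources = body.get("Resources", [])
        if not resources and start <= total:
            raise ImportIncomplete("empty page before totalResults reached")
        seen.update(r["userName"] for r in resources)
        start += len(resources)
    if len(seen) != total:
        raise ImportIncomplete(f"got {len(seen)} users, expected {total}")
    return seen


def reconcile(known, imported):
    """Users to deprovision: known locally but absent from the import."""
    return sorted(known - imported)


def plan_deprovisioning(known, fetch):
    """Return (users_to_deprovision, import_complete)."""
    try:
        return reconcile(known, import_strict(fetch)), True
    except ImportIncomplete:
        # No reconciliation on a partial view of the directory.
        return [], False


if __name__ == "__main__":
    broken = make_server(USERS, fail_at=3)
    print("lenient:", reconcile(KNOWN, import_lenient(broken)))
    print("strict: ", plan_deprovisioning(KNOWN, broken))
```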
Okta Integration Network
- Brellium (OIDC) is now available. Learn more.
- Brellium (SCIM) is now available. Learn more.
- Doppel (OIDC) is now available. Learn more.
- Draftwise (SAML) is now available. Learn more.
- Guardare - EU (SAML) is now available. Learn more.
- Portnox (OIDC) is now available. Learn more.
- Doppel (OIDC) now supports Express Configuration.
- Doppel (OIDC) now supports Universal Logout.
- IdentiGuard (API Service) now has the okta.users.read and okta.factors.read scopes.
- 6sense legacy (SAML) was updated.
- Google Cloud Workforce Identity Federation was updated.
- Jack Henry & Associates Client Portal (SWA) was updated.
- Observe.AI (SCIM) was updated.
- UPS (SWA) was updated.
- ZoomInfo (SCIM) was updated.
2026.03.3: Update 3 started deployment on March 30
Generally Available
Provisioning for ThoughtSpot
Provisioning is now available for the ThoughtSpot app integration. When you provision the app, you can enable security features like Entitlement Management. See ThoughtSpot.
Jamf Pro User Enrollment provisioning
Admins can automate user lifecycle management and use OAuth-based authentication to support user provisioning, profile updates, and deactivation. This integration also supports importing users and pushing groups from Okta to Jamf Pro User Enrollment. See Jamf Pro User Enrollment.
Fixes
- In the OIN Wizard, ISVs were unable to edit integrations after a published instance was generated. A repetitive instance generation loop prevented access to the editing interface and blocked configuration updates. (OKTA-1100298)
- For Native to Web SSO, the issuer validation for SAML app intent links was too strict. (OKTA-1115767)
- Admins couldn't edit the authenticator enrollment policy for custom one-time passcodes when the grace periods feature was enabled. (OKTA-1121225)
- Some users saw an error message when they tried to sign out from the My Settings page. (OKTA-1126441)
- Some report admins received a 403 error when loading the Authentication Activity report. (OKTA-1126512)
- When users attempted to authenticate on Android devices, some password managers didn't allow them to register passkeys. (OKTA-1135513)
- The Sign-In Widget didn't load the bot protection enforcement challenge required on some endpoints, leading to an incorrect user redirect to a 403 page. (OKTA-1136962)
- Okta Verify out-of-band authentication enrollment failed when the Okta account management policy was evaluated. (OKTA-1142207)
Okta Integration Network
- Archlet (OIDC) is now available. Learn more.
- Archlet (Staging) (OIDC) is now available. Learn more.
- Brevity (SCIM) is now available. Learn more.
- Jamf Admin Access (OIDC) is now available. Learn more.
- Parabol (SCIM) is now available. Learn more.
- Tiled (SAML) is now available. Learn more.
- Archlet (Staging) now supports Express Configuration.
- Archlet (Staging) now supports Universal Logout.
- Archlet now supports Express Configuration.
- Jamf Admin Access now supports Express Configuration.
- Jamf Admin Access now supports Universal Logout.
- Tiled now supports SCIM.
- Brevity has a new integration guide.
- Fabrix Smart Action (API Service) now has the okta.apps.manage, okta.users.manage and okta.users.read scopes.
- Parabol has a new logo, SAML Configuration Guide, and App description.
- Udemy Business has a new optional App Instance Property and a new configuration guide. Learn more.
- Campaigner (SWA) was updated.
Version: 2026.02.0
February 2026
Generally Available
Sign-In Widget, versions 7.40.0, 7.41.0, 7.42.0, 7.43.0
For details about these releases, see the Sign-In Widget release notes. For more information about the Sign-In Widget, see the Okta Sign-In Widget.
Group push for Zoho Mail
Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.
Okta Provisioning agent, version 3.0.7
Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:
- The Generic Database Connector now supports Base64 encoded path parameters.
- Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.
Access revoked notifications
For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.
Admin Console French translation
Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- iOS 26.2.1
- iOS 18.7.4
The following versions are no longer supported:
- Windows 11 (10.0.22621.0, 10.0.22621.6060)
Updated Sign-In Widget instructions for Chrome 145
The remediation instructions in the Sign-In Widget now reflect Chrome 145 permission changes that differentiate between local and loopback networks. This update describes the permission as Access other apps and services on this device, rather than Look for and connect to any device on your local network. The updated instructions ensure that users see accurate guidance when prompted to allow Okta Verify to communicate with the browser. See Chrome device permissions.
Agents page description
The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.
Protected action notifications removed
For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.
UI improvements to the User profile risk tab
Columns of the table on the User profile risk tab have been reordered for better visibility, and context change events have been replaced with policy violation events.
LDAP Bidirectional Group Management
Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.
Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.
Radius Agent version 2.26
This version includes internal improvements and fixes.
WS-Trust 1.3 support for Windows Transport
Windows Transport now supports WS-Trust 1.3 protocol. This enables Silent Activation for newer Microsoft Office clients, eliminating the need for users to manually enter their credentials.
Custom FIDO2 AAGUID
Customers can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives customers greater flexibility and control over the security in their environment.
Early Access
Device-Bound Single Sign-On
Device-Bound Single Sign-On initiates a hardware-protected session for seamless access to apps after users sign in to Okta-joined macOS and Windows devices. This feature provides session replay protection and a streamlined authentication experience. See Device-Bound Single Sign-On.
Okta FastPass using SSO extension now supports Chrome on macOS
You can now enable the SSO extension support for Chrome on macOS option to support use of the SSO extension on Chrome 146 or later. This ensures seamless authentication for users on the latest browser versions on macOS.
Okta as a fallback identity provider
This feature redirects users to Okta to authenticate if the primary identity provider can't establish their identity. This can happen because of explicit rejections, like invalid credentials and MFA failures, or if an existing user session can't be silently verified, such as during a prompt=none OIDC request or IsPassive=true SAML request. See Configure identity provider routing rules.
Authentication Activity report
The Authentication Activity report provides detailed authentication insights including Okta FastPass usage, complementing the MFA Activity report. You can view activity filtered by device type (Android, iOS, macOS, Windows), management state (managed, unmanaged), registration status (registered, unregistered), and verification method (TOTP, Push, Okta FastPass). See Authentication Activity report.
OAuth 2.0 support for custom email providers
You can now configure custom email providers with OAuth 2.0 authentication. You can choose between two OAuth 2.0 client configurations to fetch access tokens and use those access tokens to authenticate with your email provider's SMTP server. See Use your own email provider.
Detect and discover AI agents
Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Detect and discover AI agents.
On-premises connector for Generic Databases
The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.
Bot protection
Bot protection enables orgs to automatically identify and mitigate bot traffic by configuring remediation actions within the Identity Threat Protection (ITP) landing page. See Bot protection.
Skip counts for authenticator enrollment grace periods
This feature allows admins to define how many times end users can skip enrollment in an authenticator, and to customize the prompt that end users see during the grace period. See Authenticator enrollment policies.
Passkeys rebrand
The FIDO2 (WebAuthn) authenticator is being rebranded to Passkeys (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and provide users with a more intuitive sign-in process with the Sign in with a passkey button. See Configure the Passkeys (FIDO2 WebAuthn) authenticator.
Enhanced breached credentials protection
This feature provides a premium breached credentials detection feed for Okta Customer Identity (OCI) customers with Identity Threat Protection, which identifies more compromised credentials sooner. See Breached credentials protection.
User enumeration prevention enhancement
Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.
Fixes
- When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)
- Downloaded versions of the Session Protection Violation report displayed an outdated report name. (OKTA-945660)
- The Okta user status found in Get User API calls was inconsistent with the status in the User Profile page of the Admin Console. (OKTA-998996)
- Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)
- Users who entered an invalid activation code in the Sign-In Widget (third generation) were redirected to an error page and had to restart the sign-in flow. (OKTA-1062744)
- On the Authenticator groups page, the Edit option didn't work if the group contained an AAGUID that had been removed from the FIDO Metadata Service (MDS) catalog. (OKTA-1065999)
- No policy.rule.update event was recorded in the System Log when the Session Protection Status was changed. (OKTA-1067983)
- The CSP allowlist blocked the CAPTCHA script from running on the Agentless Desktop SSO endpoint. (OKTA-1079691)
- When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)
- Users were required to sign out twice from the Settings page when both the End User Settings V2 and Device-Bound SSO features were enabled. (OKTA-1082227)
- When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)
- The header on the authorization server page sometimes rendered twice. (OKTA-1089098)
- For some orgs using ITP, network zone matching failed when policies were re-evaluated during a session. (OKTA-1091799)
- Admins could delete authenticators that were used in app sign-in policies. (OKTA-1093364)
- Some users saw an infinite redirect loop when they tried to access their account settings using the Safari browser. (OKTA-1093837)
Okta Integration Network
- Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
- HashiCorp Vault (OIDC) is now available. Learn more.
- Instagram (SWA) was updated.
- Mailchimp (SWA) was updated.
- Solarwinds Customer Portal (SWA) was updated.
- Peaxy Lifecycle Intelligence (OIDC) has a new app name.
Weekly Updates
2026.02.1: Update 1 started deployment on February 17
Generally Available
Device assurance OS version update
The following OS versions are now supported in device assurance policies:
- Android 13, 14, 15, 16 security patch 2026-02-01
To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.
Fixes
- Group rules sometimes failed when they were executed immediately after a group rule was deleted. (OKTA-880814)
- Group push sometimes failed during deployments. (OKTA-941489)
- In orgs with the Enable Custom Admin Roles for Identity Providers Early Access feature enabled, admins with View IdP or Manage IdP custom admin roles couldn't configure existing IdPs, even though they had the right permissions. (OKTA-1091232)
- When the display language was set to French, the Agents and API > Tokens pages weren't translated. (OKTA-1104991)
- App imports failed with a BeanCreationNotAllowedException error when system deployments interrupted the process. (OKTA-1105164)
- When a user's API status was suspended but their user status differed, their password could incorrectly be expired. (OKTA-1108658)
Okta Integration Network
- Priverion Platform SSO with SCIM 2.0 (SAML) is now available. Learn more.
- Priverion Platform SSO with SCIM 2.0 (SCIM) is now available. Learn more.
- Webrix (OIDC) is now available. Learn more.
- Webrix (SCIM) is now available. Learn more.
- BrandLife (OIDC) is now available. Learn more.
- Brava Security (OIDC) is now available. Learn more.
- Brava Security now supports Express Configuration.
- WideField Security - Detect has a new integration guide.
- Druva Data Security Cloud (API) now has the okta.authorizationServers.manage, okta.devices.read, okta.idps.manage, and okta.roles.manage scopes.
- Vanta (SAML, SCIM) was updated.
2026.02.2: Update 2 started deployment on February 23
Generally Available
Okta On-Prem MFA agent version 1.8.5
This version includes security enhancements.
Sign-In Widget, version 7.40.5
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
Sign-In Widget, version 7.40.4
For details about this release, see Sign-In Widget Release Notes. For more information about the widget, see Okta Sign-In Widget.
Fixes
- In the OIN Wizard, the Last Published date was incorrect. (OKTA-670448)
- The Sign-In Widget stopped processing the authentication challenge for some users signing in with Okta FastPass. (OKTA-938817)
- When admins configured custom array profile attributes, users saw inconsistent UI elements on the Personal information page of the End User Settings version 2.0. (OKTA-978783)
- For some Native to Web SSO events, the System Log didn't display information about the interclient token ID. (OKTA-1063754)
- IdP icons weren't displayed during authentication when the Skip the verify screen and redirect to the IdP authenticator feature was enabled. (OKTA-1080293)
- Admins could assign new app sign-in policies to the Desktop MFA app. (OKTA-1094313)
- Users couldn't reset a forgotten password if the Okta account management policy was required for password expiration. (OKTA-1099641)
- When the Sign-In Widget was embedded in an iframe, Chrome device trust signal collection was blocked. This prevented users from accessing apps that required a device trust signal. (OKTA-1105149)
- When End User Settings version 2.0 was enabled, some users couldn't update their Delegated Authentication passwords. (OKTA-1107875)
- Users couldn't perform a self-service unlock if User Enumeration Prevention was selected for recovery only and the Show Lockout Failures feature was enabled. (OKTA-1109956)
- When the display language was set to French, the list of network zones on the Networks page wasn't translated. (OKTA-1111126)
- When the display language was set to French, some of the button labels on the Set up Active Directory pages weren't translated. (OKTA-1111128)
- In some orgs, admins couldn't activate or deactivate IdP routing rules. (OKTA-1112099)
- In orgs with Device claims support for Okta-to-Okta Claims Sharing enabled, claims weren't sent in the SAML assertion if device signals weren't collected in the IdP org. (OKTA-1112627)
Okta Integration Network
- Natoma (SCIM) is now available. Learn more.
- Natoma (SAML) is now available. Learn more.
- 6sense legacy (SCIM) is now available. Learn more.
- Four/Four (OIDC) is now available. Learn more.
- Docupilot (SAML) is now available. Learn more.
- IdentiGuard (API Service) has new scopes. Learn more.
- Zylo now supports the okta.userTypes.read and okta.schemas.read scopes.
- Zylo with Okta Actions (API Service) now supports the okta.userTypes.read and okta.schemas.read scopes.
- Drata (OIDC) has new redirect URIs. Learn more.
- 6sense - Platform has a new app description and is rebranded as 6sense legacy.
- RevSpace (OIDC) has a new app icon.
- Hubspot (SWA) was updated.
2026.02.3: Update 3 started deployment on March 2
Fixes
- In the Okta Integration Network wizard, some configuration fields for OIDC and SAML didn't consistently validate inputs against malicious expressions or URLs. (OKTA-983340)
- When creating an AD integration, the Admin Console displayed the incorrect organization URL for the Okta Active Directory agent. (OKTA-1044074)
- When admins edited certain Microsoft Office 365 authentication policy rules, the AND User must authenticate with field incorrectly displayed Any 1 factor type instead of the configured assurance requirement. (OKTA-1055783)
- When admins enabled Force rematch on subsequent imports, unconfirmed users with an exact match weren't automatically matched or confirmed during scheduled imports. (OKTA-1087380)
- When LDAP users were provisioned using a Generalized Time attribute from Okta to LDAP OID or OpenDJ, the time was incorrectly formatted. (OKTA-1096662)
- When an admin selected Create or Update in the provisioning settings of an Office 365 app, and then canceled the changes, the Manage Provisioning Scope section disappeared from the To App tab when they navigated away and back to the page. (OKTA-1105441)
- The policy.evaluate_sign_on event in the System Log was missing the IdvReferenceId field for identity proofing policies. (OKTA-1111157)
- Adding a group to an AD password migration sometimes resulted in a 500 internal server error. (OKTA-1114115)
- Some UI elements were misaligned on the Detection and Response tab of the Identity Threat Protection page. (OKTA-1115281)
- Orchestrated import jobs sometimes failed when an object lacked an ancestor. This caused the import process to stop unexpectedly while handling group memberships or deleted objects. (OKTA-1115537)
- An error occurred when an admin unlinked an app from an AI agent. (OKTA-1116036)
Okta Integration Network
- Brain Payroll (OIDC) is now available. Learn more.
- Neo (API Service) is now available. Learn more.
- Operant MCP Gateway (OIDC) is now available. Learn more.
- Speeda (OIDC) is now available. Learn more.
- Zerocater (OIDC) is now available. Learn more.
- Zerocater (SCIM) is now available. Learn more.
- Zerocater now supports Universal Logout.
