Okta Classic Engine release notes (Production)

Version: 2025.05.0

May 2025

Generally Available

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Microsoft Office 365 Single Sign-on integration supports SHA-256

The Office 365 SSO integration (WS-Fed Auto and Manual) now uses SHA-256 for signing the authentication token.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.3.0 and Okta Provisioning agent SDK 2.2.0 are now available. These releases contain bug fixes and minor improvements. See Okta Provisioning agent and SDK version history.

Device assurance OS version updates

Device assurance policies now support the following OS versions

Android 12, 13, 14, and 15 to security patch 2025-05-01
iOS 18.4.1
macOS Sequoia 15.4.1
Windows 10 (10.0.17763.7136, 10.0.19044.5737, 10.0.19045.5737)
Windows 11 (10.0.22621.5189, 10.0.22631.5189, 10.0.26100.3775)

Removal of device support for Windows 11 21H2

Okta Verify no longer supports devices that use Windows 11 21H2. See Supported platforms for Okta Verify.

Support for additional attributes in Office 365's Universal Sync

Office 365's Universal Sync now enables users to access Kerberos resources with Windows Hello for Business. See Supported user profile attributes for Office 365 provisioning

Improved Documentation Search

The search functionality on Okta help has been updated with the following improvements:

Localized Japanese search: Supports localized searches in Japanese for all translated content.
Focused results: Searches take place directly in Okta help instead of rerouting users to the Okta Help Center.

These features are now available on Okta help to help users quickly locate relevant documentation for their specific needs.

Okta Active Directory agent, version 3.20.0

This release includes support for enhanced incremental imports from AD using DirSync. Incremental import with DirSync avoids full imports and offers delta imports with AD that significantly improves performance. Configuration and opt-in is required within Okta after an agent update. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history

New protected action

Creating API tokens is now a protected action. When you enable this feature in your org, admins are prompted for authentication when they perform create an API token, at an interval that you specify. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org. See Protected actions in the Admin Console.

Updates to the advanced search filters

The operators dropdown menu in the Advanced search section on people, groups and group membership pages shows all options and grays out the options that aren't applicable.

ADFS version 1.8.3

Bug fixes and security hardening.

Updated text for the Login.gov IdP

For the Login.gov IdP, the Type of Identity Verification label has been updated to Type of Service Level, and the list of possible service levels has been updated.

MFA enabled by default in new app sign-on rules

Multifactor authentication (MFA) is now enabled by default in new app sign-on rules when MFA factors are available to users. Additionally, reauthentications are now set to once per day by default.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Early Access

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.

This feature is following a slow rollout process beginning on May 15.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Fixes

When doing incremental imports using Okta Provisioning agent, users whose profiles weren't modified were removed from groups in Okta. (OKTA-884952)
The border for the table of Active Directory instances on the Delegated Authentication page was missing. (OKTA-893589)
When admins enabled the Unified Look and Feel for Okta Admin Console feature, some user interface elements didn't render correctly on Default Policy pages. (OKTA-903370)
Some users saw a login hint in the UserHome page URL for OIDC apps even though login hints were disabled. (OKTA-919432)
Super admins couldn't always access Workflows with the role-based access control (RBAC) feature enable. (OKTA-920704)
When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if IdP didn't provide any AMR claims. (OKTA-922086)
PERIMETER81_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-923426)
When a call to activate a downstream app user failed while activating a user, the user was stuck in an activating status. (OKTA-925217)
If a third-party SAML IdP sent the session.amr SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)
Starting with version 136, Chrome no longer returned the thirdPartyBlockingEnabled signal, and users whose Device Assurance policies relied on the signal were denied access to their resources. (OKTA-927884)

Okta Integration Network

JoVE (SAML) is now available. Learn more.
Partner Element (OIDC) is now available. Learn more.

Weekly Updates

2025.5.1: Update 1 started deployment on May 19

Generally Available

On-Prem MFA agent, version 1.8.2

Version 1.8.2 of the On-Prem MFA agent is now available. This version includes security enhancements.

New filter and columns for Access Certifications reports

You can use the Campaign ID filter in the Past campaign details and Past campaign summary reports. You can find a campaign's ID from System Log events or from the URL for the campaign details page. Additionally, the following columns are available for use in the Admin Console.

Past campaign details report:
- User email
- Reviewer email
- Reviewer reassigned
Past campaign summary report:
- Campaign resource count

Fixes

Some System Log entries showed the wrong user agent operating system version for risk scoring and new device detection events. (OKTA-792841)
The Application Usage report didn't include successful RADIUS authentications. (OKTA-815504)
Some users didn't receive emails from Okta. (OKTA-826144)
When users edited an authorization server on the Security > API page, the value of the Type column on the Claims tab incorrectly wrapped to a second line. (OKTA-863707)
Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)
When users edited an authorization server on the Security > API page, some user interface elements had the wrong background color. (OKTA-893509)
Some user interface elements on the API Token page had the wrong background color. (OKTA-893608)
Some users saw an extra line at the bottom of the Identity Providers page. (OKTA-893613)
Some user interface elements had incorrect spacing on the Okta API Scopes tab of app pages. (OKTA-905018)
Email notifications for the super admin role weren't applied consistently when all admin email notification settings were selected for the role. (OKTA-906587)
Agents in an error state were properly displayed on the Agent Monitors page for their respective directory integration but weren't displayed on the Admin Dashboard. (OKTA-910056)
On the Add resource dialog, the Show more button didn't display all the resources that were already included in the resource set. (OKTA-921890)
Some Org2Org users were unable to sign in after they completed multifactor authentication. (OKTA-932258)
Some Org2Org users saw an error message after they completed multifactor authentication when Claims Sharing was enabled. (OKTA-932402)
When Okta-to-Okta claims sharing was enabled for a Classic Engine org to an Identity Engine org flow, and the State Token for All Flows feature flag was enabled in the Classic Engine org, users were prompted for MFA on the Identity Engine org when MFA had already been completed on the Classic Engine org. (OKTA-932454)
After signing in to Okta on a mobile device (either Android or iOS), opening the menu resulted in the screen flickering. (OKTA-933477)
Updating an LDAP-sourced user profile sometimes resulted in an error. (OKTA-939330)

Okta Integration Network

Attribute Dashboard (OIDC) now supports IdP-initiated SSO flows.
DX (SAML) is now available. Learn more.
Embrace (SAML) is now available. Learn more.
Merkle (OIDC) is now available. Learn more.
SAP Concur by Aquera is now available. Learn more.
SAP S/4HANA by Aquera (SCIM) is now available. Learn more.

Version: 2025.04.0

April 2025

Generally Available

Secure Identity Integrations

Secure Identity Integrations (SII) provides additional depth for the 50+ most-used enterprise SaaS applications with the inclusion of SSO, SCIM, Apps with entitlement support, Universal Logout, Workflows, and Identity Security Posture Management (ISPM).

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.2.1 and Okta Provisioning agent SDK 2.1.1 are now available. These releases contain bug fixes and minor improvements.

OIN test account information deleted after 30 days

Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.

MyAccount Management scopes

The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes .

Step-up authentication for updating policies

Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

Okta Verified text removed from the OIN

In the OIN catalog, the Okta Verified disclaimer has been removed from the app integration pages.

Early Access

Manage Active Directory accounts in Okta Privileged Access

This feature allows management of Active Directory (AD) account passwords through Okta Privileged Access using the Okta AD Agent. Admins can set discovery rules for accounts in specific organizational units (OUs) and create policies for user access, ensuring passwords are rotated upon check-in or on a schedule. Users with access can view their assigned accounts and retrieve passwords. To enable this feature, contact Okta support. See Manage Active Directory accounts

OAuth 2.0 provisioning for Org2Org with Auto-Rotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

On-prem Connector for SAP Netweaver ABAP supports more attributes

Okta On-prem Connector now supports more user attributes, which enables better integration between Okta and SAP Netweaver ABAP.

Fixes

Custom app logos didn't appear on the app's page. (OKTA-655724)
This update applied general security fixes. (OKTA-690936)
The reported results of an import varied between what was displayed when the import finished, the import summary email, and the values displayed on the Import Monitoring page. (OKTA-739010)
The MFA Factor column in the MFA Usage report displayed the name Windows Hello (Web Authentication) for the FIDO2 (WebAuthn) factor.
(OKTA-848611)
The SettingsAPI menu appeared to some admins who didn't have permission to view it. (OKTA-856337)
Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)
The Import Monitoring page was viewable by admins who didn't have the necessary permissions. Accessing the page resulted in a 403 error. (OKTA-880835)
Sometimes a Null Pointer Exception error occurred when performing a group push to Google Workspace. (OKTA-886861)
Admins couldn't disable the Trust claims from this identity provider setting. (OKTA-899883)
LDAP agents failed to parse queries when group names had special characters. (OKTA-902231)

Okta Integration Network

AppVentory (API Service) is now available. Learn more.
Curricula (SAML) has a new integration guide.
Fabrix (API Service) is now available. Learn more.
GoSearch (SCIM) now supports Group Push.
OpenAI by Aquera (SCIM) is now available. Learn more.
Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
Suger (OIDC) is now available. Learn more.
Suger (SCIM) is now available. Learn more.
Warp Employee Provisioning (API Service) is now available. Learn more.

Weekly Updates

2025.4.1: Update 1 started deployment on April 14

Generally Available

New look and feel in Access Requests

The Access Requests console and Okta Access Requests web app now have a new look and feel, including redesigned side and top navigation menus and the addition of a gray background. Additionally, Dark mode is no longer available for Access Requests.

Fixes

In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)
The Edit role screen didn't always display the correct Workflow permissions. (OKTA-886964)
Super admins saw an error when they attempted to reset a user's factors. (OKTA-890695)
The id_token_hint parameter was exposed in the System Log. (OKTA-890738)
When a user interacted with the Graph API in Azure Active Directory PowerShell, the activity was incorrectly logged in Office 365. (OKTA-896032)
Users couldn't sign in to the Office 365 GCC High OIN app if it was integrated with WS-Fed. (OKTA-899506)
On the Give access to Okta Support page, the Provide Support access for self-assigned cases section sometimes didn't display the correct cases. (OKTA-909308)
A JavaScript issue prevented users from accessing the Glory app. (OKTA-917414)

Okta Integration Network

Adroll by Aquera (SCIM) is now available. Learn more.
Hero (API Service) is now available. Learn more.
Hyperproof (SCIM) is now available. Learn more.
Microsoft Dynamics 365 BC by Aquera (SCIM) is now available. Learn more.
ZAMP (OIDC) has additional redirect URIs.

2025.4.2: Update 2 started deployment on April 21

Generally Available

Trust incidents and updates checkbox removed

On the Account page, the Admin email notifications section no longer has the Trust incidents and updates checkbox. Admins can subscribe to this communication type through https://status.okta.com.

Fixes

When users tried to sign in from outside of their permitted network zone, they saw a Contact your administrator link on the error page even though the admin disabled the link. (OKTA-874992)
Super admins couldn't update the operator for profile attribute conditions on a custom admin role. (OKTA-884966)
Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)
Desktop Multifactor Authentication (MFA) push notifications gave the wrong name for the computer's operating system. (OKTA-902839)
When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)
Some text strings in the Move user to realm page weren't translated. (OKTA-909317)
When the Unified look and feel for Okta Admin Console feature was enabled, users' names didn't always render correctly. (OKTA-909497)
Users received a 400 Bad Request error during self-service registration in preview orgs with inline hooks. (OKTA-918774)

Okta Integration Network

Adroll by Aquera (SCIM) has a new description and display name.
Files.com by Aquera (SCIM) is now available. Learn more.
Global Relay Identity Sync has a new display name.
GoTo Meeting by Aquera (SCIM) is now available. Learn more.
GroWrk (SAML) is now available. Learn more.
Helpjuice by Aquera (SCIM) is now available. Learn more.
Island Management Console (SCIM) is now available. Learn more.
OK2Pay (SAML) is now available. Learn more.

2025.4.3: Update 3 started deployment on May 5

Fixes

On the Networks page, the Add Zone button was unexpectedly available when Admin Created was selected for some environments. (OKTA-850713)
When a user was created and added to an app through group assignment, and the app had provisioning enabled, no application.user_membership.add event was logged. (OKTA-868825)
When an admin performed a protected action, they weren't prompted for authentication if they had recently signed in to Okta. (OKTA-889142)
On the End-User Dashboard, the side navigation panel didn't always reappear after a user resized their screen. (OKTA-900098)
When the Unified look and feel for Okta Admin Console feature was enabled, the headings on the Downloads page were misaligned. (OKTA-904262)
When the Unified look and feel for Okta Admin Console feature was enabled, admins couldn't edit a page or email template in full-screen mode in Customizations > Brands. (OKTA-905316)
Duplicate AD/LDAP app instances could be registered for a single domain. (OKTA-911468)
When an admin edited role notifications for the Workflows Administrator role, they saw an unresponsive dialog. (OKTA-918276)
Users received a 400 Bad Request error during self-service registration in preview orgs with inline hooks. (OKTA-918774)
When an Okta Classic Engine org was involved in a multi-org Okta-to-Okta authentication flow, and Okta-to-Okta claims sharing was enabled, the OktaAuth (SAML) and okta_auth (OIDC) claims weren't processed correctly. (OKTA-918969)
Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)
Some admins with a custom role couldn't view client secrets for apps that they had permission to view. (OKTA-893511)
Admins sometimes received an error when they tried to change the sign in and sign out redirect URIs for OIDC app integrations. (OKTA-901862)
On the Admin Dashboard, the Tasks widget sometimes displayed incorrect provisioning tasks for the Okta ISV Portal App. (OKTA-902656)
Some colors and fonts were inconsistent across the Admin Console. (OKTA-904047)
When the Username attribute had no format restrictions applied to it, multiple identifiers could be associated with and gain access through the same account. (OKTA-910103)
Users were prompted for multifactor authentication twice when they signed in to a spoke org in an Okta Org2Org scenario even though the Trust claims from this identity provider option was selected for the hub org. (OKTA-912172)

Okta Integration Network

Applixure (OIDC) is now available. Learn more.
Degreed by Aquera (SCIM) is now available. Learn more.
LinearB (SAML) is now available. Learn more.
LinearB (SCIM) is now available. Learn more.
myComply (SAML) is now available. Learn more.
Othership Workplace Scheduler (SAML) is now available. Learn more.
Othership Workplace Scheduler (SCIM) is now available. Learn more.
Pandadoc by Aquera (SCIM) is now available. Learn more.
Saleo (SCIM) is now available. Learn more.
Splunk-On-Call by Aquera (SCIM) is now available. Learn more.

Version: 2025.03.0

March 2025

Generally Available

Sign-In Widget, version 7.28.3 and 7.29.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta MFA Credential Provider for Windows, version 1.4.3

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.

Okta LDAP agent, version 5.23.0

This version of the agent includes security enhancements.

Discover inactive users and review admin access

You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.

Update to Access Certification reports availability

The Past Campaign Details and Past Campaign Summary reports are now available for campaigns that govern admin roles even if you're not subscribed to Okta Identity Governance.

Updated Japanese translations

The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.

Improved group search functionality

You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name.

Improved user search functionality

You can now search for users whose names, email addresses, or usernames contain specified text, making it easier to do user lookups and add users to groups.

Identity Security Posture Management functionality in the OIN catalog

The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.

Realms for Workforce

Realms allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Manage realms.

Granular account linking for certain identity providers is GA

When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add a SAML Identity Provider.

OIDC identity providers now support group sync

OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to. See Generic OpenID Connect.

Entitlement management for Microsoft Office 365

The Microsoft Office 365 app now supports entitlement management. See Apps with entitlement support

Early Access

Entitlement support for disconnected apps

Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New System Log event

The policy.evaluate_sign_on event has a new DebugData item: IdpVerifiedFactorMode. This new item indicates whether a user authenticated with one or two factors with their identity provider when they signed in through a service provider. See System Log.

Enhancement to a System Log event

The IdpVerifiedFactorMode item has been added to the policy.evaluate_sign_on event. It appears when claims sharing is enabled in the org and indicates whether the identity provider verified the user's authentication factors. See System Log.

New attributes in Universal Sync

The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.

Okta-to-Okta claims sharing enhancement

Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.

Fixes

Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)
The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)
The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)
Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)
An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)
Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)
When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)
Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)
The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the Settings Features menu for some customers. (OKTA-880967)
An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)
Access requests for admin role bundles weren't processed properly. (OKTA-892613)

Okta Integration Network

Better Stack (SCIM) is now available. Learn more.
Employment Hero by Aquera (SCIM) is now available. Learn more.
Harriet (OIDC) is now available. Learn more.
Harriet (SCIM) is now available. Learn more.
HYCU R-Cloud (OIDC) is now available. Learn more.
Kyriba By Aquera (SCIM) is now available. Learn more.
MySQL by Aquera (SCIM) is now available. Learn more.
ZAMP (SCIM) is now available. Learn more.
Zoom (SAML) has updated endpoints.

Weekly Updates

2025.3.1: Update 1 started deployment on March 17

Generally Available

Sign-in Widget 7.18 for Same-Device Enrollment

If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.

Fixes

createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)
Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)
In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)
Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)
The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)
Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)
Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)
The MFA enrollment by user report displayed inaccurate figures for the security question factor. (OKTA-858427)
Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)
When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)
Some users weren't able to sign in with Okta Mobile on iOS devices. (OKTA-892669)
Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)

Okta Integration Network

Better Stack (SAML) has a new integration guide.
Bundle by freee (SCIM) is now available. Learn more.
Chargebee (SAML) has a new integration guide.
Chargebee (SCIM) is now available. Learn more.
Lobbipad (SCIM) has updated help text.
Marfeel (OIDC) is now available. Learn more.
Oracle Cloud Applications by Aquera (SCIM) is now available. Learn more.

2025.3.2: Update 2 started deployment on March 24

Generally Available

Fixes

createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)
Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)
Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)
The MobilePhone target (the user phone number) wasn't present in the System Log when a telephony inline hook was used. (OKTA-849440)
The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)
AWS account federation with SWA was incompatible with the new AWS sign in page. (OKTA-856995)
When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)
In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)
Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)

Okta Integration Network

Attribute Dashboard (OIDC) is now available. Learn more.
Balsamiq (SAML) has a new app name, icon, and integration guide.
bob (SCIM, SAML) now supports sandbox environments.
Drata (OIDC) has a new icon.
Mighty ID (OIDC) is now available. Learn more.
Salesloft (SAML) is now available. Learn more.
Salesloft (SCIM) is now available. Learn more.

2025.3.3: Update 3 started deployment on March 31

Generally Available

Advanced search using conditioned profile attributes

If you have an admin role with permission conditions to access certain user profile attributes, you can now search for those users with those attributes. Note that the advanced search doesn't support the OR operator. See Permission conditions.

Fixes

The wrong data appeared in the debug data field of the policy.rule.update System Log event. (OKTA-846160)
Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)
Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)
Admins whose role had permission conditions couldn't search for users by first or last name. (OKTA-894392)
Some text was misaligned on the Password PolicyAdd rule page. (OKTA-897943)

Okta Integration Network

Akitra (OIDC) is now available. Learn more.
AppsFlyer By Aquera (SCIM) is now available. Learn more.
Braintree (SAML) is now available. Learn more.
Braintree (SCIM) is now available. Learn more.
ContentHubGPT (SAML) is now available. Learn more.
HRBrain (SAML) is now available. Learn more.
HRBrain (SCIM) is now available. Learn more.
Speeda Business Insights (OIDC) is now available. Learn more.
Speeda Startup Insights (OIDC) is now available. Learn more.