Update Salesforce Provisioning Applications to Support PKCE
Overview
NOTE: This article applies only to customers who use the Okta Salesforce integration for User Provisioning via the REST API (OAuth) using Connected Apps. If you only use Okta for Salesforce Single Sign-On (SAML) and do not use Okta to provision or update user profiles, no action is required.
Okta is also updating the Workflows Salesforce Connector for production 2026.06.0 to reflect these changes. Flows that run infrequently may experience an OAuth refresh error. If this happens, re-authenticate the connection.
The update is available in Preview environments as of June 9th, 2026, and Production environments as of June 11th, 2026. Customers can begin migrating their connections to ensure uninterrupted provisioning.
Okta strives to deliver the most secure integrations for our customers. To this end, Okta is introducing a stronger, more resilient way to manage Salesforce lifecycle provisioning by natively supporting the Proof Key for Code Exchange (PKCE) extension. This change aligns with Salesforce’s platform-wide mandate requiring all Independent Software Vendor (ISV) applications to enable PKCE for connected apps, effectively eliminating the risk of Authorization Code Interception attacks.
Applies To
- Okta Salesforce integration for User Provisioning via the REST API (OAuth)
- Workflows Salesforce Connector
Solution
Important Dates to Note:
- Action Required: Okta has updated the Salesforce integration connector to fully support the PKCE handshake. Customers can begin migrating their connections to ensure uninterrupted provisioning.
- Salesforce Enforcement Date (Extended to June 25, 2026): Salesforce will begin strictly enforcing the PKCE requirement across all commercial and government environments. If you do not act by this date, your REST API provisioning integration will fail, halting all user creation, updates, and deactivations from Okta to Salesforce.
To take advantage of this upgraded integration and prevent service disruption, customers who use the REST API for Salesforce User Provisioning must follow the required actions outlined below to migrate their applications. For the Workflows Salesforce Connector, flows that run infrequently may experience an OAuth refresh error. If this happens, re-authenticate the connection.
Prerequisites
- An active Salesforce app integration in Okta that uses the REST API for User Provisioning.
- An App Administrator or Super Administrator role in Okta to modify the application's provisioning settings.
- A Salesforce System Administrator credential to update the Connected App settings within your Salesforce org.
Update Salesforce Provisioning to Support PKCE
This migration requires actions in both your Salesforce environment and your Okta Admin Console.
Step 1: Update the Connected App in Salesforce
- Log in to your Salesforce environment as a System Administrator.
- Navigate to Setup (the gear icon in the top right).
- In the Quick Find box, type App Manager and select it.
- Locate the Connected App you created for Okta provisioning. Click the drop-down arrow next to it and select Edit.
- Under the API (Enable OAuth Settings) section, locate and check the box for Require Proof Key for Code Exchange (PKCE) Extension.
- Click Save.
Step 2: Re-authenticate the Integration in Okta
- In the Okta Admin Console, go to Applications > Applications.
- Select your Salesforce application.
- Click the Provisioning tab, and then select Integration from the left-hand Settings menu.
- Click Edit.
- Select the PKCE Enabled checkbox.
- Click the Re-authenticate with Salesforce.com button.
- A new Salesforce window will open. Enter your Salesforce System Administrator credentials and click Allow to provide consent for the new PKCE-compliant OAuth flow.
- Return to the Okta Admin Console and click Save.
