<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

Update Salesforce Provisioning Applications to Support PKCE

Okta Integration Network
Okta Classic Engine
Okta Identity Engine
All Engines

Overview

NOTE: This article applies only to customers who use the Okta Salesforce integration for User Provisioning via the REST API (OAuth) using Connected Apps. If you only use Okta for Salesforce Single Sign-On (SAML) and do not use Okta to provision or update user profiles, no action is required. If you are using a custom SCIM-based application for Salesforce provisioning, refer to our Salesforce Integration Guide to migrate to the Salesforce OIN application before July 10, 2026.

Okta is also updating the Workflows Salesforce Connector for production 2026.06.0 to reflect these changes. Flows that are run infrequently may experience an OAuth refresh error. If this happens, then please re-auth the connection..

 

The update is available in Preview environments as of June 9th, 2026, and Production environments as of June 11th, 2026. Customers can begin migrating their connections to ensure uninterrupted provisioning.


Okta strives to deliver the most secure integrations for our customers. To this end, Okta is introducing a stronger, more resilient way to manage Salesforce lifecycle provisioning by natively supporting the Proof Key for Code Exchange (PKCE) extension. This change aligns with Salesforce’s platform-wide mandate requiring all Independent Software Vendor (ISV) applications to enable PKCE for connected apps, effectively eliminating the risk of Authorization Code Interception attacks.

Applies To

  • Okta Salesforce integration for User Provisioning via the REST API (OAuth)
  • Workflow Salesforce Connector

Solution

Important Dates to Note:

    • Action Recommended: Okta has updated the Salesforce integration connector to fully support the PKCE handshake. Customers can begin migrating their connections to ensure a more secure framework.

    • Salesforce Enforcement Date (Extended to July 10, 2026): Salesforce will begin strictly enforcing the PKCE requirement across all commercial and government environments. After further investigation with Salesforce, we DO NOT expect the upcoming enforcement to disrupt customers’ existing REST API integrations. User creations, updates, and deactivations from Okta should continue running as expected.

     

    To follow best security practices, Okta strongly recommends customers leverage the updated integration and updating the Salesforce Connected App settings. Okta has updated the Salesforce integration connector to fully support the PKCE handshake as of June 9 in Preview and June 11 in Production.



Prerequisites

  • An active Salesforce app integration in Okta that uses the REST API for User Provisioning.
  • An App Administrator or Super Administrator role in Okta to modify the application's provisioning settings.
  • A Salesforce System Administrator credential to update the Connected App settings within your Salesforce org.

 

Update Salesforce Provisioning to Support PKCE

This migration requires actions in both your Salesforce environment and your Okta Admin Console.

 

Step 1: Update the Connected App in Salesforce

  1. Log in to your Salesforce environment as a System Administrator.
  2. Navigate to Setup (the gear icon in the top right).
  3. In the Quick Find box, type App Manager and select it.
  4. Locate the Connected App you created for Okta provisioning. Click the drop-down arrow next to it and select Edit.
  5. Under the API (Enable OAuth Settings) section, locate and check the box for Require Proof Key for Code Exchange (PKCE) Extension.
  6. Click Save.

 

Step 2: Re-authenticate the Integration in Okta

  1. In the Okta Admin Console, go to Applications > Applications.
  2. Select your Salesforce application.
  3. Click the Provisioning tab, and then select Integration from the left-hand Settings menu.
  4. Click Edit.
  5. Select the PKCE Enabled checkbox. 
  6. Click the Re-authenticate with Salesforce.com button.
  7. A new Salesforce window will open. Enter your Salesforce System Administrator credentials and click Allow to provide consent for the new PKCE-compliant OAuth flow.
  8. Return to the Okta Admin Console and click Save.

 

Loading
Okta Support - Update Salesforce Provisioning Applications to Support PKCE