okta · vanngo-okta · Jun 10, 2026 · Jun 11, 2026 · Jun 11, 2026 · Jun 12, 2026
@@ -6,7 +6,7 @@ meta:
 layout: Guides
 ---
 
-Learn how to submit an integration with SSO, Universal Logout, provisioning, entitlement management, or API service capabilities to the Okta Integration Network (OIN) using the OIN Wizard.
+Learn how to submit an integration with SSO, Universal Logout, provisioning, Entitlement Management, or API service capabilities to the Okta Integration Network (OIN) using the OIN Wizard.
 
 ---
 
@@ -228,7 +228,7 @@ The **Application instances for testing** section displays, by default, the inst
 
 An instance is eligible if it was generated from the latest version of the integration submission in the OIN Wizard. An instance is ineligible if it was generated from a previous version of the integration submission and you later made edits to the submission. This is to ensure that you test your integration based on the latest submission details.
 
-If you modify a published OIN integration, you must generate an instance based on the currently published integration for backward compatibility testing. A backward-compatible instance is eligible if it was generated from the published version of the integration before any edits are made in the current submission. The OIN Wizard detects if you're modifying a published OIN integration and asks you to generate a backward-compatible instance before you make any edits.
+If you modify a published OIN integration, you must generate an instance based on the currently published integration for backwards compatibility testing. A backward-compatible instance is eligible if it was generated from the published version of the integration before any edits are made in the current submission. The OIN Wizard detects if you're modifying a published OIN integration and asks you to generate a backward-compatible instance before you make any edits.
 
 > **Note:** The Integrator Free Plan org has no limit on active instances. You can create as many test instances as needed for your integration. To deactivate any instances you no longer need, see [Deactivate an app instance in your org](#deactivate-an-app-instance-in-your-org).
 

@@ -1,2 +1,5 @@
    * For an SSO integration, test the required flows in the [OIN Submission Tester](#oin-submission-tester) with your generated test instance. Fix any test failures from the OIN Submission Tester, then regenerate the test instance (if necessary) and retest.
-   * For a Universal Logout integration, test the logout flow manually. See [Test your Universal Logout integration](#test-your-universal-logout-integration).
+
+   * For a Universal Logout integration, test the logout flow manually. See [Test your Universal Logout integration](#test-your-universal-logout-integration).
+
+  * In addition to testing your provisioning flows in the Integration Builder, Okta also provides a test plan for you to functionally test your provisioning flow through the Admin Console and End-User Dashboard. See [Test API integration action provisioning](#test-api-integration-action-provisioning).
@@ -4,9 +4,9 @@
 > * This section appears only if you select **Universal Logout** with API Integration Actions.
 > * Universal Logout is only supported with SSO integrations.
 > * If you want instructions for SSO integrations, select **OpenID Connect** or **SAML 2.0** from the **Instructions for** dropdown list on the right.
-> * For integrations that include API Integration Actions, always access the OIN Wizard through the **Application** > **Your OIN Integrations** path in the Admin Console.
+> * For integrations that include API actions, always access the OIN Wizard through the **Application** > **Your OIN Integrations** path in the Admin Console.
 
-1. Specify the following properties for Universal Logout with API Integration Actions:
+1. Specify the following properties for Universal Logout:
 
     | <div style="width:150px">Property</div> | Description  |
     | ----------------- | ------------ |

@@ -6,23 +6,23 @@ meta:
 layout: Guides
 ---
 
-Learn how to submit an OIDC, SAML 2.0, SCIM 2.0, Universal Logout, or API service integration to the Okta Integration Network (OIN) using the OIN Wizard.
+Learn how to update an existing integration with SSO, Universal Logout, provisioning, Entitlement Management, or API service capabilities in the Okta Integration Network (OIN) using the OIN Wizard.
 
 ---
 
 #### What you need
 
-* A published OIDC, SAML 2.0, SCIM, or API service integration in the OIN.
+* A published OIDC, SAML 2.0, SCIM, API Integration Action, or API service integration in the OIN.
 * The [Okta Integrator Free Plan org](https://developer.okta.com/signup/) from where you originally submitted your published integration. The OIN Wizard is only available in Integrator Free Plan orgs.
 * An admin user in the Integrator Free Plan org with either the super admin or the app and org admin roles.
 
 ---
 
 ## Overview
 
-If you have a published Single Sign-On (SSO), lifecycle management, or API service integration in the [OIN catalog](https://www.okta.com/integrations/), you can update and resubmit it with the OIN Wizard.
+If you have a published Single Sign-On (SSO), lifecycle management, provisioning, Entitlement Management, or API service integration in the [OIN catalog](https://www.okta.com/integrations/), you can update and resubmit it with the OIN Wizard.
 
-The OIN Wizard currently supports updates for integrations that use the following protocols:
+The OIN Wizard currently supports updates for integrations that use the following protocols or tools:
 
 * [OpenID Connect (OIDC)](https://openid.net/connect/)
 
@@ -36,38 +36,28 @@ The OIN Wizard currently supports updates for integrations that use the followin
 
 * [API service integration](/docs/guides/oin-api-service-overview/)
 
+* [API Integration Actions](/docs/guides/oin-api-actions/)
+
 > **Note:** You can use the [OIN Wizard](/docs/guides/update-oin-app/) to update OIDC, SAML 2.0, SCIM 2.0, and API service integrations that were originally submitted through the [OIN Manager](/docs/guides/submit-app/).
 
-When you edit a published OIN integration, you need to test the flows for the updated version and the published version for backwards compatibility. The integration version that was previously installed in your customer's org isn't modified with the updated version from the OIN catalog. Testing the published version for backwards compatibility ensures that your integration still works for customers who have already installed it. See [Update integration considerations](#update-integration-considerations) before you edit your published integration.
+When you edit a published OIN integration, you need to test the flows for the updated version and the published version for backwards compatibility. The integration version that was previously installed in your customer's org won't contain new settings from the updated version. Testing the published version for backwards compatibility ensures that your integration still works for customers who have already installed it. See [Update integration considerations](#update-integration-considerations) before you edit your published integration.
 
 After you successfully test the updated and published versions of your integration, resubmit your integration to the OIN team. Your integration goes through a [submission review process](/docs/guides/submit-app-overview/#understand-the-submission-review-process) before the updated version is published in the OIN catalog.
 
 ## Update integration considerations
 
-For published integrations that were migrated from the OIN Manager, if you need to update configured properties that aren't available in the OIN Wizard, contact <oin@okta.com>.
-
 > **Note:** Some considerations on this page are specifically for the **<StackSnippet snippet="protocol-name" inline/>** . <br>
 > If you want to change the instructions that you see on this page, select a different option from the **Instructions for** dropdown list.
 
-<StackSnippet snippet="considerations" />
-
-* When you update an integration that's already published, be mindful to preserve backwards compatibility for your integration. Older instances of your integration could be in use by Okta customers.
-
-    * If you modify the **Name** (`name`) property of your [tenant settings](/docs/guides/submit-oin-app/openidconnect/main/#tenant-settings), Okta removes the original variable and creates a variable with your updated name. This action negatively impacts your existing customers if you use the original variable in your integration dynamic properties.
+When you update an integration that's already published, be mindful to preserve backwards compatibility for customer that have installed your integration before your latest update.
 
-    * Migrated published integrations from the OIN Manager don't have some OIN Wizard restrictions. For instance:
+* If you modify the **Name** (`name`) property of your [tenant settings](/docs/guides/submit-oin-app/openidconnect/main/#tenant-settings), Okta removes the original variable and creates a variable with your updated name. This action negatively impacts your existing customers if you use the original variable in your integration dynamic properties.
 
-        * Published integrations can have more than three integration variables
-        * Published integrations can have variable names with uppercase letters
-        * Published integrations can use `http` (instead of enforced `https`) in URLs and Expression Language-supported properties
+* If your update introduces new variables and you're using dynamic URLs, ensure that your tests cover various scenarios with different possible values for those variables. The newly introduced variables aren't populated for older instances of your integration.
 
-    * If your update introduces new variables and you're using dynamic URLs, ensure that your tests cover various scenarios with different possible values for those variables. The newly introduced variables aren't populated for older instances of your integration.
+    <StackSnippet snippet="backward-compatible-eg" />
 
-        For example:
-
-       <StackSnippet snippet="backward-compatible-eg" />
-
-    * Entitlement Management is only supported for SCIM-based provisioning.
+<StackSnippet snippet="considerations" />
 
 ## Update your integration
 
@@ -91,8 +81,8 @@ To update a previously published OIN integration:
     <StackSnippet snippet="detect-old-instance" />
 
 1. Click **Add integration details**. The **OIN catalog properties** page appears.
-1. Update [OIN catalog properties](/docs/guides/submit-oin-app/openidconnect/main/#oin-catalog-properties) as required for your integration.
-1. Click **Configure your integration** to proceed to update your integration as required in the following sections of the OIN Wizard:
+
+1. Proceed to update your integration as required in the following sections of the OIN Wizard:
 
    <StackSnippet snippet="edit-links" />
 
@@ -107,7 +97,7 @@ The OIN Wizard journey includes the **Test integration** experience page to help
 
 See [Submit your updated integration](#submit-your-updates) after all required tests are successful.
 
-> **Note:** Test steps on this page are specifically for the **<StackSnippet snippet="protocol-name" inline/>** . <br>
+> **Note:** Test steps on this page are specifically for the **<StackSnippet snippet="protocol-name" inline/>**. <br>
 > If you want to change the instructions that you see on this page, select a different option from the **Instructions for** dropdown list.
 
 ### Generate instances for testing

@@ -1,3 +1,5 @@
+   For example:
+
    Your integration update introduced a new variable (`companyId`), and you use it in your updated redirect URL. The redirect URL changed from `https://login.myapp.io` to `https://login.myapp.io?connection={app.companyId}`. In this case, ensure that the dynamic redirect URL is also valid for existing instances where the `companyId` value isn't set.
 
    To handle empty `companyId` values, you can define the redirect URL as follows:

@@ -0,0 +1,11 @@
+* You can add Entitlement Management capabilities only if your integration also supports provisioning.
+
+* The API service capability is mutually exclusive of other capabilities in a submission. If you selected the SSO capability, you can't select the API service capability.
+
+* For migrated integrations from the OIN Manager, if you need to update configured properties that aren't available in the OIN Wizard, contact <oin@okta.com>.
+
+* Migrated published integrations from the OIN Manager don't have some OIN Wizard restrictions. For instance:
+
+    * Published integrations can have more than three integration variables
+    * Published integrations can have variable names with uppercase letters
+    * Published integrations can use `http` (instead of enforced `https`) in URLs and Expression Language-supported properties
@@ -2,4 +2,4 @@
 
   1. Click **Generate instance** to create an app instance based on your published OIN integration. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backward-compatibility testing.
 
-* If the OIN Wizard detects an instance based on your published integration, the **Application instance not detected** dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backward compatibility testing.
+* If the OIN Wizard detects an instance based on your published integration, the **Application instance not detected** dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backwards compatibility testing.
@@ -1,6 +1,6 @@
+* [OIN catalog properties](/docs/guides/submit-oin-app/openidconnect/main/#oin-catalog-properties)
 * [Tenant settings](/docs/guides/submit-oin-app/openidconnect/main/#tenant-settings)
-   > **Note:** See [Update integration considerations](#update-integration-considerations) for backwards compatibility with integration variables.
+   > **Note:** See [Update integration considerations](#update-integration-considerations) for backwards compatibility with updated tenant settings.
 * [OIDC properties](/docs/guides/submit-oin-app/openidconnect/main/#properties)
-   > **Note:** The API service capability is mutually exclusive of other capabilities in a submission. If you select the API service capability, you can't select any other capability, such as SSO or provisioning. Similarly, if you select another capability, the API service option is unavailable.
 * [Universal Logout properties](/docs/guides/submit-oin-app/openidconnect/main/#universal-logout-properties)
 * [Enter test information](/docs/guides/submit-oin-app/openidconnect/main/#enter-test-information)
@@ -8,4 +8,4 @@ The **Required app instances** section shows you the instances detected in your
 > **Notes:**
 > * Generate separate instances for testing if you support two SSO protocols (one for OIDC and one for SAML). The OIN Submission Tester can only test one protocol per instance.
 > * For Universal Logout integration, you can use the same instance that you created for SSO protocol testing.
-> * You should already have an instance of your published integration for backward compatibility testing. If you don't have a published-version instance, exit the OIN Wizard and create the OIN-published instance. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backward compatibility testing.
+> * You should already have an instance of your published integration for backwards compatibility testing. If you don't have a published-version instance, exit the OIN Wizard and create the OIN-published instance. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backwards compatibility testing.
@@ -1,3 +1,5 @@
+   For example:
+
    Your integration update introduced a new variable (`companyId`), and you use it in your updated ACS URL. The ACS URL changed from `https://login.myapp.io` to `https://login.myapp.io?connection=${org.companyId}`. In this case, ensure that the dynamic ACS URL is also valid for existing instances where the `companyId` value isn't set.
 
    To handle empty `companyId` values, you can define the ACS URL as:

@@ -0,0 +1,11 @@
+* You can add Entitlement Management capabilities only if your integration also supports provisioning.
+
+* The API service capability is mutually exclusive of other capabilities in a submission. If you selected the SSO capability, you can't select the API service capability.
+
+* For migrated integrations from the OIN Manager, if you need to update configured properties that aren't available in the OIN Wizard, contact <oin@okta.com>.
+
+* Migrated published integrations from the OIN Manager don't have some OIN Wizard restrictions. For instance:
+
+    * Published integrations can have more than three integration variables
+    * Published integrations can have variable names with uppercase letters
+    * Published integrations can use `http` (instead of enforced `https`) in URLs and Expression Language-supported properties
@@ -1,5 +1,5 @@
 * For SSO integrations, if the OIN Wizard doesn't detect an instance to test your published integration, an **Application instance not detected** dialog appears.
 
-  1. Click **Generate instance** to create an app instance based on your published OIN integration. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backward compatibility testing.
+  1. Click **Generate instance** to create an app instance based on your published OIN integration. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backwards compatibility testing.
 
-* If the OIN Wizard detects an instance based on your published integration, the **Application instance not detected** dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backward compatibility testing.
+* If the OIN Wizard detects an instance based on your published integration, the **Application instance not detected** dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backwards compatibility testing.
@@ -1,6 +1,6 @@
+* [OIN catalog properties](/docs/guides/submit-oin-app/saml2/main/#oin-catalog-properties)
 * [Tenant settings](/docs/guides/submit-oin-app/saml2/main/#tenant-settings)
-   > **Note:** See [Update integration considerations](#update-integration-considerations) for backward compatibility with integration variables.
+   > **Note:** See [Update integration considerations](#update-integration-considerations) for backwards compatibility with updated tenant settings.
 * [SAML 2.0 properties](/docs/guides/submit-oin-app/saml2/main/#properties)
-   > **Note:** The API service capability is mutually exclusive of other capabilities in a submission. If you select the API service capability, you can't select any other capability, such as SSO or provisioning. Similarly, if you select another capability, the API service option is unavailable.
 * [Universal Logout properties](/docs/guides/submit-oin-app/openidconnect/main/#universal-logout-properties)
-* [Test information](/docs/guides/submit-oin-app/saml2/main/#enter-test-information)
+* [Enter test information](/docs/guides/submit-oin-app/saml2/main/#enter-test-information)
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		1. Click Generate instance to create an app instance based on your published OIN integration. See [Add existing app integrations](https://help.okta.com/okta_help.htm?type=oie&id=csh-apps-add-app) to create an OIN-published instance for backward-compatibility testing.

		* If the OIN Wizard detects an instance based on your published integration, the Application instance not detected dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backward compatibility testing.
		* If the OIN Wizard detects an instance based on your published integration, the Application instance not detected dialog doesn't appear. This is usually the case if you tested and submitted your published integration from the same org. You can use that existing published-version instance for backwards compatibility testing.