Okta Classic Engine release notes (Preview)
Version: 2025.12.0
December 2025
Generally Available
New versions of Okta Provisioning agent and SDK
Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:
- The maxItemsPerPage is now configurable to meet your specific requirements.
- Memory optimizations and other minor improvements.
Provisioning for Netskope Admin Console
Provisioning is now available for the Netskope Admin Console app integration. When you provision the app, you can enable security features like Entitlement Management. See Netskope Admin Console.
Allow profile updates for deactivated users
Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.
Seamless Admin Console navigation
When navigating to the Admin Console from the App Switcher, Admin button, or a direct URL, your active session is now reused. This reduces redundant MFA prompts and improves the navigation experience.
Updates to first-party App Switcher
Previously, you had to be an Okta admin to use the Okta first-party App Switcher. Now, non-admin users can use the App Switcher to seamlessly navigate between Okta first-party apps like ISPM, Workflows, or the Partner Admin Portal.
Okta LDAP agent, version 5.25.0
This version of the agent includes security enhancements.
Nonce rollout for Content Security Policy
Okta is removing unsafe-eval from the script-src directive of Content-Security-Policy for every endpoint that returns HTML content. These are endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the script-src directive of the Content-Security-Policy-Report-Only header; later, after any reported unsafe-eval violations are fixed, unsafe-eval is removed from the script-src directive of the enforcing Content-Security-Policy response header.
This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.
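The staged removal described above, as an added example (not Okta code): a checker that classifies an endpoint's rollout stage from its two CSP response headers and triages CSP violation reports to find the eval() instances that must be fixed before the enforcing header changes. Header and report shapes follow the CSP specification; the sample headers and reports are constructed.

```python
import json
from typing import Dict, Iterable, List, Optional, Tuple

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source tokens]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; a repeated directive keeps its first occurrence,
    matching browser behaviour."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_src_allows_eval(policy: Dict[str, List[str]]) -> bool:
    """True if eval()-style execution is permitted by the effective script-src.

    script-src falls back to default-src when absent; with neither present the
    policy does not restrict scripts at all, so eval is allowed."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-eval'" in (t.lower() for t in sources)


def rollout_stage(headers: Dict[str, str]) -> str:
    """Classify an endpoint's position in the two-stage rollout from its
    response headers (names matched case-insensitively):
      'enforced'    - unsafe-eval absent from the enforcing header (stage 2)
      'report-only' - still allowed by the enforcing header but absent from the
                      Report-Only header, so violations are reported (stage 1)
      'not-started' - unsafe-eval still allowed (or no CSP at all)"""
    lower = {k.lower(): v for k, v in headers.items()}
    enforcing = lower.get(ENFORCE)
    reporting = lower.get(REPORT_ONLY)
    if enforcing is not None and not script_src_allows_eval(parse_csp(enforcing)):
        return "enforced"
    if reporting is not None and not script_src_allows_eval(parse_csp(reporting)):
        return "report-only"
    return "not-started"


def unsafe_eval_violations(report_lines: Iterable[str]) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Pick the eval() violations out of CSP violation reports (one JSON
    document per line, as posted to a report-uri endpoint). Browsers report
    eval use with blocked-uri 'eval' against the effective script directive;
    these are the instances that must be fixed before stage 2."""
    hits = []
    for line in report_lines:
        body = json.loads(line).get("csp-report", {})
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        directive_name = (directive.split() or [""])[0]
        if body.get("blocked-uri") == "eval" and directive_name in ("script-src", "default-src"):
            hits.append((body.get("document-uri", ""), body.get("source-file"), body.get("line-number")))
    return hits


# Constructed sample responses and reports (not captured from a real org).
STAGE1_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-c0nStRuCt3d'",
    "Content-Security-Policy-Report-Only": "script-src 'self' 'nonce-c0nStRuCt3d'",
}
STAGE2_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-c0nStRuCt3d'",
}
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/app", "effective-directive": "script-src",'
    ' "blocked-uri": "eval", "source-file": "https://example.test/vendor.js", "line-number": 17}}',
    '{"csp-report": {"document-uri": "https://example.test/app", "violated-directive": "img-src \'self\'",'
    ' "blocked-uri": "https://cdn.example.test/logo.png"}}',
]

if __name__ == "__main__":
    print(rollout_stage(STAGE1_HEADERS), rollout_stage(STAGE2_HEADERS))
    print(unsafe_eval_violations(SAMPLE_REPORTS))
```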
LDAP Bidirectional Group Management
Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.
Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.
More granular maximum clock skew options for LDAP incremental imports
More granular maximum clock skew intervals for LDAP incremental imports have been added to allow for better tuning and improved performance. You can now configure the clock skew to 1, 2, 5, or 10 minutes. This granularity helps you improve import speed by using a clock skew value closer to the actual maximum clock drift of your LDAP server. It also prevents missed updates when the server's clock temporarily moves backward, which ensures data accuracy.
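An added model (not Okta's import code) of the trade-off this paragraph describes. It assumes the usual incremental-import pattern of fetching entries whose modifyTimestamp is at or after the previous import time minus the configured skew; the sample entries and the clock step-back are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SKEW_OPTIONS_MINUTES = (1, 2, 5, 10)  # the values the release notes offer


@dataclass(frozen=True)
class Entry:
    dn: str
    modify_timestamp: datetime        # stamped by the LDAP server's own clock
    changed_since_last_import: bool   # ground truth, used only to score the filter


def incremental_filter(entries: List[Entry], watermark: datetime, skew_minutes: int) -> List[Entry]:
    """Entries an incremental import would fetch: modifyTimestamp >= watermark - skew."""
    cutoff = watermark - timedelta(minutes=skew_minutes)
    return [e for e in entries if e.modify_timestamp >= cutoff]


def score(entries: List[Entry], watermark: datetime, skew_minutes: int) -> Tuple[int, int]:
    """(missed real changes, unchanged entries re-fetched) for one skew value.

    Missed changes mean stale data in Okta; re-fetched entries are wasted work
    that slows the import, which is why a skew close to the real drift is best."""
    fetched = incremental_filter(entries, watermark, skew_minutes)
    fetched_dns = {e.dn for e in fetched}
    missed = sum(1 for e in entries if e.changed_since_last_import and e.dn not in fetched_dns)
    wasted = sum(1 for e in fetched if not e.changed_since_last_import)
    return missed, wasted


# Constructed sample. The last import ran at 12:00 by the server's clock. Shortly
# afterwards the server's clock stepped back about 3 minutes (a time correction),
# so a user edited at 12:01 real time was stamped 11:58 by the server.
WATERMARK = datetime(2025, 12, 1, 12, 0)
SAMPLE_ENTRIES: List[Entry] = [
    Entry("uid=alice", datetime(2025, 12, 1, 12, 4), True),    # normal change after the watermark
    Entry("uid=bob", datetime(2025, 12, 1, 11, 58), True),     # stamped during the clock step-back
    Entry("uid=carol", datetime(2025, 12, 1, 11, 59), False),  # unchanged, just before the watermark
    Entry("uid=dave", datetime(2025, 12, 1, 11, 52), False),   # unchanged, 8 minutes before
    Entry("uid=erin", datetime(2025, 12, 1, 11, 30), False),   # unchanged, old
]


def compare_skews(entries: List[Entry] = SAMPLE_ENTRIES,
                  watermark: datetime = WATERMARK) -> Dict[int, Tuple[int, int]]:
    """Map skew minutes -> (missed, wasted), including skew 0 as the baseline."""
    return {s: score(entries, watermark, s) for s in (0,) + SKEW_OPTIONS_MINUTES}


if __name__ == "__main__":
    for skew, (missed, wasted) in compare_skews().items():
        print(f"skew={skew:2d} min  missed updates={missed}  unchanged entries re-fetched={wasted}")
```

With this sample, skew 0 and 1 miss bob's update, skew 2 or 5 catch it while re-fetching only carol, and skew 10 also re-fetches dave for no gain.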
Escalate tasks
Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.
See Manage tasks and Allow requesters to escalate tasks.
This feature is generally available in Preview environments and is an Early Access release for Production environments.
Changes to preview user functionality
On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.
New Admin Console search logic
The spotlight search now uses "contains" logic, returning matches from any part of a search instead of only the beginning. This helps admins find results quicker and more easily. See Admin Console search.
Workday now supports Entitlement Management
Entitlement Management with Workday enables support for governing Workday User-based Security Groups. With provisioning and Entitlement Management enabled, Okta can govern, certify, and assign Workday User-based Security Groups. Through imports, Okta discovers User-based Security Groups from Workday and current assignments for users. All entitlement capabilities such as policies, SOD rules, bundles, and time-bound requests are then supported for Workday User-based Security Groups. See Entitlement Management.
Anything-as-a-Source for groups and group memberships
Anything-as-a-Source (XaaS) capabilities allow customers to use a custom identity source with Okta. With XaaS, customers can source entities such as users into Okta's Universal Directory by connecting a custom HR app or a custom database.
This release offers XaaS capabilities with groups and group memberships, allowing customers to start sourcing groups with XaaS. Okta now enables creating and updating users, creating and updating groups, and managing group memberships in Okta's Universal Directory from any identity source using XaaS APIs. See Anything-as-a-Source.
JSON Web Encryption of OIDC ID tokens
You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.
Unified claims generation for custom apps
Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.
New System Log objects for security.request.blocked events
The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:
- Operator: indicates whether the type is VPN or Proxy
- Type: includes values like VPN, Proxy, and Tor
- IsAnonymous: indicates if the proxy is anonymous
These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.
Improved realm picker access
The realm picker now automatically filters the list to display only the realms that the admin can access, showing up to five.
System Log updates for security.request.blocked events
When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.
Early Access
SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
Governance for Workflows now available in EA
You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.
Breached credentials protection
Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.
Breached credentials protection is now available for Federal customers.
Enable custom admin roles for inline and event hooks
The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.
Fixes
- Imports sometimes failed during the user match stage. This happened because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)
- Group push sometimes failed during deployments. (OKTA-941489)
- The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)
- When admins created a linked group, no description was displayed. (OKTA-996729)
- When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)
- A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)
- The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)
- Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)
- When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)
- Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)
- Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)
- DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)
- The state of the Include Groups in RADIUS response checkbox didn't update correctly when RADIUS agents were configured to send multiple group response attributes. (OKTA-1060165)
- There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)
- Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)
Okta Integration Network
- Svix (OIDC) is now available. Learn more.
- OpenPolicy (SCIM) is now available. Learn more.
- Coalition Control has a new integration guide.
- Practising Law Institute (SWA) was updated. (OKTA-1063963)
- Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.
- Svix now supports Universal Logout.
- Harmony SASE (SCIM) has been updated with new regions.
Preview Features
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Content security policy enforcement on end-user pages
Content security policy is now enforced for end-user pages on orgs with custom domains on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan for future iterations of our Content Security Policy enforcement for end-user pages to become stricter than this first release.
This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints:
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.
User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.
Null values for SCIM provisioning
You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
LDAP password reset option
You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.
Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released; it was previously released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
You can now filter the People page by user type. See Universal Directory custom user types known issues.
UI element change
Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision apps.
Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.