Okta Classic Engine release notes (Production)

Generally Available

Version: 2026.05.0

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage
Add access request condition descriptions
You can now add descriptions to access request conditions for apps, collections, and Okta admin role bundles. These descriptions appear alongside the condition's name on the Access Requests tab, making it easier for you to understand the specific purpose of each condition. See Create access request conditions.
System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

Early Access

Fixes

  • After deactivating an AD Agent, an incorrect format of the version for the agent was displayed. (OKTA-1117122)

  • The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

  • Manual remediation was required when reviewers revoked a user’s access to Active Directory-source groups in a campaign. (OKTA-1167090)

Okta Integration Network

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Conduit Security (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • Matik (SCIM) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Yunu (OIDC) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Console (OIDC) has a new app description.

  • Sastrufy has a new app name and a new configuration guide.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • Matik (Basic Auth) was updated.

  • Metlife MyBenefits (SWA) was updated.

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

2026.05.1: Update 1 started deployment on May 18

Fixes

  • When a refresh token failure or revocation event was logged in the System Log, an incomplete version of the refresh token hash appeared in the event's target.detailEntry. (OKTA-1145851)

  • The List all profile mappings API sometimes returned an error if the request didn't include the sourceId or targetID parameters. (OKTA-1153229)

  • In the Admin Console, status site links for some cells pointed to an incorrect status page. (OKTA-1158204)

  • The Manage Event Hooks permission didn't allow an admin or service app to create an event hook. (OKTA-1162004)

  • The debugContext.isSelfInitiated field was missing from System Log entries for user.account.update_password events. (OKTA-1166403)

  • When an authentication error occurred, the Sign-In Widget displayed an SQL error message instead of a helpful one. (OKTA-1168939)

  • When an admin viewed the Preview pane for Custom Admin Roles, some labels for identity permissions were displayed incorrectly. (OKTA-1168945)

Okta Integration Network

  • Butterfly Security (OIDC) is now available. Learn more.

  • Butterfly Security (SCIM) is now available. Learn more.

  • Cimento AI (SAML) is now available. Learn more.

  • Cimento AI (SCIM) is now available. Learn more.

  • Redblock AI (SAML) is now available. Learn more.

  • Scribble Maps (OIDC) is now available. Learn more.

  • Scribble Maps (SAML) is now available. Learn more.

  • Scribble Maps (SCIM) is now available. Learn more.

  • Stripe (SCIM) is now available. Learn more.

  • Common Room (SCIM) now supports Group Push.

  • Rubrik Security Cloud now supports the following scopes:

    • okta.authorizationServers.manage
    • okta.authorizationServers.read
    • okta.idps.manage
    • okta.idps.read
    • okta.networkZones.manage
    • okta.networkZones.read

  • Wrike (SCIM) now supports Group Push.

  • Check Point SASE (SCIM) has been updated with new regions.

  • Dokio (SCIM) has a new API and configuration guide.

  • Harmony SASE (SAML) has a new icon, display name, and description. Learn more.

  • Stripe has a new configuration guide. Learn more.

  • Augment Code (OIDC) was updated.

2026.05.2: Update 2 started deployment on May 26

Fixes

  • Read-only admins could refresh app groups for apps that support Group Push. (OKTA-1114983)

  • The System Log displayed duplicate Push user deactivation to external application events for SAML apps with SCIM provisioning. (OKTA-1124966)

  • Some deactivated users retained the Deactivating status and couldn't be modified in the Admin Console or through the API. (OKTA-1138239)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

  • When group rule evaluations failed, the System Log displayed exception messages and SQL queries. (OKTA-1177889)

Okta Integration Network

  • Butterfly Security (API Service) is now available. Learn more.

  • Gatekeeper (SCIM) is now available. Learn more.

  • Icite (API Service) now has the okta.roles.read scope.