Okta Classic Engine release notes (Production)

February
January
December

Version: 2026.02.0

February 2026

Generally Available

Okta Mobile End of Life

The Okta Mobile app will transition to End of Life (EOL) status on May 31, 2026.

After this deprecation date, Okta Mobile will not receive any further security updates, bug fixes, or support. The app will no longer be available for download through the Apple App Store or the Google Play Store.

Okta previously announced the End of Support for Okta Mobile, effective November 1, 2025.

See Okta Mobile End of Life for available migration solutions.

Group push for Zoho Mail

Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

Okta Provisioning agent, version 3.0.7

Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

The Generic Database Connector now supports Base64 encoded path parameters.
Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

Access revoked notifications

For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

Admin Console French translation

Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

Agents page description

The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

Protected action notifications removed

For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.

LDAP Bidirectional Group Management

Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.

Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.

Radius Agent version 2.26

This version includes internal improvements and fixes.

WS-Trust 1.3 support for Windows Transport

Windows Transport now supports WS-Trust 1.3 protocol. This enables Silent Activation for newer Microsoft Office clients, eliminating the need for users to manually enter their credentials.

Early Access

On-premises connector for Generic Databases

The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

Fixes

When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)
Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)
When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)
When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)
The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

Okta Integration Network

Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.
HashiCorp Vault (OIDC) is now available. Learn more.
Instagram (SWA) was updated.
Mailchimp (SWA) was updated.
Solarwinds Customer Portal (SWA) was updated.
Peaxy Lifecycle Intelligence (OIDC) has a new app name.

Version: 2026.01.0

January 2026

Generally Available

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

New look and feel in the Access Requests email notifications

The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

Escalate tasks is generally available in Production environments

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

OAuth 2.0 scopes automatically assigned to API integrations

Now when you add an API integration to your org, Okta automatically assigns the required OAuth 2.0 scopes to the app.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

The View Setup Instructions button has been relocated to optimize the visual layout.
A new display option has been added to visualize parent and child domain relationships.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Early Access

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Fixes

The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)
In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)
Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)
In some orgs, resource access policy rules didn't take effect immediately after being updated. (OKTA-1071402)
Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)
When an admin provisioned an LDAP user with a LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)
JIT users were redirected to a SP before app assignments were completed, causing an access denied error. (OKTA-1061698)
In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)
Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)
In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)
When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

Okta Integration Network

Dokio (SCIM) is now available. Learn more.
Kuranosuke (SAML) is now available. Learn more.
LINE WORKS (SCIM) is now available. Learn more.
SciLeads Portal (OIDC) is now available. Learn more.
SciLeads Portal (SCIM) is now available. Learn more.
ShareCal (SCIM) is now available. Learn more.
ShareCal (SAML) was updated with a new logo.
Humana Military (SWA) was updated.
Xint (OIDC) added new IDP flow.
cmBuilder(OIDC) has a new Redirect URI and a new Post Logout Redirect URI Learn more.
Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

Weekly Updates

2026.01.1: Update 1 started deployment on January 20

Generally Available

New IP service category

FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

Fixes

In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)
When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)
When an admin updated the agent pool, an error occurred if the agentType was missing. (OKTA-1071106)
When an admin reactivated a user through an Active Directory import, the System Log didn't record the event. (OKTA-1071233)
When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)
For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI. (OKTA-1096668)

Okta Integration Network

Seismic (SCIM) is now available. Learn more .
OX Security (OIDC) is now available. Learn more .
Skedda (SCIM) is now available. Learn more .
Jotform (SCIM) is now available. Learn more .
Planhat (SCIM) is now available. Learn more .
Safety AZ (OIDC) is now available. Learn more .
Exabeam (SAML) is now available. Learn more .
101domain (OIDC) is now available. Learn more .
OX Security (OIDC) now supports Universal Logout.
Skedda (SAML) has a new description, icon, and configuration guide.
Obsidian Security (SAML) has a new configuration guide, attribute, and app description.
Planhat (SAML) has a new integration guide.
Exaforce (API Service) now has the okta.idps.read scope.
Seismic (SAML) has a new logo, app description, and configuration guide.
BridgeBank Business eBanking (SWA) was updated.
Humana Military (SWA) was updated.
Jotform (SAML) was updated.
Scalefusion OneIdP (SCIM) was updated.

2026.01.2: Update 2 started deployment on February 2

Generally Available

Fixes

Arbitrary headers could be added to SCIM requests during the On-Premises Provisioning agent integration. (OKTA-1000055)

ONLY DOC AFTER ALL PROD CELLS DEPLOY. REMOVE DNP FOR 2026.02.0
When users authenticated using a third-party IdP, the AMR claims for MFA weren't included in the token. (OKTA-1020028)
When creating a group rule, after entering ten groups, admins needed to enter complete or nearly-complete group names to add more groups to the rule, rather than being able to enter a partial name and select from a list. (OKTA-1067501)
When admins created a user and chose a realm to assign, the realm wasn't assigned and an error occurred upon save. (OKTA-1091903)
Admins couldn't revert the default network zone's name back to LegacyIpZone after they'd modified it. (OKTA-1045470)
Active Directory imports failed with a ProcessMembershipsAndDeletedObjectsJob: null error. (OKTA-1098885)

Okta Integration Network

SparrowDesk (SAML) is now available. Learn more.
Eon.io (SAML) is now available. Learn more.
NoClick (SAML) is now available. Learn more.
Druva Data Security Cloud (API) is now available. Learn more.
SimCorp Dimension (SAML) is now available. Learn more.
Falcon Shield (API Service Integration) has a new scope. Learn more.
Rubrik Security Cloud (API Service Integration) has a new integration guide. Learn more.
SimCorp Dimension (SCIM) has a new SCIM configuration guide URL and a new app description.
AWS IAM Identity Center (SAML) has multiple ACS URLs support.
ShareCal (SAML) has an updated App Instance Property & Configuration Guide link.
ClickUp (SAML) has a new configuration guide and app description.
ClickUp (SAML) was updated.
CardinalOps (SAML) was updated.
OrbiPay Payments (SWA) was updated.

Version: 2025.12.0

December 2025

Generally Available

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:

The maxItemsPerPage is now configurable to meet your specific requirements.
Memory optimizations and other minor improvements.

Allow profile updates for deactivated users

Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.

Okta LDAP agent, version 5.25.0

This version of the agent includes security enhancements.

Nonce rollout for Content Security Policy

Okta is removing unsafe-eval from the script-src directive of Content-Security-Policy for every endpoint that returns html content. These are endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the Content-Security-Policy-Report-Only header's script-src directive; later, after any violations of unsafe-eval instances are fixed, unsafe-eval is removed from the Content-Security-Policy response header script-src directive.

This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.

Changes to preview user functionality

On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Support for Microsoft 365 GCC environment

Okta now supports the Microsoft Office 365 Government Community Cloud (GCC) environment. You can now use the Microsoft Office 365 app to configure Single Sign-On and provisioning for GCC tenants.

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

OAuth grant type options for custom apps

Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.

Enhanced provisioning support for Office 365 Entitlement Management

When Entitlement Management is enabled for the Office 365 app, you can now use all four provisioning options: licenses/role management, profile sync, user sync, and universal sync.

Improved realm picker access

The realm picker now automatically filters to display up to five realms that only an admin can access.

System Log updates for security.request.blocked events

When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.

Delegated flow updates

Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.

Early Access

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Governance for Workflows now available in EA

You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.

Breached credentials protection

Breached credentials protection is now available for Federal customers.

Enable custom admin roles for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Fixes

Imports sometimes failed during the user match stage. This happened because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)
Group push sometimes failed during deployments. (OKTA-941489)
The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)
When admins created a linked group, no description was displayed. (OKTA-996729)
When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)
A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)
The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)
Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)
When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)
Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)
Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)
DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)
The state of the Include Groups in RADIUS response checkbox didn't update correctly when Radius agents were configured to send multiple group response attributes. (OKTA-1060165)
There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)
Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

Okta Integration Network

Svix (OIDC) is now available. Learn more.
OpenPolicy (SCIM) is now available. Learn more.
Coalition Control has a new integration guide.
Practising Law Institute (SWA) was updated. (OKTA-1063963)
Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.
Svix now supports Universal Logout.
Harmony SASE (SCIM) has been updated with new regions.

Weekly Updates

2025.12.1: Update 1 started deployment on January 5

Generally Available

Event hooks for app provisioning and imported changes events

You can now use event hooks for the Okta events that provision app users and import changes from apps. The following events are now event hook eligible:

application.provision.user.push_profile
application.provision.user.push
application.provision.user.reactivate
application.provision.user.import_profile
app.user_management.user_group_import.upsert_success

See Event Types.

Fixes

Imports sometimes failed during the user match stage because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)
Attempts to build the Okta Provisioning Connector SDK (version 02.04.00) example server failed with a dependency resolution error. (OKTA-1021402)
Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)
In some orgs, after assigning a group to an app, any users in the group that failed to be activated in the downstream app weren't able to access the app from their End-User Dashboard, and the task to retry the activation was inadvertently hidden. (OKTA-1060837)
When security.request.blocked events were triggered by IP zones, the client.zone field wasn't populated in the System Log. (OKTA-1060987)
Recent UI changes prevented some admins from accessing the Account page. (OKTA-1062156)
The Add a domain to Office 365 link in the Office 365 manual federation instructions pointed to an invalid URL. (OKTA-1068862)
Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)
The PagerDuty app integration didn't use the correct Universal Logout endpoint. (OKTA-1070647)
Some UI elements in the Encryption keys section of the authorization server Settings tab didn't render correctly. (OKTA-1075244)