Okta Classic Engine release notes (Production)
Help us improve our release notes by filling out this short survey.
Current release status
Current | Upcoming | |
---|---|---|
Production | 2023.11.0 | 2023.11.1 Production release is scheduled to begin deployment on December 4 |
Preview | 2023.11.1 | 2023.12.0 Preview release is scheduled to begin deployment on December 6 |
November 2023
2023.11.0: Monthly Production release began deployment on November 13
* Features may not be available in all Okta Product SKUs.
Generally Available Features
Sign-In Widget, version 7.12.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Redesigned admin role pages
The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.
Okta LDAP Agent automatic update support
Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.
Lockout Prevention
This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they’ve used before aren’t locked out when unknown devices cause lockouts.
FIPS compliance for iOS or Android devices
Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.
Self-Service Okta Identity Engine Upgrades for all orgs
The self-service upgrade widget now appears on the Admin Dashboard for all Classic Engine orgs. The widget allows super admins to schedule their upgrade to Identity Engine. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine.
Custom email domain updates
The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.
Improved LDAP provisioning settings error message
During validation of LDAP provisioning settings, an incorrect syntax results in an error message. An LDAP search query isn't sent if there is an incorrect syntax.
Additional data to support debugging user authentication
When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.
Modified System Log event for Autonomous System Number (ASN) changes
When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.
OIN Manager notice
The integration estimated-verification-time notice has been updated in the OIN Manager.
Early Access Features
Granular permissions to manage directories
This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.
New app settings permissions for custom admin roles
Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.
-
OKTA-538785
Sometimes users encountered an error when the Self-Service Registration flow made a request to the /tokens endpoint.
-
OKTA-566962
Some text strings on the Okta Sign-on Policy page weren't translated.
-
OKTA-633313
A user with a custom admin role couldn't create federated users due to misplaced permissions.
-
OKTA-633789
When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.
-
OKTA-649095
Some AD-sourced users received prompts to reset their password even when the AD password policy restricted password changes.
-
OKTA-649810
The Add Resource dialog box sometimes displayed duplicate group names.
-
OKTA-653756
When many apps were added to routing rules through the API, system performance was degraded.
-
OKTA-653873
In some orgs, on-premises imports performed using the Okta Provisioning Agent ignored safeguard thresholds.
-
OKTA-664830
Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.
-
OKTA-666396
When the display language was set to Japanese, the Okta Sign-on Policy page displayed a translation error instead of the Everyone group name.
Okta Integration Network
App updates
- The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
- The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.
New Okta Verified app integrations
- AIRRECT Cloud (OIDC)
- DemoHop (OIDC)
- Salto (SAML)
- Serenity Connect (SAML)
- Zluri (SAML)
October 2023
2023.10.0: Monthly Production release began deployment on October 16
* Features may not be available in all Okta Product SKUs.
Content
Generally Available Features
Sign-In Widget, version 7.11.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
SharePoint People Picker, version 2.4.0.0
SharePoint People Picker 2.4.0.0 is now available for download. See Configure Okta SharePoint People Picker agent.
Custom email domain
You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.
OpenLDAP support for Auxiliary Object classes
You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.
New custom admin role permission
Super admins can now assign View delegated flow permission to their custom admin roles. See About role permissions.
Additional resource and entitlements reports
Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:
- Group Membership report: Lists individual members of a group and how membership was granted.
- User App Access report: Lists which users can access an application and how access was granted.
- User accounts report: Lists users with accounts in Okta and their profile information.
Sign-in requirements for new devices
Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.
IdP lifecycle event hooks
IdP lifecycle events are now eligible for use as event hooks. See Event Types.
Early Access Features
Workday writeback enhancement
When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.
-
OKTA-398711
Text on the Administrator assignment by admin page was misaligned.
-
OKTA-575513
Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.
-
OKTA-619175
UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.
-
OKTA-619223
Content was displayed incorrectly on the Change User Type page.
-
OKTA-620144
For some users, logos for imported app groups didn't appear in the Admin Console.
-
OKTA-620771
When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.
-
OKTA-621526
The MFA Usage Report didn't display the correct PIV/Smart Card label.
-
OKTA-636864
Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.
-
OKTA-639089
When a user was moved from one AD domain to another, their original group app assignments were retained.
-
OKTA-642630
Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.
-
OKTA-643148
The Tasks page didn’t indicate when each task was assigned.
-
OKTA-643598
The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.
-
OKTA-649240
Super admins couldn’t edit the scoped resources that were assigned to an Application admin.
-
OKTA-650511
Inconsistent AD agent verion formatting appeared on the Agent Monitor page during on-demand auto updates.
-
OKTA-653189
Admins couldn't reschedule their org's Identity Engine upgrade to 30 days from the current date.
-
OKTA-654506
The writeback enhancement failed to push profile information to Workday when a user's profile was empty.
-
OKTA-655148
The SAMLResponse field in the HTML response couldn't be retrieved for some clients.
Okta Integration Network
New Okta Verified app integrations
- Datawiza Access Management Platform for PeopleSoft (OIDC)
- Nooks (OIDC)
App integration fixes
- 1Password Business (SWA) (OKTA-646676)
- Canva (SWA) (OKTA-642049)
- concur-solutions (SWA) (OKTA-649651)
- Dice (SWA) (OKTA-645005)
- mySE: My Schneider Electric (SWA) (OKTA-644927)
- PagerDuty (SWA) (OKTA-643598)
Weekly Updates

Generally Available
Sign-In Widget, version 7.11.2
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Admin sessions bound to Autonomous System Number (ASN)
When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.
Fixes
-
OKTA-632174
The Edit User Assignment page showed roles that had already been removed by an admin.
-
OKTA-636990
If an admin attempted to cancel or retry the enrollment of the WebAuth authenticator on behalf of a user, the page closed.
-
OKTA-638649
Field validation didn't work for Trusted Origins URLs.
-
OKTA-642760
Double-clicking the Save button on an app sign-on policy rule caused duplicate migrations when orgs upgraded to Identity Engine.
-
OKTA-644143
Users who were added to a group through group assignments were displayed as manually assigned.
-
OKTA-648338
The Zendesk app integration made API requests using the GET command instead of the POST command.
-
OKTA-653489
Admins couldn’t add custom default Salesforce attributes that had been deleted from the Profile Editor.
-
OKTA-655852
The Okta sign-in flow returned an error for certain URLs.
Okta Integration Network
App updates
- The Extracker app integration has been rebranded as Clearstory.
- The Inflection app integration has new Assertion Consumer Service (ACS) URLs, and a new URI, logo, and integration guide link.
- The Mapiq app integration has a new logo.
-
The People Experience Hub app integration no longer has an Encryption Certificate field.
- The Secure Code Warrior app integration has new SSO URLs and a new Instance Region option.
- The Tableau Online app integration has been rebranded as Tableau Cloud. The app has new application profile, custom patch batch size, and website.
New Okta Verified app integrations
- Badge (OIDC)
- Badge (SAML)
- Cisco Webex Identity SCIM 2.09 (SAML)
- Datawiza Access Management Platform for E-Business Suite (EBS) (OIDC)
- Datawiza Access Management Platform for JD Edwards (JDE) (OIDC)
- Deel HR (SCIM)
- dscout (SAML)
- Fletch (SAML)
- Incode Omni (OIDC)
- Q for Sales (OIDC)
- SpiderSense (SAML)
- Voicenter (OIDC)
App integration fixes
- Tableau Cloud (SCIM) (OKTA-625933)

Generally Available
Sign-In Widget, version 7.11.3
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Admin sessions bound to Autonomous System Number (ASN)
When an admin signs in to Okta, their session is now associated with the ASN they are logging in from. If the ASN changes during the session, the admin is signed out of Okta, and an event appears in the System Log.
Fixes
-
OKTA-457923
The browser's back button removed filters set for the MFA Enrollment by User report rather than returning to the Reports page.
-
OKTA-559609
Email notifications for report downloads sometimes didn't refer to the report name correctly.
-
OKTA-568355
When trying to launch the SuccessFactors app, credentials weren't automatically filled, which caused the launch to fail.
-
OKTA-578997
Read-only and helpdesk admins were able to incorrectly install and configure new Active Directory, LDAP, IWA Web, and Okta Provisioning agents.
-
OKTA-586764
On Okta-hosted sign-in pages, some fonts weren't loaded or rendered correctly.
-
OKTA-597530
Admins couldn't delete authorization server clients on the Access Policies page.
-
OKTA-599823
An answer to a security question could include parts of the question.
-
OKTA-612507
Some errors weren't translated.
-
OKTA-626459
When an org attempted to upgrade to Identity Engine, verified event hooks that were subscribed to the system.voice.send_phone_verification_call and system.sms.send_phone_verification_message event types returned warnings or consent requirements.
-
OKTA-627678
An error occurred when the postLogoutReidrectUris value in an OpenID Connect app was more than 65,535 characters.
-
OKTA-639311
When Cloud Identity was selected as the Google Workspace license type, entitlements weren't pushed.
-
OKTA-643533
The Default application for the Sign-In Widget setting was visible to orgs that hadn't enabled the feature.
-
OKTA-647442
Sometimes, a search request would fail if it included a recently created user.
-
OKTA-651722
Clicking Reapply Mappings set unmapped values to empty in orgs with certain configurations.
-
OKTA-653019
Base attributes of new Slack integrations weren't visible.
-
OKTA-654857
Org navigation elements appeared behind app tiles and other user interface elements for some iOS and macOS users.
-
OKTA-658729
Admins sometimes couldn’t reschedule their upgrade to Identity Engine if they had already rescheduled it to more than 30 days into the future.
Okta Integration Network
App updates
- The Cisco Umbrella User Management app integration has been rebranded as Cisco User Management for Secure Access. The app integration has a new logo, description, and URL.
- The Fullview app integration has a new direct URI and a new initiate login URI.
- The YesWeHack app intergration has a new icon.
New Okta Verified app integrations
- Authentic Web (SAML)
- Extic (SAML)
- GoSearch (SAML)
- Kizen (SAML)
- Kno2fy (SAML)
- LeanIX (API service)
- Proofpoint Security Awareness Training (SCIM)
- Summize (OIDC)
- Swayable (SAML)
- Trint (SAML)
- Trint (SCIM)
- ZAMP (OIDC)
App integration fixes
- Adobe (SWA) (OKTA-647811)
- Algolia (SWA) (OKTA-654566)
- American Express (Business) (SWA) (OKTA-649753)
- Application Bank of America CashPro (SWA) (OKTA-648836)
- i-Ready (SWA) (OKTA-644769)
- IMDB Pro (SWA) (OKTA-653918)
- MIT Technology Review (SWA) (OKTA-656622)
- SuccessFactors (SWA) (OKTA-568355)
- Trend Micro Worry-Free Business Security Services (SWA) (OKTA-648083)
- Twilio (SWA) (OKTA-655486)
September 2023
2023.09.0: Monthly Production release began deployment on September 18
* Features may not be available in all Okta Product SKUs.
Content
Generally Available Features
Sign-In Widget, version 7.10.0
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Okta Sign-In Widget Guide.
Okta AD agent, version 1.16.0
This release includes:
- Migration of the Windows installer from Internet Explorer to Edge.
- Security enhancements.
- Internal updates.
Okta LDAP agent, version 5.18.0
This version of the agent contains security enhancements.
Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.
Okta MFA Credential Provider for Windows, version 1.3.9
This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.
Authentication challenge for redirects
Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.
Custom Identity Source app available
The Custom Identity Source app is now available in Okta Integration Network.
Count summary added to report
The User accounts report now displays the total number of records returned for the report.
Product Offers dashboard widget
A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.
Automatically assign the super admin role to an app
Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.
Okta apps and plugin no longer available to certain users
Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.
Early Access Features
This release doesn't have any Early Access features.
-
OKTA-570804
The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.
-
OKTA-574216
Reconciling group memberships sometimes failed for large groups.
-
OKTA-578184
The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.
-
OKTA-592745
Full and incremental imports of Workday users took longer than expected.
-
OKTA-605996
A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.
-
OKTA-616604
The password requirements list on the Sign-In Widget contained a grammatical error.
-
OKTA-616905
Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.
-
OKTA-619102
Invalid text sometimes appeared in attribute names.
-
OKTA-619179
A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).
-
OKTA-619419
Group admins could see their org’s app sign-in data.
-
OKTA-624387
Sometimes attempting to change an app's username failed due to a timeout.
-
OKTA-627559
Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.
-
OKTA-628944
Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.
-
OKTA-629774
Some user import jobs failed to restart after interruption.
-
OKTA-631621
Read-only admins couldn't review the details of IdP configurations.
-
OKTA-633431
When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.
-
OKTA-634308
Group app assignment ordering for Office 365 apps couldn't be changed.
-
OKTA-637259
An error occurred when importing users from Solarwinds Service Desk.
-
OKTA-641062
The link to Slack configuration documentation was invalid.
-
OKTA-641447
Super admins couldn’t save new custom admin roles.
-
OKTA-648092
New admins didn't get the Support app in their End-User Dashboard.
Okta Integration Network
App updates
- The CoRise app integration has been rebranded as Uplimit.
New Okta Verified app integrations
- Armis (SCIM)
- Astrix Security (OIDC)
- CloudEagle (API service)
- Darwinbox (SAML)
- DataOne (OIDC)
- Edgility (OIDC)
- Elba SSO (OIDC)
- Experience.com (OIDC)
- GraphOS Studio (SAML)
- HealthKey (OIDC)
- Huntress Security Awareness Training (API service)
- Lifebalance Program (OIDC)
- Mapiq (OIDC)
- Mapiq (SAML)
- OpenComp (OIDC)
- OpsHelm (OIDC)
- OpsHelm (SCIM)
- PlanYear (SAML)
- Spyglass (OIDC)
- Tuvis (SAML)
App integration fixes
- American Express Online (OKTA-637925)
- hoovers_level3 (OKTA-637274)
- MSCI ESG Manager (OKTA-637624)
- PartnerXchange (OKTA-632251)
- Staples Advantage (OKTA-639141)
Weekly Updates

Generally Available
Sign-In Widget, version 7.10.1
For details about this release, see the Sign-In Widget Release Notes.
For more information about the Widget, see the Sign-In Widget Guide.
Content security policy enforcement extended for custom domains
Content Security Policy is now enforced for all non-customizable pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for all non-customizable pages in orgs with custom domains will become stricter than this first release. This feature will be gradually made available to all orgs.
Enhanced Okta LDAP integrations with Universal Directory
Okta LDAP integrations now feature custom mapping, schema discovery, and a fully extensible attribute schema that allows you to import or update any attribute stored in LDAP. With these enhancements, Okta LDAP matches the schema functionality already available to Active Directory integrations. See Profile Editor. This feature is being re-released. This feature will be gradually made available to all orgs.
Fixes
-
OKTA-595549
IdP users were redirected to an unbranded sign-in page after SSO failure.
-
OKTA-614488
Admins could view only 50 applications in the Default application for the Sign-In Widget dropdown menu when configuring a custom sign-in page.
-
OKTA-619163
When the Universal Distribution List group was pushed to Active Directory, some users' group memberships didn't sync.
-
OKTA-627660
Users whose admin permissions were revoked continued to receive emails with an Admin only audience setting.
-
OKTA-628227
Some SAML-linked accounts in DocuSign couldn't use SWA.
-
OKTA-629263
Email change confirmation notices came from an Okta test account rather than a brand-specific sender.
-
OKTA-637801
Admins without permission to manage apps saw an Edit button for the app’s VPN Notification settings.
-
OKTA-638911
The RSA Authenticator used the old SamAccountName of AD-sourced users after it was changed.
-
OKTA-639465
The LDAP Agent Update service used an unquoted path, which could allow arbitrary code execution. For more information, see the Okta security advisory.
-
OKTA-647842
Okta displayed two different titles for the End-User Dashboard to users whose locale was set to Vietnamese.
Okta Integration Network
App updates
- The Amazon Business SAML app now has a configurable SAML issuer.
- The Amazon Business SCIM app now has a configurable SCIM base URL and Authorize endpoint.
- Application profile and mapping has been updated for the Jostle SCIM app.
- The mobile.dev SAML app has been rebranded as Maestro Cloud.
New Okta Verified app integrations
- Base-B (SAML)
- Base-B (SCIM)
- Comprehensive (OIDC)
- Palo Alto Networks Cloud Identity Engine (API service)
- Palo Alto Networks Cloud Identity Engine (Application-enabled) (API service)
- Rezonate Security (API service)
- supervisor.com (OIDC)
- WorkSchedule.Net (OIDC)
App integration fixes
- American Express Online by Concur (OKTA-642832)

Fixes
-
OKTA-619723
When the Conditions for admin access feature was enabled, admins who were restricted from viewing certain profile attributes couldn’t access the .
-
OKTA-623635
Group mappings were unexpectedly pushed to downstream apps after the corresponding app instances were deleted.
-
OKTA-627862
Incorrect values for group metrics, such as the number of groups added and updated, were displayed on the Import Monitoring page.
-
OKTA-633507
The pagination cursor was ignored when requests to the Groups API (api/v1/groups) included the ID of the All Admin group.
-
OKTA-641112
System Log events weren't generated when Active Directory and LDAP users were deactivated during sign-in.
-
OKTA-643155
If an org had configured Duo Security as an MFA factor and also a custom IdP factor named Duo Security, then the org couldn't be upgraded to Identity Engine.
-
OKTA-643204
Active Directory and LDAP users weren't unassigned from applications when they were deactivated during sign-in.
-
OKTA-643499
Sometimes the processing of group rules for smaller groups took longer than expected when other large operations were in progress.
Okta Integration Network
App updates
- The Experience.com OIDC app now has additional redirect URIs.
-
The Planview Admin SAML app now has the Audience ID variable.
New Okta Verified app integrations
- Clumio (SCIM)
- Elba (API service)
- innDex (OIDC)
- Sloneek (OIDC)
- Zonka Feedback (SAML)
App integration fixes
- Bloomberg (SWA) (OKTA-642380)
- BlueCross Blueshield of Illinois (SWA) (OKTA-641490)
- Citi Velocity (SWA) (OKTA-637196)
- SAP Concur Solutions (SWA) (OKTA-643965)