Okta Classic Engine release notes (Production)

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

New VPN service for enhanced dynamic zones

The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.

User status in Okta Expression Language

You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.

SharePoint On-Premises integration supports SHA-256

SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.

Group Push Linking for Microsoft Office 365

The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.

This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.

Supporting additional attributes in O365's Universal Sync provisioning

To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.

• onPremisesSamAccountName
• onPremisesDomainName
• onPremisesUserPrincipalName
• PreferredDataLocation

Okta Integration IdP type

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Office 365 License and Roles Management now supports sync entitlements

Sync entitlements are now supported for the Office 365 License and Roles Management provisioning type in orgs with Identity Governance enabled.

Improved user experience for Access Requests

The access request details page has been improved to provide more visibility on tasks assigned approvers and answers submitted by requesters. If you integrated Slack or Teams with Access Requests, similar changes have been made to the access request message that approvers receive. Additionally, the email notification sender's name and address have been changed. The sender's name is Okta Access Requests and the email address is noreply@at.okta.com.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.3 and Okta Provisioning agent SDK 2.4.0 are now available. These releases contain bug fixes and minor improvements.

Nonce rollout for Content Security Policy

Okta is rolling out nonces for the style-src directive of the Content Security Policy for every endpoint that returns html content. This is a two stage process: first, the nonce is added to the Content-Security-Policy-Report-Only header style-src directive; later, after any unsafe inline instances are identified and fixed, the nonce is added to the Content-Security-Policy header style-src directive. This update will be gradually applied to all endpoints.

These updates will be applied to Okta domains and custom domain pages that aren't customizable by admins (for example, sign-in pages, and error pages on custom domains). See Customize an error page.

Export Admin Console reports in GZIP format

You can now export most Admin Console reports in GZIP format, in addition to the existing CSV format. GZIP exports have a higher row limit (30 million) and a smaller file size.

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

This feature is following a slow rollout process.

IWA agent, version 1.18.0

This version of the agent contains security enhancements. See Okta SSO IWA Web App version history.

Assigning/revoking an admin role is a protected action

Now when an admin assigns or revokes an admin role from a user, they're prompted for additional authentication. See Protected actions in the Admin Console.

Admin Console Realm updates

The hint text for the Realm dropdown on the Add User form has been updated to provide clearer instructions.

Secure Identity Integrations filters in the OIN catalog

The Browse App Integration Catalog page now provides three new Secure Identity Integrations checkboxes: Secure Identity Integrations - Fundamental, Secure Identity Integrations - Advanced, and Secure Identity Integrations - Strategic. When you select one, the OIN catalog displays only the apps with that specific functionality.

LDAP Interface OIDC app

LDAP Interface now has an app sign-in policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface. The session length for OpenID Connect (OIDC) connections is now limited to one hour. After the session expires, a new BIND operation is required to continue performing SEARCH queries on the same connection. You may need to update existing scripts to account for this enforced session length.

Map unknown platform to desktop

Okta now maps unrecognized platform conditions to Other desktop. Previously, unrecognized platform conditions matched correctly only when all six platform conditions (iOS, Android, Other mobile, Windows, macOS, and Other desktop) were selected in the app sign-on policy.

Child Domain Authentication for Office 365 WS-Federation

Office 365 WS-Federation automatic configuration now supports child domain authentication. See Federate multiple Office 365 domains in a single app instance.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.