Okta Classic Engine release notes (Production)

Help us improve our release notes by filling out this short survey.

Current release status

Current Upcoming
Production 2023.11.0 2023.11.1 Production release is scheduled to begin deployment on December 4
Preview 2023.11.1 2023.12.0 Preview release is scheduled to begin deployment on December 6

November 2023

2023.11.0: Monthly Production release began deployment on November 13

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.12.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Redesigned admin role pages

The Create a role and Edit role pages for custom admin-role configuration now provide a simpler, more intuitive user experience. See Create a role.

Okta LDAP Agent automatic update support

Admins can now initiate or schedule automatic updates to Okta LDAP agents from the Admin Console. With agent auto-update functionality, admins no longer need to manually uninstall and then reinstall Okta LDAP agents when a new agent version is released. Agent auto-updates keep your agents up to date and compliant with the Okta support policy, and help ensure your org has the latest Okta features and functionality. Single or multiple agents can be updated on demand, or updates can be scheduled to occur outside of business hours to reduce downtime and disruption to users. See Automatically update Okta LDAP agents.

Lockout Prevention

This feature adds the ability to block suspicious sign-in attempts from unknown devices. Users who sign in to Okta with devices they’ve used before aren’t locked out when unknown devices cause lockouts.

FIPS compliance for iOS or Android devices

Federal Information Processing Standards (FIPS) compliance is now available for iOS or Android devices. FIPS can be enabled on the Okta Verify configuration page. When FIPS compliance is enabled, admins can be confident that only FIPS-compliant software is used.

See About FIPS-mode encryption.

Self-Service Okta Identity Engine Upgrades for all orgs

The self-service upgrade widget now appears on the Admin Dashboard for all Classic Engine orgs. The widget allows super admins to schedule their upgrade to Identity Engine. The upgrade is free, automatic, and has zero downtime. See Upgrade to Okta Identity Engine.

Custom email domain updates

The Custom email domain wizard now includes an optional Mail subdomain field. See Configure a custom domain.

Improved LDAP provisioning settings error message

During validation of LDAP provisioning settings, an incorrect syntax results in an error message. An LDAP search query isn't sent if there is an incorrect syntax.

Additional data to support debugging user authentication

When the user.authentication.auth_unconfigured_identifier event is triggered, the Okta username and email are added to the event. This helps orgs find who to communicate with about the changes.

Modified System Log event for Autonomous System Number (ASN) changes

When an admin is signed out of Okta because their ASN changed during their session, the System Log now displays a security.session.detect_client_roaming event instead of a user.session.context.change event.

OIN Manager notice

The integration estimated-verification-time notice has been updated in the OIN Manager.

Early Access Features

Granular permissions to manage directories

This feature enables you to assign permissions to view and manage directories as part of a customized admin role. Admins without universal application administrator permissions can handle directory-specific tasks.

New app settings permissions for custom admin roles

Super admins can now assign permissions for custom admin roles to manage all app settings, or only general app settings. This enables super admins to provide more granular permissions to the admins they create, resulting in better control over org security. See Application permissions.


  • OKTA-538785

    Sometimes users encountered an error when the Self-Service Registration flow made a request to the /tokens endpoint.

  • OKTA-566962

    Some text strings on the Okta Sign-on Policy page weren't translated.

  • OKTA-633313

    A user with a custom admin role couldn't create federated users due to misplaced permissions.

  • OKTA-633789

    When an Okta group name contained $, the push group feature either removed $ or caused the sAMAccountName to fail validation when populating the Active Directory group.

  • OKTA-649095

    Some AD-sourced users received prompts to reset their password even when the AD password policy restricted password changes.

  • OKTA-649810

    The Add Resource dialog box sometimes displayed duplicate group names.

  • OKTA-653756

    When many apps were added to routing rules through the API, system performance was degraded.

  • OKTA-653873

    In some orgs, on-premises imports performed using the Okta Provisioning Agent ignored safeguard thresholds.

  • OKTA-664830

    Developer and free-trial orgs redirected users to the configured redirect URI when errors occurred. The redirects now target an error page.

  • OKTA-666396

    When the display language was set to Japanese, the Okta Sign-on Policy page displayed a translation error instead of the Everyone group name.

Okta Integration Network

App updates

  • The RFPIO app integration has been rebranded as Responsive. The app has a new logo and integration guide link.
  • The YardiOne Dashboard app integration has been rebranded as YardiOne. The app has a new logo and new integration guide links, as well as Just-In-Time (JIT) provisioning support for SAML integrations.

New Okta Verified app integrations

October 2023

2023.10.0: Monthly Production release began deployment on October 16

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.11.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Sign-In Widget Guide.

SharePoint People Picker, version

SharePoint People Picker is now available for download. See Configure Okta SharePoint People Picker agent.

Custom email domain

You can configure a custom domain so that email Okta sends to your end users appears to come from an address that you specify instead of the default Okta sender noreply@okta.com. This allows you to present a more branded experience to your end users. See Configure a custom email address. This feature is being re-released.

OpenLDAP support for Auxiliary Object classes

You can now input a comma-separated list of auxiliary object classes when importing users from LDAP. See LDAP integration. This feature is being re-released.

New custom admin role permission

Super admins can now assign View delegated flow permission to their custom admin roles. See About role permissions.

Additional resource and entitlements reports

Reports help your Okta org manage and track user access to resources, meet audit and compliance requirements, and monitor organizational security. The following reports are now available:

  • Group Membership report: Lists individual members of a group and how membership was granted.
  • User App Access report: Lists which users can access an application and how access was granted.
  • User accounts report: Lists users with accounts in Okta and their profile information.

See Entitlements and Access Reports.

requirements for new devices

Users are now prompted for MFA each time they sign in when an authentication policy rule requires MFA for new devices.

IdP lifecycle event hooks

IdP lifecycle events are now eligible for use as event hooks. See Event Types.

Early Access Features

Workday writeback enhancement

When this feature is enabled, Okta makes separate calls to update work and home contact information. This feature requires the Home Contact Change and Work Contact Change business process security policy permissions in Workday.


  • OKTA-398711

    Text on the Administrator assignment by admin page was misaligned.

  • OKTA-575513

    Super admins that tried to open the Okta Workflows console received an error, and {0} appeared as the app name, when their account wasn't assigned to the Workflows app.

  • OKTA-619175

    UI elements didn't work properly on the Global Session Policy and Authentication Policies pages.

  • OKTA-619223

    Content was displayed incorrectly on the Change User Type page.

  • OKTA-620144

    For some users, logos for imported app groups didn't appear in the Admin Console.

  • OKTA-620771

    When a group was pushed from Okta, a blank app icon appeared for some users and clicking the icon resulted in an error.

  • OKTA-621526

    The MFA Usage Report didn't display the correct PIV/Smart Card label.

  • OKTA-636864

    Org navigation elements were hidden when authentication settings were changed for orgs embedded in an iFrame or that redirected to an iFrame.

  • OKTA-639089

    When a user was moved from one AD domain to another, their original group app assignments were retained.

  • OKTA-642630

    Users received an error when they entered an OTP from an SMS message after the org was upgraded to Identity Engine.

  • OKTA-643148

    The Tasks page didn’t indicate when each task was assigned.

  • OKTA-643598

    The Secure Web Authentication (SWA) module failed to sign users in to PagerDuty.

  • OKTA-649240

    Super admins couldn’t edit the scoped resources that were assigned to an Application admin.

  • OKTA-650511

    Inconsistent AD agent verion formatting appeared on the Agent Monitor page during on-demand auto updates.

  • OKTA-653189

    Admins couldn't reschedule their org's Identity Engine upgrade to 30 days from the current date.

  • OKTA-654506

    The writeback enhancement failed to push profile information to Workday when a user's profile was empty.

  • OKTA-655148

    The SAMLResponse field in the HTML response couldn't be retrieved for some clients.

Okta Integration Network

New Okta Verified app integrations

App integration fixes

  • 1Password Business (SWA) (OKTA-646676)
  • Canva (SWA) (OKTA-642049)
  • concur-solutions (SWA) (OKTA-649651)
  • Dice (SWA) (OKTA-645005)
  • mySE: My Schneider Electric (SWA) (OKTA-644927)
  • PagerDuty (SWA) (OKTA-643598)

Weekly Updates

September 2023

2023.09.0: Monthly Production release began deployment on September 18

* Features may not be available in all Okta Product SKUs.

Generally Available Features

Widget, version 7.10.0

For details about this release, see the Sign-In Widget Release Notes.

For more information about the Widget, see the Okta Sign-In Widget Guide.

Okta AD agent, version 1.16.0

This release includes:

  • Migration of the Windows installer from Internet Explorer to Edge.
  • Security enhancements.
  • Internal updates.

See Okta Active Directory agent version history.

Okta LDAP agent, version 5.18.0

This version of the agent contains security enhancements.

Note: In Windows, the LDAP Agent auto-update feature isn't capable of deploying all security enhancements that are introduced in version 5.18. To completely deploy all security enhancements from this release, all LDAP agents running version 5.17 or earlier must be uninstalled, and version 5.18 must be manually installed. See Install the Okta LDAP Agent.

Okta MFA Credential Provider for Windows, version 1.3.9

This release includes bug fixes, security enhancements, and support for an additional top-level domain. See Okta MFA Credential Provider for Windows Version History.

Authentication challenge for redirects

Users now receive an authentication challenge for each redirect sent to an Identity Provider with Factor only configured, even if the IdP session is active.

Custom Identity Source app available

The Custom Identity Source app is now available in Okta Integration Network.

Count summary added to report

The User accounts report now displays the total number of records returned for the report.

Product Offers dashboard widget

A Product Offers widget now displays on the Admin Dashboard for super and org admins. The widget provides a cost- and commitment-free way for admins to explore and test the capabilities of various Okta products. When a new free trial is available, admins can click Get started to activate it, or Not interested to dismiss the widget.

Automatically assign the super admin role to an app

Admins can now automatically assign the super admin role to all of their newly created public client apps. See Work with the admin component.

Okta apps and plugin no longer available to certain users

Beta users of the PingFederate MFA plugin can no longer create Okta apps or download the plugin.

Early Access Features

This release doesn't have any Early Access features.


  • OKTA-570804

    The RADIUS Server Agent installer for versions 1.3.7 and 1.3.8 didn't prompt users to install missing C++ runtime libraries on Microsoft Windows servers.

  • OKTA-574216

    Reconciling group memberships sometimes failed for large groups.

  • OKTA-578184

    The inbound delegated authentication endpoint didn't correctly handle errors when the authentication request wasn't associated with an org.

  • OKTA-592745

    Full and incremental imports of Workday users took longer than expected.

  • OKTA-605996

    A token inline hook secured by an OAuth 2.0 private key returned an error for all users except super admins.

  • OKTA-616604

    The password requirements list on the Sign-In Widget contained a grammatical error.

  • OKTA-616905

    Events weren't automatically triggered for Add assigned application to group, Remove assigned group from application, and Update Assign application group event hooks.

  • OKTA-619102

    Invalid text sometimes appeared in attribute names.

  • OKTA-619179

    A timeout error occurred when accessing a custom report for UKG Pro (formerly UltiPro).

  • OKTA-619419

    Group admins could see their org’s app sign-in data.

  • OKTA-624387

    Sometimes attempting to change an app's username failed due to a timeout.

  • OKTA-627559

    Access policy evaluation for custom authorization servers was inconsistent when default scopes were used.

  • OKTA-628944

    Email notifications from Okta Verify were sent from the default domain address instead of the email address configured for the brand.

  • OKTA-629774

    Some user import jobs failed to restart after interruption.

  • OKTA-631621

    Read-only admins couldn't review the details of IdP configurations.

  • OKTA-633431

    When an Okta Org2Org integration encountered an API failure, the resulting error message was displayed in Japanese.

  • OKTA-634308

    Group app assignment ordering for Office 365 apps couldn't be changed.

  • OKTA-637259

    An error occurred when importing users from Solarwinds Service Desk.

  • OKTA-641062

    The link to Slack configuration documentation was invalid.

  • OKTA-641447

    Super admins couldn’t save new custom admin roles.

  • OKTA-648092

    New admins didn't get the Support app in their End-User Dashboard.

Okta Integration Network

App updates

  • The CoRise app integration has been rebranded as Uplimit.

New Okta Verified app integrations

App integration fixes

  • American Express Online (OKTA-637925)
  • hoovers_level3 (OKTA-637274)
  • MSCI ESG Manager (OKTA-637624)
  • PartnerXchange (OKTA-632251)
  • Staples Advantage (OKTA-639141)

Weekly Updates