Okta Classic Engine release notes (Production)

Version: 2025.08.0

August 2025

Generally Available

Sign-In Widget 7.34.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Okta On-Prem MFA agent version 1.8.5

This version includes security enhancements.

New password expiration message

The Breached Credentials Protection feature now displays a more intuitive error message to users whose passwords have expired.

Okta Provisioning agent, version 3.0.2

Okta Provisioning agent 3.0.2 is now available. This release of the Okta Provisioning agent uses OAuth 2.0 for authorization and OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) to securely communicate with Okta. Agents are now registered through the OAuth 2.0 device registration flow and operate independently from the account used to register them. This release also uses UTC time as the default for meta.lastModified timestamps and includes security enhancements and bug fixes. See Okta Provisioning Agent and SDK version history.

Okta Active Directory agent, version 3.21.0

This release includes general enhancements, branding updates, and bug fixes. See Okta Active Directory agent version history.

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Define default values for custom user attributes

Admins can now define default values for custom attributes in a user profile. If you set a custom attribute to be unique, then the default value is automatically set to null (as opposed to an empty string). See Add custom attributes to an Okta user profile.

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Auto-confirm for CSV imports

When Identity Governance is enabled and admins use CSV Import with entitlements, auto-confirm is enabled on exact email matches.

Identity Governance user entitlements import limit increased

The maximum number of user entitlements that can be imported from CSV has been increased to 25,000. See Import user entitlements from CSV.

License grouping UI improvement

Microsoft O365 licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only the primary license name visible. Expanding the dropdown menu displays all sub-licenses under it.

New custom attributes for profile sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

Custom profile attributes for OIDC apps

Admins can now add custom profile attributes to OIDC apps in JSON format. See Configure profile attributes for OIDC apps.

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration.

Early Access

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

Governance delegates

Super admins and users can assign another user as a delegate to complete governance tasks for them. Governance tasks include access certification campaign review items and access request approvals, questions, and other tasks. After a delegate is specified, all future governance tasks (access request approvals and access certification reviews) are assigned to the delegate instead of the original approver or reviewer. This helps ensure that governance processes don't stall when approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period. It also reduces the time spent in reassigning requests and reviews manually. See Governance delegates.

Multiple active IdP signing certificates

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Admins can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates. The feature is available for both the Admin Console and the IdP Certificates API.

JSON Web Encryption of OIDC ID Tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

Fixes

  • When an admin performed an incremental import using the Okta Provisioning agent, the last.modified timestamp was in the local time zone rather than the expected UTC. (OKTA-908307)

  • Admins couldn't always reactivate an app, even when there were active instances of that same app. (OKTA-944775)

  • After a reviewer approved or revoked a review item, the value for the campaignItemRemediationStatus System Log event incorrectly displayed NONE. (OKTA-950851)

  • When conditions were removed from a groups resource, admins who were assigned the resource set couldn't add groups. (OKTA-961708)

  • On the Edit role page, the Role description field displayed the Role name value. (OKTA-984100)

  • In orgs with the Breached Credentials Protection feature enabled, the wrong password expiration date was displayed to some users. (OKTA-984104)

  • When an admin assigned a group to an app, the resulting System Log event was incomplete. (OKTA-985709)

Weekly Updates

2025.8.1: Update 1 started deployment on August 18

Fixes

  • Sometimes admins could assign themselves as approvers for their own access requests.

  • When an admin edited a resource set, the event didn't appear in the Admin changes section on the Administrators page. (OKTA-817804)

  • Admins couldn't publish customized sign-in and error pages, and some users saw default sign-in and error pages instead of previously published customized ones. (OKTA-838267)

  • An error was intermittently returned when attempting to add a new sign-in redirect URI to an existing OIDC app. (OKTA-892769)

  • Notification emails for AD and LDAP agent upgrades included sections for updated agents when none existed. (OKTA-958346)

  • Okta didn't migrate customer-provided certificates to Okta-managed ones. (OKTA-959003)

  • Custom admins with privileges for customizing domains didn't see the Edit menu item on the Domains tab of a brand page. (OKTA-974191)

  • When LDAP instances were either deactivated or reactivated, the associated LDAP agents remained in their current state. (OKTA-990260)

  • The LDAP interface app showed an Okta IP address instead of the requester's original IP address, leading to authentication failure. (OKTA-991371)

  • Some users were redirected to the wrong IdP after their org's routing rules were updated. (OKTA-992475)

  • Some users who enabled the Early Access feature Unified claims generation for Okta-protected SAML and OIDC custom app integrations saw an error when they tried to add custom claims to an app integration. (OKTA-997102)

  • An error message appeared to super admins when they tried to configure the custom OTP authenticator, and the authenticator didn't appear on the Authenticators page. (OKTA-997916)

Okta Integration Network

  • Prowler (Prowler SaaS) has a new display name.

  • Ethos has a new Redirect URI.

  • Prowler Cloud (SAML) is now available. Learn more.

  • 1VALET was updated.

  • Adobe Enterprise (SWA) was updated.

  • Adobe (SWA) was updated.

  • Apple store for Business (SWA) was updated.

  • Paycor (SWA) was updated.

  • National Car Rental (SWA) was updated.

  • Marriott Hotels (SWA) was updated.

  • Desana has a new icon.

  • Console updated with a new redirect URI and icon (OIDC). Learn more.

  • FORA was updated.

  • Approveit (SAML) is now available. Learn more.

  • Bing Webmaster (SWA) was updated.

  • Reward Builder is now available. Learn more.

  • Staircase AI (SCIM) now supports the EU region.

Version: 2025.07.0

July 2025

Generally Available

Sign-In Widget, version 7.33.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Release notes available in Japanese

Release notes for Okta Classic Engine are now translated to Japanese for each release. These translations are published within a week of the English publication.

Okta Provisioning agent, version 2.3.1

This release contains security enhancements. See Okta Provisioning Agent and SDK version history.

Okta Hyperdrive agent, version 1.5.1

This version includes security enhancements.

Okta LDAP agent, version 5.24.0

This version of the agent includes the following:

  • Configuration files are now encrypted
  • Local LDAP agent configuration files are monitored for unexpected changes
  • install.log created to help debug installation issues
  • Security enhancements

Google Workspace improvements

The following changes have been made to improve the performance of the Google Workspace app integration:

  • More robust group-related error handling
  • Eliminated duplicate group creation upon import when Import Groups is disabled

Okta MFA Credential Provider for Windows

This release includes bug fixes and security enhancements.

Conditions for create user permission

You can now add conditions to the Create user permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permission conditions.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See Define attribute statements.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Early Access

Network restrictions for OIDC token endpoints is EA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Okta Integration IdP type is EA in Preview

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Enforce MFA for Identity Governance admin apps

The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.

OU moves for LDAP-provisioned users

When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.

Okta Hyperspace agent, version 1.5.1

This version includes security enhancements.

System Log event for monitoring LDAP Agent config file changes

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.
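
One way to act on this event, as an added example (not Okta code): flag system.agent.ldap.config_change_detected events that fall outside approved change windows. The sample events are constructed and use only the standard System Log fields uuid, eventType, published and actor; the change-window list and the use of actor.displayName to identify the agent are assumptions.

```javascript
// Added illustration, not Okta code. All events and windows below are constructed.
const LDAP_CONFIG_EVENT = 'system.agent.ldap.config_change_detected';

// Constructed System Log events, as an exported batch might look.
const sampleEvents = [
  { uuid: 'evt-1', eventType: LDAP_CONFIG_EVENT,
    published: '2025-07-10T02:15:00.000Z', actor: { displayName: 'ldap-agent-01' } },
  { uuid: 'evt-2', eventType: 'user.session.start',
    published: '2025-07-10T02:20:00.000Z', actor: { displayName: 'jdoe' } },
  { uuid: 'evt-3', eventType: LDAP_CONFIG_EVENT,
    published: '2025-07-12T23:40:00.000Z', actor: { displayName: 'ldap-agent-02' } },
  { uuid: 'evt-4', eventType: LDAP_CONFIG_EVENT,
    published: 'not-a-date', actor: { displayName: 'ldap-agent-01' } },
];

// Hypothetical change-management record: when each agent's config may change.
const approvedWindows = [
  { agent: 'ldap-agent-01', start: '2025-07-10T02:00:00Z', end: '2025-07-10T04:00:00Z' },
];

// Return one alert per config-change event that no approved window explains.
function unexpectedConfigChanges(events, windows) {
  const alerts = [];
  for (const e of events) {
    if (e.eventType !== LDAP_CONFIG_EVENT) continue;
    // Assumption: the agent is identified by actor.displayName.
    const agent = e.actor?.displayName ?? 'unknown';
    const t = Date.parse(e.published);
    if (Number.isNaN(t)) {
      // Fail closed: an event that cannot be placed in time is still reported.
      alerts.push({ uuid: e.uuid, agent, reason: 'unparseable timestamp' });
      continue;
    }
    const approved = windows.some((w) =>
      w.agent === agent && t >= Date.parse(w.start) && t <= Date.parse(w.end));
    if (!approved) {
      alerts.push({ uuid: e.uuid, agent, reason: 'outside approved change window' });
    }
  }
  return alerts;
}
```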

On-prem Connector for Oracle EBS

On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.

Provisioning for Oracle Human Capital Management

Provisioning is now available for the Oracle Human Capital Management app integration. When you provision the app, you can enable security features like Entitlement Management, Privileged Access, and more. See Oracle Human Capital Management.

Fixes

  • Admins couldn't edit the Need help signing in? link on the Sign-In Widget (third generation). (OKTA-917840)

  • Group push errors were displayed for app instances that didn't have provisioning enabled. (OKTA-924631)

  • Client location, IP address, and user agent weren't visible for security.breached_credential.detected events in System Log. (OKTA-934324)

  • When any of the "When a user is reactivated in the app" options were enabled for an app integration, the first attempt to re-login using ADSSO by disconnected AD users failed. (OKTA-939542)

  • Additional roles couldn't be added to the base Role attribute for SmartRecruiters app integrations. (OKTA-944146)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • Some users who were logged out of Okta by the breached credentials protection feature had custom attribute values deleted from their user profile. (OKTA-964312)

Okta Integration Network

  • Cockroach Labs (SCIM) is now available. Learn more.
  • Grace (OIDC) is now available. Learn more.
  • Hive (SCIM) is now available. Learn more.
  • Optmyzr (OIDC) is now available. Learn more.
  • Planfix (SCIM) is now available. Learn more.
  • Planfix (SAML) is now available. Learn more.
  • Splunk Add-on for Okta Identity Cloud (API integration) is now available. Learn more.

Weekly Updates

2025.7.1: Update 1 started deployment on July 14

Fixes

  • Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)

  • Some users with custom admin roles were unable to use the authorization server token preview. (OKTA-847900)

  • The multiple identifiers feature didn't process case sensitivity correctly when evaluating identifier attributes. (OKTA-899235)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-953319)

  • The Networks page became unresponsive when admins clicked the Show more option. (OKTA-958764)

  • Users were unable to create a new schema property using a previously used name due to an incomplete cleanup process of deleted schema properties. (OKTA-963030)

  • A blank page was displayed after an Okta user was successfully converted to a service account. (OKTA-969178)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

Okta Integration Network

  • NVIDIA Identity Federation (SCIM & SAML) is now available. Learn more.
  • Zoho Directory (API Integration) is now available. Learn more.

2025.7.2: Update 2 started deployment on July 21

Fixes

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

  • Provisioning new users without a password to on-premises SAP instances failed, even when Sync Password was disabled. (OKTA-973324)

  • The create user form didn't clearly indicate whether an admin can view or edit files, which caused confusion during user creation. (OKTA-977736)

  • This release includes security enhancements. (OKTA-984152)

Okta Integration Network

  • CaterCow (OIDC) is now available. Learn more.

  • Cato Portal has a new Redirect URI. Learn more.

  • DevRev (SAML) is now available. Learn more.

  • DevRev (SCIM) is now available. Learn more.

  • Fastly has a new configuration guide. Learn more.

  • Fastly (SCIM) is now available. Learn more.

  • Hexnode (API service) is now available. Learn more.

  • ImmuniWeb (OIDC) is now available. Learn more.

  • Observe.ai (Provisioning)(SCIM) is now available. Learn more.

  • SmartCompany is now OneHR.

  • Sociabble (OIDC) is now available. Learn more.

  • Sociabble (SAML) is now available. Learn more.

2025.7.3: Update 3 started deployment on August 4

Fixes

  • When signing in to Okta, AD-sourced users were prompted that their password would expire, even with a password policy set to never expire. (OKTA-931026)

  • Read-only admins couldn't view event hooks. (OKTA-935143)

  • Okta displayed different error messages for valid and invalid usernames after failed sign-in attempts. (OKTA-958229)

  • When users tried to sign in to the End-User Dashboard and an error occurred, the custom error page wasn't displayed. (OKTA-963685)

  • When an admin with a custom role was deactivated and then immediately reactivated, they temporarily retained their former privileges and could access the Admin Console. (OKTA-968997)

  • Provisioning new users without a password to on-premises SAP instances failed, even when Sync Password was disabled. (OKTA-973324)

  • The create user form didn't clearly indicate whether an admin can view or edit files, which caused confusion during user creation. (OKTA-977736)

  • Customers couldn't upgrade to Identity Engine when their Classic Engine org used a custom domain, didn't have a custom sign-in page, and used version 5.10 or earlier of the Sign-In Widget. (OKTA-961939)

  • Users appeared twice in the results of the User App Access report. (OKTA-963812)

  • When an admin managed Active Directory users and groups in Okta, the events didn't always appear in the System Log. (OKTA-976990)

  • Some Active Directory users saw a password expiration notice after the breached credentials protection feature had already expired their passwords. (OKTA-979447)

  • The default value of a custom property reset whenever it was edited. (OKTA-983015)

  • Some users saw an error when they tried to assign groups in the JIT Settings of their social login identity provider. (OKTA-983565)

  • After signing in to an Office 365 app and redirecting back to Okta, some AD-sourced users remained in a DEACTIVATING state. (OKTA-986550)

Version: 2025.06.0

June 2025

Generally Available

Per-app SAML certificate expiry notifications

The Tasks page now displays certificate expiry notifications for individual SAML apps.

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Okta Provisioning Agent now supports Group Push with SCIM 2.0

You can now use Group Push with on-premises apps by using Okta Provisioning Agent and SCIM 2.0. See Create SCIM connectors for on-premises provisioning.

New look and feel in the Partner Admin Portal app

The Partner Admin Portal app pages now have a new look and feel, including redesigned side and top navigation menus.

Define default values for custom user attributes

You can now define default values for custom attributes in a user profile. See Add custom attributes to an Okta user profile.

Domain restrictions on Realms

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See Manage realms.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Improvements to Okta RADIUS

Okta RADIUS now supports Java version 17 and has a new 64-bit installer.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Admins prevented from deleting published app instances

When an app instance has the Published version status, admins can no longer delete it from their org.

Early Access

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Fixes

  • SDK strings that contained iOS were parsed as unknown operating systems. (OKTA-856044)

  • On the Settings page, the Technical contact field displayed a "This field cannot be left blank" error even when there was text in the field. (OKTA-939469)

  • In the End-User Dashboard, if a user resized the browser to a mobile-sized view, the navigation menu opened and closed repeatedly. (OKTA-940213)

  • Admins received a 500 error when they attempted to delete an optional attribute in Profile Editor. (OKTA-941778)

Okta Integration Network

  • Pluto Bioinformatics is now available (SAML). Learn more.
  • FORA is now available (OIDC). Learn more.
  • Teamplify is now available (OIDC). Learn more.
  • XOPS is now available (API Service Integration). Learn more.

Weekly Updates

2025.6.1: Update 1 started deployment on June 23

Generally Available

Frame-ancestors rollout for Content Security Policy

Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint and /API/v1/internal/device/nonce endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See Trusted Origins for iFrame embedding.

In addition, Okta is rolling out the use of nonce with the script-src directive of the CSP for the /auth/services/devicefingerprint endpoint. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce addition to script-src.
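
How a browser applies the two directives described above, as an added example (not Okta code): a simplified evaluator for frame-ancestors and for nonce-based script-src. The header values, origins and nonce are constructed; source matching covers only 'none', 'self', *, exact origins and "*." host wildcards, checks a single embedder, and does not evaluate hash sources.

```javascript
// Added illustration, not Okta code. Header values and origins are constructed.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Simplified source match: exact origin, or "https://*.example.com" wildcard.
function originMatches(source, origin) {
  const o = new URL(origin);
  const m = /^(https?):\/\/\*\.(.+)$/i.exec(source);
  if (m) {
    // A "*." wildcard matches subdomains only, never the bare domain.
    return o.protocol === m[1].toLowerCase() + ':' &&
           o.hostname.endsWith('.' + m[2].toLowerCase());
  }
  try { return new URL(source).origin === o.origin; } catch { return false; }
}

// May a page served from pageOrigin be framed by embedderOrigin?
function canBeFramedBy(cspHeader, pageOrigin, embedderOrigin) {
  const sources = parseCsp(cspHeader)['frame-ancestors'];
  if (sources === undefined) return true; // directive absent: CSP sets no limit
  return sources.some((s) => {
    const t = s.toLowerCase();
    if (t === "'none'") return false;
    if (t === "'self'") return originMatches(pageOrigin, embedderOrigin);
    if (t === '*') return true;
    return originMatches(s, embedderOrigin);
  });
}

// May an inline <script nonce="scriptNonce"> run under this policy?
function inlineScriptAllowed(cspHeader, scriptNonce) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip the leading 'nonce- and trailing '
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  if (nonces.length > 0 || hasHash) {
    // Once a nonce or hash is present, browsers ignore 'unsafe-inline'.
    return scriptNonce !== undefined && nonces.includes(scriptNonce);
  }
  return sources.includes("'unsafe-inline'");
}

// Constructed sample: an org page that trusts one embedder and uses a nonce.
const PAGE_ORIGIN = 'https://example.okta.com';
const SAMPLE_CSP =
  "frame-ancestors 'self' https://portal.example.com; " +
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0mValue'";
```

An embedder that is not listed as a trusted origin fails the first check, and an injected inline script without the per-response nonce fails the second even though 'unsafe-inline' is still in the header.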

New On-Prem MFA agent version

Version 1.8.3 of the On-Prem MFA agent is now available. This version includes security enhancements.

Fixes

  • App logos could be added or updated using any SVG format. (OKTA-876028)

  • After the Okta Active Directory or LDAP agents were successfully updated, the corresponding email notification reported that zero agents were running the new version. (OKTA-876968)

  • The Proxy IP Usage report returned unknown values for Proxy Type. (OKTA-930091)

  • SAML attribute statements were incorrectly hidden on some users' custom SAML app pages. (OKTA-939543)

  • The table on the HealthInsight page was misaligned. (OKTA-948682)

  • When the Governance for admin roles feature was enabled, admins could create custom roles with the same name as a standard role. (OKTA-950114)

  • When some AD or LDAP imports failed, the warning "Incorrect result size: expected 1, actual 2" was displayed in the job UI, but no System Log message was written. (OKTA-638810)

  • During a full import with AD DirSync, appuser.CN was cleared, which resulted in any attributes mapped from appuser.CN to the Okta user profile being cleared. (OKTA-944122)

  • When an admin opened a video from the Getting Started page, the close button wasn't visible. (OKTA-946268)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

Okta Integration Network

  • Complyfirst.co (OIDC) is now available. Learn more.
  • Duo Security SCIM Provisioning (SCIM) is now available. Learn more.
  • Genea Access Control (SAML) is now available. Learn more.
  • Genea Access Control (OIDC) is now available. Learn more.
  • Snapshot AI (OIDC) is now available. Learn more.

2025.6.2: Update 2 started deployment on June 30

Generally Available

Fixes

  • The Report a Security Issue section appeared on the Sign-In Help page even though the End User Help Form setting was disabled. (OKTA-898824)

  • When an admin retried a failed Office365 provisioning task, the Immutable ID value was cleared. (OKTA-913410)

Okta Integration Network