Okta Classic Engine release notes (Preview)

Version: 2025.03.0

March 2025

Generally Available

Okta MFA Credential Provider for Windows, version 1.4.3

This version includes bug fixes and security enhancements. See Okta MFA Credential Provider for Windows version history.

Okta LDAP agent, version 5.23.0

This version of the agent includes security enhancements.

Updated Japanese translations

The Admin Dashboard, Administrator pages, and Admin Console search now provide updated Japanese translations.

MyAccount Management scopes

The MyAccount Management scopes have been updated to non-system scopes and are now configurable by admins. See Create API access scopes.

Identity Security Posture Management functionality in the OIN catalog

The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.

New default settings for Okta sessions and idle time in default Okta sign-on policy rules

The maximum Okta session lifetime is now one day (24 hours) in the default Okta sign-on policy rule. See Configure an Okta sign-on policy.

Step-up authentication for updating policies

Okta prompts for step-up authentication when admins perform protected actions in the Admin Console, like updating sign-on policies. The changes are only allowed after the admin authenticates successfully. This feature enhances org security by allowing admins to require MFA before performing protected actions. See Protected actions in the Admin Console.

IP Exempt Zone

Use this feature to allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations or blocked network zones. See IP exempt zone.

Early Access

Entitlement support for disconnected apps

Disconnected apps are apps that aren't LCM integrated within Okta. This feature allows you to use CSV files to import users and entitlements into Okta from disconnected apps. This enables consistent governance and compliance across all apps, including those not fully integrated with Okta. See Import user entitlements from CSV.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

App Switcher for Okta first-party apps

The End-User Dashboard, Admin Console, and Workflows Console now have an App Switcher that helps admins quickly navigate between their assigned Okta apps. Note that you must enable the Unified look and feel for Okta Admin Console and Unified look and feel for Okta Dashboard Early Access features for the App Switcher to appear.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New System Log event

The policy.evaluate_sign_on event has a new DebugData item: IdpVerifiedFactorMode. This new item indicates whether a user authenticated with one or two factors with their identity provider when they signed in through a service provider. See System Log.

Enhancement to a System Log event

The IdpVerifiedFactorMode item has been added to the policy.evaluate_sign_on event. It appears when claims sharing is enabled in the org and indicates whether the identity provider verified the user's authentication factors. See System Log.

New attributes in Universal Sync

The following attributes are now supported in Universal Sync: AuthOrig, DLMemRejectPerms, DLMemSubmitPerms, and UnauthOrig.

Okta-to-Okta claims sharing enhancement

Okta-to-Okta claims sharing now supports the use of the smart card authenticator and Active Directory for Single Sign-On. This removes the need for users to authenticate with a service provider when they've already authenticated to an Okta org. See Add a SAML Identity Provider.

Fixes

  • Some certificates with trailing characters were uploaded successfully despite their invalid format. (OKTA-486406)

  • The consent buttons for the Office 365 and Office 365 GCC High apps didn't render correctly. (OKTA-488281)

  • The Microsoft Office 365 Government - GCC High app integration didn't have the correct metadata tags. (OKTA-509443)

  • Users weren't automatically confirmed when the inline hook updated conflicting appuser values during import. (OKTA-792372)

  • An invalid authentication error sometimes occurred when an admin assigned users to the ShareFile app. (OKTA-850064)

  • Emails intended for an unverified primary or secondary email were dropped when the Audience setting for the template was Admin only. (OKTA-852156)

  • When the Send all admin emails as BCC notification setting was selected, all email recipients were sent to the To field instead of the BCC field for protected actions. (OKTA-856627)

  • Some pages in the End-User Dashboard had a typo in the footer. (OKTA-877065)

  • The Entitlement SAML Assertions and OIDC Claims feature wasn't available in the Settings > Features menu for some customers. (OKTA-880967)

  • An error occurred in the Okta Provisioning Agent when trying to import users from on-premises apps through CSV files. (OKTA-880996)

  • Access requests for admin role bundles weren't processed properly. (OKTA-892613)

Okta Integration Network

  • Better Stack (SCIM) is now available.
  • Employment Hero by Aquera (SCIM) is now available.
  • Harriet (OIDC) is now available.
  • Harriet (SCIM) is now available.
  • HYCU R-Cloud (OIDC) is now available.
  • Kyriba By Aquera (SCIM) is now available.
  • MySQL by Aquera (SCIM) is now available.
  • ZAMP (SCIM) is now available.
  • Zoom (SAML) has updated endpoints.

Weekly Updates

2025.03.1: Update 1 started deployment on March 12

Generally Available

Sign-In Widget 7.18 for Same-Device Enrollment

If you use the Same-Device Enrollment feature in your org, the Sign-In Widget version must be 7.18 or later.

Fixes

  • createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)

  • Some issues occurred during the creation of Devices Assurance settings. (OKTA-603807)

  • Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter. (OKTA-801592)

  • In some orgs, unnecessary writebacks were made to Workday when a sync was performed from Okta. (OKTA-817160)

  • Users who were excluded from a group rule were displayed incorrectly in the Admin Console. (OKTA-838039)

  • The System Log displayed two usernames in the user.authentication.auth_via_social event when a user signed in to Okta with an identity provider in the same browser as a user who was already signed in. (OKTA-842179)

  • Users authenticating to Microsoft Office 365 on macOS were matched to a rule with a Modern Authentication condition only when using the Edge browser. (OKTA-847605)

  • Admins who were assigned the super admin role through group assignments couldn't run password hash exports or view the reports. (OKTA-851991)

  • The MFA enrollment by user report displayed inaccurate figures for the security question factor. (OKTA-858427)

  • Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)

  • When the Unified look and feel for Okta Admin Console feature was enabled, the Settings and Features pages didn't render correctly in the Safari browser. (OKTA-884821)

  • Some users weren't able to sign in with Okta Mobile on iOS devices. (OKTA-892669)

  • Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)

Okta Integration Network

  • Better Stack (SAML) has a new integration guide.
  • Bundle by freee (SCIM) is now available.
  • Chargebee (SAML) has a new integration guide.
  • Chargebee (SCIM) is now available.
  • Lobbipad (SCIM) has updated help text.
  • Marfeel (OIDC) is now available.
  • Oracle Cloud Applications by Aquera (SCIM) is now available.

2025.03.2: Update 2 started deployment on March 19

Generally Available

Fixes

  • createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)

  • Workday imports sometimes failed when the number of parameters sent in a query exceeded the maximum. (OKTA-819984)

  • Authentication was interrupted or prevented in legacy embedded browsers due to a DNS issue. (OKTA-845120)

  • Changes to the manager attribute in Workday were only reflected in Okta after a full import. (OKTA-846352)

  • The MobilePhone target (the user phone number) wasn't present in the System Log when a telephony inline hook was used. (OKTA-849440)

  • The View Client Credentials permission didn't appear when the App settings for custom admin roles feature was enabled. (OKTA-851994)

  • AWS account federation with SWA was incompatible with the new AWS sign in page. (OKTA-856995)

  • When the Enable Sync Account Information setting was disabled for a custom domain, login.okta.com still loaded iframes. (OKTA-865098)

  • In Dynamic Zones, some IPs were classified incorrectly as anonymous proxies because of a misconfiguration by a third-party provider. (OKTA-867976)

  • Admins couldn't increase the global session policy maximum idle time if they set it to a longer duration than the previously saved maximum session time. (OKTA-891348)

Okta Integration Network

  • Attribute Dashboard (OIDC) is now available.
  • Balsamiq (SAML) has a new app name, icon, and integration guide.
  • bob (SCIM, SAML) now supports sandbox environments.
  • Drata (OIDC) has a new icon.
  • Mighty ID (OIDC) is now available.
  • Salesloft (SAML) is now available.
  • Salesloft (SCIM) is now available.

2025.03.3: Update 3 started deployment on March 26

Fixes

  • The wrong data appeared in the debug data field of the policy.rule.update System Log event. (OKTA-846160)

  • Sometimes, Google Workspace licenses couldn't be edited. (OKTA-892397)

  • Admins couldn't create or edit third-party identity providers in orgs with Okta-to-Okta claims sharing enabled. (OKTA-893483)

  • Admins whose role had permission conditions couldn't search for users by first or last name. (OKTA-894392)

  • Some text was misaligned on the Password Policy > Add rule page. (OKTA-897943)

Okta Integration Network

  • Akitra (OIDC) is now available.
  • AppsFlyer By Aquera (SCIM) is now available.
  • Braintree (SAML) is now available.
  • Braintree (SCIM) is now available.
  • ContentHubGPT (SAML) is now available.
  • HRBrain (SAML) is now available.
  • HRBrain (SCIM) is now available.
  • Speeda Business Insights (OIDC) is now available.
  • Speeda Startup Insights (OIDC) is now available.

Version: 2025.02.0

New look and feel in Access Certifications

In Access Certifications, the Access Certification Reviews app located on your dashboard now has a new look and feel, including a restyled top navigation bar and the addition of a gray background.

New System Log attributes

The PolicyName field was added to the policy.evaluate_sign_on System Log event. This change makes it easier for admins to identify the policy that was involved in user sign-in attempts.

Updated Features page description

The Features page now provides updated information about Okta's Privacy Policy and Free Trial Services.

Discover inactive users and review admin access

You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Access Certifications for admin roles.

Case numbers for impersonation events

When an org grants impersonation for a support case, the case number now appears in the System Log. See Give access to Okta Support.

System Log event for public client app admins

When an admin selects the Automatically assign the super admin role to all newly created public client apps checkbox on the Account page, the System Log now records an event.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Workday.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is now enabled by default for all orgs.

New browser tab reactivation behavior for the Sign-In Widget

The Sign-In Widget now avoids a full page refresh on custom domains when an inactive tab is reactivated. This change improves compatibility with browser memory saver features. This feature will be gradually made available to all orgs.

Sign in with duplicated email authenticators

Previously, users couldn't sign in if they had the same email enrolled twice as an authenticator. This change checks the status of each email authenticator and allows the user to sign in with the most suitable email authenticator.

Content security policy enforcement on end-user pages

Content Security Policy is now enforced for end-user pages in orgs with custom domains. Content Security Policy headers help detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Future iterations of the Content Security Policy enforcement for end-user pages will become stricter than this first release. This feature will be gradually made available to all orgs.

Okta ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints (OpenID Connect & OAuth 2.0, Okta Management, and MyAccount API). Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org.

Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints.

There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected entry now provides a descriptive reason for the event. See System Log.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org. See Monitor your apps.

Toggle password visibility on the Okta Sign-In page

End users can now toggle visibility of their password on the Sign-In Widget, allowing them to check their password before they click Sign In. Note that passwords are visible for 30 seconds and then hidden automatically. See Authentication. See Enable delegated authentication for LDAP.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Federation Broker Mode

The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps. See Manage Federation Broker Mode.

User Import Scheduling

When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature. See Edit app provisioning settings.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy. See Office 365 sign-on rules options.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices. See Configure Device Authorization.
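The exchange behind this grant type (RFC 8628), shown as an added example that is not Okta's code: an input-constrained device polls the token endpoint while the user approves on a second device, and the device handles the pending, slow-down, denial, and expiry responses. The in-memory server, the `tv-app` client ID, the verification URI, and all function names are assumptions made for illustration, and time is simulated so the example runs offline.

```python
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628

class FakeAuthServer:
    """Hypothetical in-memory authorization server; not an Okta API."""

    def __init__(self, expires_in=60, interval=5):
        self.expires_in, self.interval = expires_in, interval
        self.pending = {}  # device_code -> per-request state

    def device_authorize(self, client_id, now):
        device_code = secrets.token_urlsafe(32)   # secret, stays on the device
        user_code = secrets.token_hex(4).upper()  # short code the user types
        self.pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "decision": None,
            "expires_at": now + self.expires_in,
            "last_poll": None, "interval": self.interval}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example.test/activate",
                "expires_in": self.expires_in, "interval": self.interval}

    def user_decides(self, user_code, approve, at):
        """The user signs in on a laptop or phone at time `at` and decides."""
        for state in self.pending.values():
            if state["user_code"] == user_code:
                state["decision"] = (at, approve)

    def token(self, grant_type, device_code, client_id, now):
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        too_fast = (state["last_poll"] is not None
                    and now - state["last_poll"] < state["interval"])
        state["last_poll"] = now
        if too_fast:
            state["interval"] += 5  # RFC 8628: each slow_down adds 5 seconds
            return {"error": "slow_down"}
        decision = state["decision"]
        if decision is None or now < decision[0]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device_code is single use
        if not decision[1]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def poll_for_token(server, client_id, grant, clock):
    """Device-side loop; `clock` is a one-item list of simulated seconds."""
    interval, polls = grant["interval"], 0
    while True:
        clock[0] += interval  # stands in for time.sleep(interval)
        polls += 1
        resp = server.token(GRANT_TYPE, grant["device_code"], client_id, clock[0])
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp, polls  # a token, or a terminal error to show the user

def run_flow(approve_at=None, approve=True, expires_in=60):
    """Constructed scenario: a TV app asks, the user may decide at `approve_at`."""
    server, clock = FakeAuthServer(expires_in=expires_in), [0]
    grant = server.device_authorize("tv-app", clock[0])
    if approve_at is not None:
        server.user_decides(grant["user_code"], approve, at=approve_at)
    return poll_for_token(server, "tv-app", grant, clock)

if __name__ == "__main__":
    print(run_flow(approve_at=12))
```

The short lifetime and single-use handling of `device_code` are what limit the window in which a leaked or phished code is useful, so they are worth checking when reviewing a device-flow integration.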

Null values for SCIM provisioning

Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management. See Manage profiles.

Manage admin email notification subscriptions using API endpoints

Admins can manage email subscriptions using the Admin Email Subscription API endpoints.

  • Super admins can configure default subscription settings by admin type.

  • All admins can manage their own admin email notification subscriptions.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later.

See Enforce Okta Device Trust for managed Windows computers and Device Trust for Windows Desktop Registration Task Version History.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

Mobile tab available for mobile-capable apps

The Mobile tab available in the Okta Admin Console for mobile-capable OIN apps allows you to publish mobile applications to an App Store and deploy them to your end users.

Provisioning page UI element change

Drop-down menus on the Provisioning page (General Settings) were standardized.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision apps.

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premises LDAP server. In addition, the LDAP Interface supports other LDAP functions like search. See Set up and manage the LDAP Interface.