Okta Classic Engine release notes (Production)

Version: 2025.12.0

December 2025

Generally Available

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:

  • The maxItemsPerPage is now configurable to meet your specific requirements.
  • Memory optimizations and other minor improvements.

Allow profile updates for deactivated users

Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.

Okta LDAP agent, version 5.25.0

This version of the agent includes security enhancements.

Nonce rollout for Content Security Policy

Okta is removing unsafe-eval from the script-src directive of Content-Security-Policy for every endpoint that returns html content. These are endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the Content-Security-Policy-Report-Only header's script-src directive; later, after any violations of unsafe-eval instances are fixed, unsafe-eval is removed from the Content-Security-Policy response header script-src directive.

This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.

Changes to preview user functionality

On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

OAuth grant type options for custom apps

Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.

Improved realm picker access

The realm picker now automatically filters to display up to five realms that only an admin can access.

System Log updates for security.request.blocked events

When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.

Delegated flow updates

Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.

Early Access

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Governance for Workflows now available in EA

You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Enable custom admin roles for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Fixes

  • Imports sometimes failed during the user match stage. This happened because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)

  • Group push sometimes failed during deployments. (OKTA-941489)

  • The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)

  • When admins created a linked group, no description was displayed. (OKTA-996729)

  • When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)

  • A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)

  • The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)

  • Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)

  • When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)

  • Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)

  • DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)

  • The state of the Include Groups in RADIUS response checkbox didn't update correctly when Radius agents were configured to send multiple group response attributes. (OKTA-1060165)

  • There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

Okta Integration Network

  • Svix (OIDC) is now available. Learn more.

  • OpenPolicy (SCIM) is now available. Learn more.

  • Coalition Control has a new integration guide.

  • Practising Law Institute (SWA) was updated. (OKTA-1063963)

  • Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.

  • Svix now supports Universal Logout.

  • Harmony SASE (SCIM) has been updated with new regions.

Version: 2025.11.0

November 2025

Generally Available

Manage agents permission granted to certain roles

Custom admin roles with the View application and their details permission now have the View agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.

New System Log event for AD agent changes

The System Log event system.agent.ad.config.change.detected reports when Okta support modified an AD agent configuration.

Custom domains and certificates

Okta now supports the use of SHA 384 and SHA 512 signed certificates for custom domains. See Configure a custom domain.

Okta Active Directory agent, version 3.22.0

This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.

Network restrictions for OIDC token endpoints is GA in Production

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Changes to the Okta Sign-In Widget UI

The Okta Sign-In Widget (first and second generation) now uses the native Select component for dropdown elements. These UI elements have a new appearance, and the dropdown search functionality is no longer available.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Enhanced security for Okta Access Requests web app

The Okta Access Requests web app now performs policy evaluations before granting new access tokens.

Early Access

Submit entitlement management integrations

Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.

Fixes

  • The Authentication of user via MFA System Log event didn't display the IP address and client information. (OKTA-979214)

  • AD password resets sometimes failed with an exception. (OKTA-1004233)

  • When interacting with the Access Request web app using Safari browser, users couldn't tag another user with @ in the request's chat. (OKTA-1005685)

  • Deleted request types sometimes reappeared if the org had the Unified Requester Experience feature enabled. (OKTA-1040545)

  • When the LDAP agent installer successfully registered the agent but the installation failed, the agent incorrectly appeared as operational. (OKTA-1045661)

Okta Integration Network

  • Harmony now has the okta.users.manage, okta.groups.read, and okta.groups.manage scopes.

  • Valos (OIDC) has a new redirect URI. Learn more.

  • Chronicle of Higher Education (SWA) was updated.

  • 1VALET (SAML) has updated attribute statements.

  • Fabrix Smart Actions (API Service) now has the okta.groups.manage scope.

  • Boston Properties (SWA) was updated.

  • Holistiplan SSO (SAML) is now available. Learn more.

  • Mimecast Human Risk Integration (API Service) is now available. Learn more.

  • Aglide (SAML) is now available. Learn more.

  • Aglide (SCIM) is now available. Learn more.

  • SmarterSign Digital Signage (OIDC) is now available. Learn more.

  • SmarterSign Digital Signage (SCIM) is now available. Learn more.

Weekly Updates

2025.11.1: Update 1 started deployment on November 13

Generally Available

Partner Admin Portal App Switcher

In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.

Fixes

  • Okta authentication requests for some orgs resulted in high latency and database CPU spikes when a user's email address in the request started with a space. (OKTA-627502)

  • Users @mentioned in an access request Slack thread didn't receive a notification unless they were already a follower of the request. (OKTA-1053390)

  • The Edit resource set page didn't load if the resource set included a deleted resource. (OKTA-1030613)

  • When an AD integration had DirSync enabled, the user's manager and Group owners didn't get updated during an incremental import. (OKTA-1047146)

Okta Integration Network

  • Ziflow has a new icon.

  • Valence (SAML) was updated.

  • Extreme Platform ONE Security API Service (API Service Integration) is now available. Learn more.

  • Clever (District Administrator Login) (SWA) was updated.

  • DynaMed (SAML) is now available. Learn more.

  • Intercom now supports Group Push.

2025.11.2: Update 2 started deployment on December 2

Fixes

  • An error was returned if the cursor type for Stored Procedures wasn't REFCURSOR. (OKTA-1048452)

Okta Integration Network

  • LegalOn (Japan) (SAML) was updated.

  • Lyster (OIDC) is now available. Learn more.

  • Canva (SWA) was updated.

  • Rubrik Security Cloud (API Service Integration) is now available. Learn more.

  • Veraproof SSO (OIDC) is now available. Learn more.

  • Lumen5 (SAML) is now available. Learn more.

  • Cloudflare One (OIDC) is now available. Learn more.

2025.11.3: Update 3 started deployment on December 8

Fixes

  • An error was returned if the cursor type for Stored Procedures wasn't REFCURSOR. (OKTA-1048452)

Okta Integration Network

  • LegalOn (Japan) (SAML) was updated.

  • Lyster (OIDC) is now available. Learn more.

  • Canva (SWA) was updated.

  • Rubrik Security Cloud (API Service Integration) is now available. Learn more.

  • Veraproof SSO (OIDC) is now available. Learn more.

  • Lumen5 (SAML) is now available. Learn more.

  • Cloudflare One (OIDC) is now available. Learn more.

Version: 2025.10.0

October 2025

Generally Available

Okta Active Directory Password Sync agent, version 1.7.0

This version of the agent includes security enhancements.

New look and feel for delegated flows

On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.

Euskara (Basque) language translations for end users

In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.

New VPN service for enhanced dynamic zones

The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.

Error message update

The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.

Create user permission conditions

You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. This update strictly enforces that admins must have explicit Create user permissions for a specific group to perform this action. See Permission conditions.

User status in Okta Expression Language

You can now reference User Status in the Okta expression language. Group Rules can leverage user statuses to drive group membership.

SharePoint On-Premises integration supports SHA-256

SharePoint integrations (WS-Fed) now use SHA-256 for signing the authentication token.

Group Push Linking for Microsoft Office 365

The Group Push feature in the Microsoft Office 365 integration has been enhanced to link existing Okta groups with existing Entra groups.

This change establishes Okta as the single source of truth for group membership. Once linked, the membership changes made in Okta are pushed automatically, ensuring consistency and seamless access control.

Supporting additional attributes in O365's Universal Sync provisioning

To enable seamless access to Kerberos resources through Windows Hello for Business and to help you manage data based on geographies, Okta now supports four additional attributes in O365's Universal Sync provisioning.

  • onPremisesSamAccountName
  • onPremisesDomainName
  • onPremisesUserPrincipalName
  • PreferredDataLocation

Okta Integration IdP type

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration identity provider.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Early Access

Fixes

  • Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)

  • Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)

  • SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)

  • In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)

  • In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)

Okta Integration Network

  • Paychex Online was updated.

  • Ravenna is now available (API Service Integration). Learn more.

  • zkipster was updated.

Doc Updates

Okta Aerial documentation

Documentation for Okta Aerial has been added to Okta Documentation with the following updates:

  • Aerial card added to the home page.
  • Aerial option added to Documentation dropdown list.
  • Aerial release notes added to Release notes dropdown list.

Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.

Weekly Updates

2025.10.1: Update 1 started deployment on October 13

Generally Available

Recent searches displayed in search field

Now when you select the Admin Console search field, a list of your recent searches appears. This helps you quickly find the users, apps, and groups that you frequently search for.

New IP service categories supported

There are new IP service categories for network zones supported by Okta. See Supported IP service categories for a complete list.

Fixes

  • When users accessed the Microsoft ADFS app and authenticated with Okta Verify, the System Log didn't show the app name in the Targets column. (OKTA-906244)

  • The System Log didn't display failed authentication attempts when they were initiated from SAML apps with external IdPs. (OKTA-1014150)

  • In orgs with JIT enabled, staged Active Directory (AD) users were prompted to change their password even it wasn't required by their org's AD password policy. (OKTA-1020693)

  • Sometimes multiple duplicate group.user_membership.remove System Log events were fired when a user was removed from a group. (OKTA-1031604)

  • When the AD DirSync feature was enabled but not configured, AD group membership removals weren't reflected in Okta following an incremental import. (OKTA-1040614)

Okta Integration Network

  • Exaforce has a new integration guide and additional use cases.

  • Ravenna is now available (API Service Integration). Learn more.

  • Grafana Labs is now available. Learn more.

  • Realty.com Portal (OIDC) is now available. Learn more.

  • Realty.com Portal (SCIM) is now available. Learn more.

2025.10.2: Update 2 started deployment on November 3

Generally Available

Okta Provisioning agent, version 3.0.5

Okta Provisioning agent 3.0.5 is available. The httpConnectionTimeoutInMs and httpSocketTimeoutInMs properties are now configurable to meet your specific requirements.

New IP service categories

PLAINPROXIES_PROXY, FINE_VPN and URBAN_VPN are now supported as IP service categories in enhanced dynamic zones. See Supported IP service categories for a complete list.

Fixes

  • When token encryption was enabled for an app or authorization server, the System Log didn't record when a token was successfully minted. (OKTA-954232)

  • User sync to O365 failed if the Usage location was updated after the license was assigned. (OKTA-1017269)

  • Users' metadata wasn't updated after they authenticated through AD delegated authentication. (OKTA-1031477)

  • The LegacyIPZone wasn't saved if gateway IPs and trusted proxy IPs were empty. (OKTA-1032603)

  • Some UI elements on the Identity Providers page weren't in the correct location. (OKTA-904304)

  • In Workflows, the Okta Connector app didn't display a list of available connector actions. (OKTA-946866)

  • The Add Resource dialog didn't display resources that had three or fewer characters. (OKTA-1030065)

  • When admins tried to add new values to the attributes in a user profile, the system failed to save the changes. (OKTA-1037440)

Okta Integration Network

  • IdentiGuard (API Service Integration) is now available. Learn more.

  • ChatFin (OIDC) is now available. Learn more.

  • Rowan Security (OIDC) is now available. Learn more.

  • Biome SCIM (SCIM) is now available. Learn more.

  • Qualified.io (SCIM) is now available. Learn more.

  • Meraki was updated.

  • Qualified.io (SAML) has a new icon and integration guide. Learn more.

  • Exaforce has a new integration guide and additional use cases.

  • Ariba Network (SWA) was updated.