Okta Classic Engine release notes (Production)

Version: 2026.06.0

Salesforce provisioning support for PKCE

The Salesforce app integration now supports Proof Key for Code Exchange (PKCE) for OAuth 2.0 flows. This update ensures uninterrupted user provisioning and requires admins to update their Salesforce configuration to maintain service continuity.

Improved network zone error messages

The error message that appears when admins try to delete a network zone that's referenced by multiple policies or rules is now easier to read.

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Navigation label update for integration agents

The Agents label in the Admin Console has been renamed to Integration agents to provide a more intuitive experience. A dismissible link to the AI Agents page is also available on the Integration agents page to improve navigation.

Improved request details layout

The request details page now features an optimized layout for small screens to improve readability.

Seamless ISV experience for SCIM

Okta now provides a seamless ISV experience to optimize the [Okta Integration Network (OIN)] submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See [Publish an OIN integration overview] and [Submit an integration with the OIN Wizard] guide.

Links: 1. https://www.okta.com/integrations/ 2. https://developer.okta.com/docs/guides/submit-app-overview/ 3. https://developer.okta.com/docs/guides/submit-oin-app/scim/main/

SAP SuccessFactors OAuth 2.0 with SAML Assertion

The SAP SuccessFactors app integration now supports OAuth 2.0 with SAML Assertion for enhanced API security. To ensure your provisioning and sync processes continue without interruption, you must migrate to this new authentication method before SAP Basic Authentication deletion deadline on November 20, 2026. See Configure OAuth 2.0 with SAML for SAP SuccessFactors.

New System Log events for privileged access database integrations

Two new System Log events, pam.integration.create and pam.integration.delete, are now available for Okta Privileged Access database management. This enhancement allows admins to track when database integrations are created or deleted. See System Log.

• App integrations didn't populate user credentials for subdomains that used the /auth/v3/signin endpoint, preventing users from signing in to the app. (OKTA-1074055)

• Okta Expression Language expressions with array attributes didn't always behave as expected. (OKTA-1166566)

• The application.lifecycle.update System Log event didn't populate the changeDetails field when admins updated Active Directory app settings. (OKTA-1178325)

• Iden (API Service) has a new scope.

• Fleetclear (OIDC) is now available. Learn more.

• Dell PowerProtect Backup Services (API Service) is now available. Learn more.

• Kirin (SAML) is now available. Learn more.

Provisioning for Rapid7 InsightAppSec

Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.

• For a specific Active Directory integration, scheduled and manual incremental imports failed intermittently in Preview environments. This issue occurred after admins resumed a previously halted import block. (OKTA-1135003)

• During Group Push operations, Okta unexpectedly provisioned a non-Active Directory user into a target Active Directory group. (OKTA-1147204)

• When admins edited a custom admin role that included delegated flow Workflows permissions, Okta incorrectly prompted them to repeat step-up authentication. This issue blocked the changes and displayed a protected-action message. (OKTA-1169760)

• During Group Push operations, updates sometimes failed with an error message when the system processed group memberships. This issue caused synchronization to fail intermittently for specific push groups. (OKTA-1181698)

• Group Push operations to Jamf Pro sometimes failed. (OKTA-1183535)

• CodeSignal (SAML) is now available. Learn more.

• CodeSignal (SCIM) is now available. Learn more.

• Dell Power Protect Backup Services powered by Druva has the okta.deviceAssurance.manage and okta.behaviors.manage scopes.

• Kirin (SAML) is now available. Learn more.

• Mabyduck (OIDC) is now available. Learn more.

• Mabyduck now supports Universal Logout.

• Ocozzio Marketing Center (SAML) is now available. Learn more.

• Ocozzio Marketing Center (SCIM) is now available. Learn more.

• Risotto (SAML) is now available. Learn more.

• StackAdapt (SCIM) is now available. Learn more.

• X (Twitter) (SWA) was updated.