Okta Classic Engine release notes (Production)

Version: 2026.01.0

January 2026

Generally Available

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

New look and feel in the Access Requests email notifications

The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

Escalate tasks is generally available in Production environments

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

OAuth 2.0 scopes automatically assigned to API integrations

Now when you add an API integration to your org, Okta automatically assigns the required OAuth 2.0 scopes to the app.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

  • The View Setup Instructions button has been relocated to optimize the visual layout.
  • A new display option has been added to visualize parent and child domain relationships.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Early Access

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Fixes

  • The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)

  • In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)

  • Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)

  • In some orgs, resource access policy rules didn't take effect immediately after being updated. (OKTA-1071402)

  • Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)

  • When an admin provisioned an LDAP user with an LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)

  • JIT users were redirected to an SP before app assignments were completed, causing an access denied error. (OKTA-1061698)

  • In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)

  • Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)

  • In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

Okta Integration Network

  • Dokio (SCIM) is now available. Learn more.

  • Kuranosuke (SAML) is now available. Learn more.

  • LINE WORKS (SCIM) is now available. Learn more.

  • SciLeads Portal (OIDC) is now available. Learn more.

  • SciLeads Portal (SCIM) is now available. Learn more.

  • ShareCal (SCIM) is now available. Learn more.

  • ShareCal (SAML) was updated with a new logo.

  • Humana Military (SWA) was updated.

  • Xint (OIDC) added a new IdP flow.

  • cmBuilder (OIDC) has a new Redirect URI and a new Post Logout Redirect URI. Learn more.

  • Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

Weekly Updates

2026.01.1: Update 1 started deployment on January 20

Generally Available

New IP service category

FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)

  • When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)

  • When an admin updated the agent pool, an error occurred if the agentType was missing. (OKTA-1071106)

  • When an admin reactivated a user through an Active Directory import, the System Log didn't record the event. (OKTA-1071233)

  • When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)

  • For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI.

Okta Integration Network

  • Seismic (SCIM) is now available. Learn more.

  • OX Security (OIDC) is now available. Learn more.

  • Skedda (SCIM) is now available. Learn more.

  • Jotform (SCIM) is now available. Learn more.

  • Planhat (SCIM) is now available. Learn more.

  • Safety AZ (OIDC) is now available. Learn more.

  • Exabeam (SAML) is now available. Learn more.

  • 101domain (OIDC) is now available. Learn more.

  • OX Security (OIDC) now supports Universal Logout.

  • Skedda (SAML) has a new description, icon, and configuration guide.

  • Obsidian Security (SAML) has a new configuration guide, attribute, and app description.

  • Planhat (SAML) has a new integration guide.

  • Exaforce (API Service) now has the okta.idps.read scope.

  • Seismic (SAML) has a new logo, app description, and configuration guide.

  • BridgeBank Business eBanking (SWA) was updated.

  • Humana Military (SWA) was updated.

  • Jotform (SAML) was updated.

  • Scalefusion OneIdP (SCIM) was updated.

Version: 2025.12.0

December 2025

Generally Available

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 3.0.6 and Okta Provisioning agent SDK 3.0.6 are now available. This release contains the following:

  • The maxItemsPerPage is now configurable to meet your specific requirements.
  • Memory optimizations and other minor improvements.

Allow profile updates for deactivated users

Super admins can now choose to allow updates to profile attribute values for deactivated users, ensuring their profiles remain current. See Edit deactivated user profiles.

Okta LDAP agent, version 5.25.0

This version of the agent includes security enhancements.

Nonce rollout for Content Security Policy

Okta is removing unsafe-eval from the script-src directive of Content-Security-Policy for every endpoint that returns HTML content. These are endpoints that you can't customize and whose Content-Type response header is text/html. This is a two-stage process: first, unsafe-eval is removed from the script-src directive of the Content-Security-Policy-Report-Only header; later, after any unsafe-eval violations are fixed, unsafe-eval is removed from the script-src directive of the Content-Security-Policy response header.

This update will be gradually applied over several months, until all endpoints enforce the new Content-Security-Policy, which means this change will span several releases.
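
To track where a given endpoint sits in this two-stage rollout, the headers of a response can be classified as follows. This is an added example, not Okta code; the function names, stage labels, and sample header values are assumptions constructed for illustration, and it also honors the standard CSP fallback from script-src to default-src.

```python
"""Added example: classify an endpoint's stage in the unsafe-eval removal."""

ENFORCED = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_policies(header_value):
    """Return one {directive: [sources]} dict per comma-separated policy."""
    policies = []
    for raw_policy in header_value.split(","):
        directives = {}
        for raw_directive in raw_policy.split(";"):
            tokens = raw_directive.split()
            if tokens:
                # Directive names are case-insensitive; a repeated
                # directive is ignored, so the first occurrence wins.
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies


def eval_allowed(header_value):
    """None if the header is absent, else whether eval() is permitted."""
    if header_value is None:
        return None
    for policy in parse_policies(header_value):
        # script-src falls back to default-src when it is not present.
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            continue  # this policy places no restriction on scripts
        if "'unsafe-eval'" not in [s.lower() for s in sources]:
            return False  # every policy must allow it; one refusal decides
    return True


def rollout_stage(headers):
    """Map response headers to: out-of-scope, not-started, report-only, enforced."""
    h = {name.lower(): value for name, value in headers.items()}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/html":
        return "out-of-scope"  # the change targets text/html responses only
    if eval_allowed(h.get(ENFORCED)) is False:
        return "enforced"  # stage 2: enforced header no longer allows eval
    if eval_allowed(h.get(REPORT_ONLY)) is False:
        return "report-only"  # stage 1: violations are reported, not blocked
    return "not-started"


# Constructed sample responses (header values are illustrative, not captured).
WITH_EVAL = "script-src 'self' 'nonce-r4nd0m' 'unsafe-eval'; object-src 'none'"
WITHOUT_EVAL = "script-src 'self' 'nonce-r4nd0m'; object-src 'none'"
SAMPLES = {
    "before": {"Content-Type": "text/html; charset=utf-8",
               "Content-Security-Policy": WITH_EVAL},
    "stage1": {"Content-Type": "text/html",
               "Content-Security-Policy": WITH_EVAL,
               "Content-Security-Policy-Report-Only": WITHOUT_EVAL},
    "stage2": {"content-type": "text/html",
               "content-security-policy": WITHOUT_EVAL},
    "api": {"Content-Type": "application/json",
            "Content-Security-Policy": WITHOUT_EVAL},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name}: {rollout_stage(headers)}")
```

An endpoint that reports "report-only" is the one to watch: any integration that still depends on eval() there will generate violation reports now and break once the endpoint moves to "enforced".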

Changes to preview user functionality

On the User page of the campaign wizard, Preview user is now called Preview expression scope. When you preview a user, Okta only validates the user against the Okta Expression Language expression that you specified. A user who matches the expression but isn't assigned to a resource in the campaign won't be included in the campaign.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Support for Microsoft 365 GCC environment

Okta now supports the Microsoft Office 365 Government Community Cloud (GCC) environment. You can now use the Microsoft Office 365 app to configure Single Sign-On and provisioning for GCC tenants.

Enhanced import monitoring with real-time updates

You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.

OAuth grant type options for custom apps

Now when you configure SCIM provisioning for a custom SWA or SAML app with OAuth 2, you can set the grant type to Authorization code or Client credentials. See Add SCIM provisioning to app integrations.

Enhanced provisioning support for Office 365 Entitlement Management

When Entitlement Management is enabled for the Office 365 app, you can now use all four provisioning options: licenses/role management, profile sync, user sync, and universal sync.

Improved realm picker access

The realm picker now automatically filters to display up to five realms that only an admin can access.

System Log updates for security.request.blocked events

When security.request.blocked events are triggered by dynamic or enhanced dynamic network zones, the System Log now populates the client.zone field.

Delegated flow updates

Delegated flows now include a Caller input field. This allows you to pass more information to a flow that was called from another Okta product. For example, the requestID from Access Requests is now passed to the delegated flow. See Build a delegated flow.

Early Access

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Governance for Workflows now available in EA

You can now use Okta Identity Governance to manage access to Workflows roles. This helps you ensure that access to Workflows is granted consistently and in compliance with your company's requirements. See Governance for Workflows.

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Enable custom admin roles for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Fixes

  • Imports sometimes failed during the user match stage. This happened because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)

  • Group push sometimes failed during deployments. (OKTA-941489)

  • The SCIM 2.0 User update operation sent an empty object when multi-value roles were configured and one of the roles or attributes was undefined or null for the user. (OKTA-945579)

  • When admins created a linked group, no description was displayed. (OKTA-996729)

  • When an import exceeded the app unassignment limit, the Learn More link resulted in an error. Additionally, the App assignment removal limit link incorrectly redirected to the main Assignments tab instead of the Import Safeguard configuration settings. (OKTA-1010606)

  • A misleading error appeared in the System Log when admins selected Refresh Application Data for CSV Directory integrations. The system attempted to download unsupported custom objects, generating an error even though the import completed successfully. (OKTA-1011439)

  • The MFA Enrollment by User report displayed an "Unexpected response" error when loading the Enrollment by Authenticator Type dynamic chart. (OKTA-1030846)

  • Users with a custom admin role were unable to confirm assignments in Active Directory. (OKTA-1034364)

  • When configuring OIDC identity providers in the Admin Console, admins couldn't set the issuerMode property because it was missing. (OKTA-1035016)

  • Active Directory imports failed with an Incorrect result size error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • Sometimes, clicking Retry Selected to retry information tasks incorrectly resulted in a failure. (OKTA-1043901)

  • DirSync jobs continued to be scheduled for Office 365 instances even after provisioning was disabled. (OKTA-1059506)

  • The state of the Include Groups in RADIUS response checkbox didn't update correctly when RADIUS agents were configured to send multiple group response attributes. (OKTA-1060165)

  • There were several alignment issues on the user profile > Admin roles tab and throughout the Administrators pages. (OKTA-1061753)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

Okta Integration Network

  • Svix (OIDC) is now available. Learn more.

  • OpenPolicy (SCIM) is now available. Learn more.

  • Coalition Control has a new integration guide.

  • Practising Law Institute (SWA) was updated. (OKTA-1063963)

  • Clearout.io (OIDC) has updated use cases and a new Initiate login URI. Learn more.

  • Svix now supports Universal Logout.

  • Harmony SASE (SCIM) has been updated with new regions.

Weekly Updates

2025.12.1: Update 1 started deployment on January 5

Generally Available

Event hooks for app provisioning and imported changes events

You can now use event hooks for the Okta events that provision app users and import changes from apps. The following events are now event hook eligible:

  • application.provision.user.push_profile
  • application.provision.user.push
  • application.provision.user.reactivate
  • application.provision.user.import_profile
  • app.user_management.user_group_import.upsert_success

See Event Types.

Fixes

  • Imports sometimes failed during the user match stage because internal transactions were unable to acquire the necessary database locks. (OKTA-868327)

  • Attempts to build the Okta Provisioning Connector SDK (version 02.04.00) example server failed with a dependency resolution error. (OKTA-1021402)

  • Active Directory imports failed with an "Incorrect result size" error when DirSync was enabled. This occurred because creating a new group in Active Directory generated duplicate entries during the import process. (OKTA-1043592)

  • In some orgs, after assigning a group to an app, any users in the group that failed to be activated in the downstream app weren't able to access the app from their End-User Dashboard, and the task to retry the activation was inadvertently hidden. (OKTA-1060837)

  • When security.request.blocked events were triggered by IP zones, the client.zone field wasn't populated in the System Log. (OKTA-1060987)

  • Recent UI changes prevented some admins from accessing the Account page. (OKTA-1062156)

  • The Add a domain to Office 365 link in the Office 365 manual federation instructions pointed to an invalid URL. (OKTA-1068862)

  • Updates to user entitlements in JDBC applications failed to sync to the remote profile. This occurred when a user was re-imported without any changes to their profile data. (OKTA-1070338)

  • The PagerDuty app integration didn't use the correct Universal Logout endpoint. (OKTA-1070647)

  • Some UI elements in the Encryption keys section of the authorization server Settings tab didn't render correctly. (OKTA-1075244)

Okta Integration Network

  • BetterLogiq (OIDC) is now available. Learn more.

  • Navan (SAML) has updated endpoints.

  • BetterLogiq now supports Express Configuration.

  • GoSystem Tax (SWA) was updated.

  • Lyster now supports Express Configuration.

  • BetterLogiq now supports Universal Logout.

  • Bedrock Analytics (OIDC) is now available. Learn more.

  • AfterShip (SAML) is now available. Learn more.

  • Scalefusion OneIdP (SCIM) is now available. Learn more.

  • Audit Sight (OIDC) is now available. Learn more.

  • Audit Sight (SAML) is now available. Learn more.

  • Veraproof Scimify (SCIM) is now available. Learn more.

  • Biome (OIDC) is now available. Learn more.

  • Biome (SCIM) is now available. Learn more.

Version: 2025.11.0

November 2025

Generally Available

Manage agents permission granted to certain roles

Custom admin roles with the View application and their details permission now have the View agents permission. This is a temporary change that helps Okta separate the two permissions in a future release. See Role permissions.

New System Log event for AD agent changes

The System Log event system.agent.ad.config.change.detected reports when Okta support modified an AD agent configuration.

Custom domains and certificates

Okta now supports the use of SHA-384 and SHA-512 signed certificates for custom domains. See Configure a custom domain.

Okta Active Directory agent, version 3.22.0

This release includes LDAPS support and bug fixes. See Okta Active Directory agent version history.

Network restrictions for OIDC token endpoints is GA in Production

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Export Okta Identity Governance reports in PDF format

You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.

Changes to the Okta Sign-In Widget UI

The Okta Sign-In Widget (first and second generation) now uses the native Select component for dropdown elements. These UI elements have a new appearance, and the dropdown search functionality is no longer available.

Behavior Detections for new ASN

Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.

Enhanced security for Okta Access Requests web app

The Okta Access Requests web app now performs policy evaluations before granting new access tokens.

Early Access

Submit entitlement management integrations

Independent Software Vendors (ISVs) can now submit SCIM 2.0-based entitlement management integrations to the Okta Integration Network (OIN). This enhancement enables customers and IT admins to discover, manage, and assign fine-grained entitlements such as roles and permissions directly from Okta. By standardizing entitlement management, organizations can automate access assignments and streamline Identity Governance, ensuring users receive the right access and roles without manual intervention. For more information, see Submit an integration with the OIN Wizard.

Fixes

  • The Authentication of user via MFA System Log event didn't display the IP address and client information. (OKTA-979214)

  • AD password resets sometimes failed with an exception. (OKTA-1004233)

  • When interacting with the Access Request web app using Safari browser, users couldn't tag another user with @ in the request's chat. (OKTA-1005685)

  • Deleted request types sometimes reappeared if the org had the Unified Requester Experience feature enabled. (OKTA-1040545)

  • When the LDAP agent installer successfully registered the agent but the installation failed, the agent incorrectly appeared as operational. (OKTA-1045661)

Okta Integration Network

  • Harmony now has the okta.users.manage, okta.groups.read, and okta.groups.manage scopes.

  • Valos (OIDC) has a new redirect URI. Learn more.

  • Chronicle of Higher Education (SWA) was updated.

  • 1VALET (SAML) has updated attribute statements.

  • Fabrix Smart Actions (API Service) now has the okta.groups.manage scope.

  • Boston Properties (SWA) was updated.

  • Holistiplan SSO (SAML) is now available. Learn more.

  • Mimecast Human Risk Integration (API Service) is now available. Learn more.

  • Aglide (SAML) is now available. Learn more.

  • Aglide (SCIM) is now available. Learn more.

  • SmarterSign Digital Signage (OIDC) is now available. Learn more.

  • SmarterSign Digital Signage (SCIM) is now available. Learn more.

Weekly Updates

2025.11.1: Update 1 started deployment on November 13

Generally Available

Partner Admin Portal App Switcher

In the Partner Admin Portal, you can now use the App Switcher to navigate to your apps.

Fixes

  • Okta authentication requests for some orgs resulted in high latency and database CPU spikes when a user's email address in the request started with a space. (OKTA-627502)

  • Users @mentioned in an access request Slack thread didn't receive a notification unless they were already a follower of the request. (OKTA-1053390)

  • The Edit resource set page didn't load if the resource set included a deleted resource. (OKTA-1030613)

  • When an AD integration had DirSync enabled, the user's manager and Group owners didn't get updated during an incremental import. (OKTA-1047146)

Okta Integration Network

  • Ziflow has a new icon.

  • Valence (SAML) was updated.

  • Extreme Platform ONE Security API Service (API Service Integration) is now available. Learn more.

  • Clever (District Administrator Login) (SWA) was updated.

  • DynaMed (SAML) is now available. Learn more.

  • Intercom now supports Group Push.

2025.11.2: Update 2 started deployment on December 2

Fixes

  • An error was returned if the cursor type for Stored Procedures wasn't REFCURSOR. (OKTA-1048452)

Okta Integration Network

  • LegalOn (Japan) (SAML) was updated.

  • Lyster (OIDC) is now available. Learn more.

  • Canva (SWA) was updated.

  • Rubrik Security Cloud (API Service Integration) is now available. Learn more.

  • Veraproof SSO (OIDC) is now available. Learn more.

  • Lumen5 (SAML) is now available. Learn more.

  • Cloudflare One (OIDC) is now available. Learn more.

2025.11.3: Update 3 started deployment on December 8

Fixes

  • An error was returned if the cursor type for Stored Procedures wasn't REFCURSOR. (OKTA-1048452)

Okta Integration Network

  • LegalOn (Japan) (SAML) was updated.

  • Lyster (OIDC) is now available. Learn more.

  • Canva (SWA) was updated.

  • Rubrik Security Cloud (API Service Integration) is now available. Learn more.

  • Veraproof SSO (OIDC) is now available. Learn more.

  • Lumen5 (SAML) is now available. Learn more.

  • Cloudflare One (OIDC) is now available. Learn more.