Okta Classic Engine release notes (Production)

Version: 2026.05.0

May 2026

Generally Available

Workday entitlement management

Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.

Report exports

You can now choose between CSV and GZIP export formats when generating the following reports:

  • Okta usage
  • Application usage
  • MFA usage

System Log event for unconfigured identifiers

When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.

System Log event for DirSync imports

When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.

Network zone residential proxy detection

This feature adds new zones associated with Enhanced Dynamic Network Zones beyond anonymous proxies and VPNs. Customers can use service categories such as ZSCALER_PROXY, PERIMETER_81, and more. See Supported IP service categories.

Fixes

  • After deactivating an AD Agent, an incorrect format of the version for the agent was displayed. (OKTA-1117122)

  • AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)

  • On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)

  • Manual remediation was required when reviewers revoked a user's access to Active Directory-source groups in a campaign. (OKTA-1167090)

Okta Integration Network

  • Asset Integrity for Pipelines (OIDC) is now available. Learn more.

  • CJ Affiliate (OIDC) is now available. Learn more.

  • Conduit Security (OIDC) is now available. Learn more.

  • Form (OIDC) is now available. Learn more.

  • Harmony (SAML) is now available. Learn more.

  • Harmony (SCIM) is now available. Learn more.

  • Haystack (SCIM) is now available. Learn more.

  • JumpCloud (OIDC) is now available. See JumpCloud.

  • LinkedIn Sales Navigator (SCIM) is now available. Learn more.

  • Magnite Streamr (OIDC) is now available. Learn more.

  • Matik (SAML) is now available. Learn more.

  • Matik (SCIM) is now available. Learn more.

  • Syndio (OIDC) is now available. Learn more.

  • Tandem Health (OIDC) is now available. Learn more.

  • Ternary (OIDC) is now available. Learn more.

  • ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.

  • TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.

  • Truepic Vision (OIDC) is now available. Learn more.

  • WideField Security - Detect and Remediate (API integration) is now available. Learn more.

  • YipitData Agent (OIDC) is now available. Learn more.

  • Yunu (OIDC) is now available. Learn more.

  • Console (API Service) has a new icon and description.

  • Console (OIDC) has a new app description.

  • Sastrufy has a new app name and a new configuration guide.

  • Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.

  • Suger (OIDC) has a new Redirect URI.

  • Matik (Basic Auth) was updated.

  • Metlife MyBenefits (SWA) was updated.

  • TOPdesk Operator by FuseLogic (SCIM) was updated.

Version: 2026.04.0

April 2026

Generally Available

Slack integration for Identity Governance

Okta for Government Moderate and Government High customers who use commercial Slack instances can now integrate Slack with their org to streamline access management in Access Requests and Access Certifications. Users can now submit and approve requests in Slack as well as receive Slack notifications for access requests and certification campaigns. Feature availability varies depending on whether the Unified requester experience feature is enabled. See Okta Identity Governance Limitations for Public Sector Service and Integrate Slack.

Custom admin permissions for inline and event hooks

The inline hook and event hook framework now supports read and write permissions for custom admin roles. This enhancement gives fine-grained access to manage inline and event hooks that previously required the super admin role. See Role permissions.

Okta Active Directory Federation Services (ADFS) Plugin version 1.8.4

This version includes bug fixes and security updates.

Provisioning for MuleSoft Anypoint Platform

Admins can now automate user lifecycle management for the MuleSoft Anypoint Platform app. This integration supports creating, updating, and deactivating users, and pushing groups as teams. See MuleSoft Anypoint Platform provisioning

Increase to the maximum access duration limit

When you create or edit access request conditions, you can now set the Access duration field to a maximum of 365 days or 52 weeks.

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Early Access

Radius Agent version 2.5

This version includes internal improvements and fixes.

IBM Db2 LUW support for On-premises Connector for Generic Databases

The On-premises Connector for Generic Databases now supports IBM Db2 LUW. This enables admins to manage users and entitlements in IBM Db2 LUW environments. See On-premises Connector for Generic Databases.

Fixes

  • Data was missing from the policy.rule.update System Log event. (OKTA-888091)

  • Apps created from the On-premises Connector for Generic Databases incorrectly appeared on the End-User Dashboard. Clicking the app resulted in an invalid redirect because the connector doesn't support SSO. (OKTA-1076893)

  • An incorrect error message was displayed when a Bidirectional Group Management issue occurred. (OKTA-1104305)

  • When an admin used a JDBC on-premises app, provisioning failed with a Requires a successful schema discovery error on the Provisioning tab. (OKTA-1124752)

  • When an admin deactivated a Group Push mapping rule, membership updates stopped for previously matched groups. (OKTA-1125151)

  • When a DirSync import failed with a permission error, the agent was operational but had the Disruption label in the Admin Console. (OKTA-1128087)

Okta Integration Network

  • Dokio now supports an additional custom attribute.

  • Reftab Discovery (API Service) now supports the Groups Read scope.

  • ZoomInfo (SCIM) was updated.

Weekly Updates

2026.04.1: Update 1 started deployment on April 13

Generally Available

Provisioning for Informatica Cloud

Provisioning is now available for the Informatica Cloud app integration. When you provision the app, you can enable security features like Entitlement Management. See Informatica Cloud.

Fixes

  • The AuthnRequestId field wasn't included in authorization code flow and device code flow token request events in the System Log. (OKTA-1082636)

  • When an admin created an LDAP integration in an Admin Console where French was the selected language, "LDAP Server(s)" was improperly translated. (OKTA-1106969)

  • Some event hooks failed to send live events because the target URL was incorrectly encoded. (OKTA-1111770)

  • The Add resource window displayed outdated icons. (OKTA-1125857)

  • In some orgs, users who hadn't finished activating their accounts saw a 500 Internal Server Error when they tried to sign in, instead of being prompted to complete their account activation. (OKTA-1145737)

Okta Integration Network

  • DynaMed Decisions (OIDC) is now available. Learn more.

  • Gearset (SAML) is now available. Learn more

  • Groniva (OIDC) is now available. Learn more.

  • Kymata (OIDC) is now available. Learn more.

  • Liz Smart Office (OIDC) is now available. Learn more.

  • Raptor Technology (OIDC) is now available. Learn more.

  • Wordsmith AI (OIDC) is now available. Learn more.

  • Wordsmith AI (SCIM) is now available. Learn more.

  • Sastrify now supports Express Configuration.

  • Wirespeed (API) now supports the okta.users.read scope. Learn more.

  • Linktree (SWA) was updated.

2026.04.2: Update 2 started deployment on April 20

Generally Available

Provisioning for OneLogin

Admins can now automate user lifecycle management for the OneLogin app. This integration uses OAuth-based authentication to support user provisioning, profile updates, and deactivation directly from Okta. See Create a OneLogin SCIM integration.

Provisioning for HashiCorp Cloud Platform

Provisioning is now available for the HashiCorp Cloud Platform app integration. When you provision the app, you can enable security features like Entitlement Management. See HashiCorp Cloud Platform .

Fixes

  • During profile mapping, the cache sometimes became stale and the updated profile mapping wasn't saved. (OKTA-1043935)

  • When an org with a large number of OUs configured an Okta group for AD provisioning, the OUs weren't properly displayed in the provision configuration form. (OKTA-1116250)

  • When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)

Okta Integration Network

  • OneLogin (OIDC) is now available. See Create a OneLogin OIDC Integration.

  • Twilio (SAML) is now available. Learn more.

  • V7 Go (OIDC) is now available. Learn more.

  • Cisco Identity Intelligence - Read-Write Management API Service (API Service Integration) now supports okta.serviceAccounts.read and okta.networkZones.read.

  • Google Cloud Workforce Identity Federation (OIDC) now supports Group claims.

  • Google Cloud Workforce Identity Federation (SAML) now supports IdP Initiated Flow.

2026.04.3: Update 3 started deployment on May 5

Generally Available

Okta On-Prem SCIM Server agent, version 1.8.0

Okta On-prem SCIM Server agent 1.8.0 is available. This version of the agent introduces support for single-value entitlements in SCIM 2.0. Admins can now implement a cardinality policy using the Okta SCIM resource extension to restrict specific entitlements to a single value.

Fixes

  • When users were added to a group using a CSV file, a processing issue occurred during Group Push that resulted in missing users in the downstream org. (OKTA-1045473)

  • The OIE upgrade validator incorrectly displayed a warning for some orgs with MFA enrolment policies that included app conditions. (OKTA-1112912)

  • When an admin reset a user's Okta Verify authenticator, the resulting email notification was sent from the custom domain instead of the default domain. (OKTA-1129391)

  • Inline hooks intermittently failed with a connection error before a response could be received. (OKTA-1030671)

  • Some admins saw an error message when they clicked Save on the General Settings page of their OIDC app. The System Log showed multiple duplicate successful update entries even though the app settings weren't saved. (OKTA-1161655)

Okta Integration Network

  • Augment Code (OIDC) is now available. Learn more.

  • Clarion by Cantina (API Service) is now available. Learn more.

  • Data Residency and AI Data Protection for Okta (API Service) is now available. Learn more.

  • FleetDM is now available. Learn more.

  • Fullcast (OIDC) is now available. Learn more.

  • License Logic (API Service) is now available. Learn more.

  • My Bright Horizons (OIDC) is now available. Learn more.

  • myMobilityHQ (OIDC) is now available. Learn more.

  • Quickture (OIDC) is now available. Learn more.

  • Scaleflex VXP (SAML) is now available. Learn more.

  • Sinch (SAML) is now available. Learn more.

  • Ysis (OIDC) is now available. Learn more.

  • Kpler now supports Express Configuration.

  • My Bright Horizons now supports Express Configuration.

  • myMobilityHQ now supports Express Configuration.

  • X (Twitter) (SWA) was updated.

Version: 2026.03.0

March 2026

Generally Available

Improved error handling for group membership searches

When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Yammer rebranded to Microsoft Viva

The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.

Enhanced provisioning controls for Microsoft Office 365

Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.

Early Access

Improved DirSync-based imports

Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.

Self-Service for Enhanced Disaster Recovery

When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.

Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.

With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.

Fixes

  • You couldn't search for and select users with Provisioned, Active, Recovery, Password Expired, or Locked out status when assigning a step in an approval sequence and in request types. (OKTA-944822)

  • Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)

  • When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)

Okta Integration Network

  • Guardare (SAML) is now available. Learn more.

  • Valence Remediation (API) is now available. Learn more.

  • Cato Networks Provisioning now supports user imports and updates.

  • PerimeterX now supports SAML.

  • PerimeterX now supports SCIM.

  • Druva Data Security Cloud (API Service) now has the okta.clients.read scope.

  • Natoma has a new app icon.

  • Adobe Creative (SWA) was updated.

  • Adobe Fonts (SWA) was updated.

Weekly Updates

2026.03.1: Update 1 started deployment on March 16

Generally Available

Fixes

  • An error occurred when an admin attempted to add a duplicate SWA integration. (OKTA-600590)

  • When DirSync was enabled, AD incremental imports removed group description values in Okta. (OKTA-1108167)

  • When an admin integrated an app through the API, some of the custom SSO properties didn't populate on the integration page. (OKTA-1109692)

  • The Add Resource dialog couldn't load more users or groups if the search term included special characters. (OKTA-1114749)

  • When an admin pressed the Enter key to select a recent spotlight search result, the search field disappeared. (OKTA-1115374)

  • The Microsoft Teams app integration incorrectly redirected users to an outdated URL during the Secure Web Authentication (SWA) flow. (OKTA-1117744)

  • Workflows admins couldn't edit their admin email notifications. (OKTA-1119296)

  • When admins provisioned users, incremental synchronizations for permission sets failed. The connector pushed duplicate permission set assignments, which resulted in errors for sets already assigned to the user. (OKTA-1121168)

  • Admins could initiate temporary password resets for users sourced from Okta, Active Directory (AD), or LDAP, bypassing the password policy that disabled self-service password reset. (OKTA-1122913)

Okta Integration Network

  • CyberProof Threat Exposure Management Platform (API integration) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (SAML) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (SCIM) is now available. Learn more.

  • Sensor Tower (SAML) is now available. Learn more.

  • YakChat (OIDC) is now available. Learn more.

  • Google Cloud Workforce Identity Federation (OIDC) has a new Redirect URI. Learn more.

  • JetBrains (SWA) was updated.

2026.03.2: Update 2 started deployment on March 23

Generally Available

Okta Provisioning agent, version 3.1.0

Okta Provisioning agent 3.1.0 is now available. This version introduces strict SCIM error validation to ensure standard compliance and resolves an issue that prevented the agent from starting. See Okta Provisioning agent and SDK version history.

Fixes

  • The Go to Profile Editor and Force Sync buttons weren't disabled for read-only admins. (OKTA-1031561)

  • In orgs with SAML Okta Org2Org integrations, the Sign-In Widget sometimes displayed incorrect user information. (OKTA-1102232)

  • After an update, the Okta Provisioning Agent failed to start due to a permission error on the bundled Java binary. (OKTA-1110701)

  • Brackets in OIN display names didn't appear on the app integration pages. (OKTA-1122916)

  • When a SCIM server returned a 404 Not Found error during an on-premises provisioning import, the agent interpreted the error as a completed import. This resulted in a partial import that deprovisioned some users. (OKTA-1123270)

  • On the Administrators > Admins tab, the info icon was missing for admins with more than 10 role assignments. (OKTA-1125121)

Okta Integration Network

  • Brellium (OIDC) is now available. Learn more.

  • Brellium (SCIM) is now available. Learn more.

  • Doppel (OIDC) is now available. Learn more.

  • Draftwise (SAML) is now available. Learn more.

  • Guardare - EU (SAML) is now available. Learn more.

  • Portnox (OIDC) is now available. Learn more.

  • Doppel (OIDC) now supports Express Configuration.

  • Doppel (OIDC) now supports Universal Logout.

  • IdentiGuard (API Service) now has the okta.users.read and okta.factors.read scopes.

  • 6sense legacy (SAML) was updated.

  • Google Cloud Workforce Identity Federation was updated.

  • Jack Henry & Associates Client Portal (SWA) was updated.

  • Observe.AI (SCIM) was updated.

  • UPS (SWA) was updated.

  • ZoomInfo (SCIM) was updated.

2026.03.3: Update 3 started deployment on March 30

Generally Available

Provisioning for ThoughtSpot

Provisioning is now available for the ThoughtSpot app integration. When you provision the app, you can enable security features like Entitlement Management. See ThoughtSpot.

Jamf Pro User Enrollment provisioning

Admins can automate user lifecycle management and use OAuth-based authentication to support user provisioning, profile updates, and deactivation. This integration also supports importing users and pushing groups from Okta to Jamf Pro User Enrollment. See Jamf Pro User Enrollment.

Okta Integration Network

  • Archlet (OIDC) is now available. Learn more.

  • Archlet (Staging) (OIDC) is now available. Learn more.

  • Brevity (SCIM) is now available. Learn more.

  • Jamf Admin Access (OIDC) is now available. Learn more.

  • Parabol (SCIM) is now available. Learn more.

  • Tiled (SAML) is now available. Learn more.

  • Archlet (Staging) now supports Express Configuration.

  • Archlet (Staging) now supports Universal Logout.

  • Archlet now supports Express Configuration.

  • Jamf Admin Access now supports Express Configuration.

  • Jamf Admin Access now supports Universal Logout.

  • Tiled now supports SCIM.

  • Brevity has a new integration guide.

  • Fabrix Smart Action (API Service) now has the okta.apps.manage, okta.users.manage and okta.users.read scopes.

  • Parabol has a new logo, SAML Configuration Guide, and App description.

  • Udemy Business has a new optional App Instance Property and a new configuration guide. Learn more.

  • Campaigner (SWA) was updated.