Okta Classic Engine release notes (2026)

Version: 2026.01.0

January 2026

Generally Available

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

New look and feel in the Access Requests email notifications

The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

Escalate tasks is generally available in Production environments

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

OAuth 2.0 scopes automatically assigned to API integrations

Now when you add an API integration to your org, Okta automatically assigns the required OAuth 2.0 scopes to the app.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

  • The View Setup Instructions button has been relocated to optimize the visual layout.
  • A new display option has been added to visualize parent and child domain relationships.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Early Access

Breached credentials protection

Protect your org from the impact of compromised credentials. Okta compares username and password combinations to a third-party curated dataset. If it determines that a combination has been compromised, you can customize the protection response through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Fixes

  • The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)

  • In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)

  • Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)

  • In some orgs, resource access policy rules didn't take effect immediately after being updated. (OKTA-1071402)

  • Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)

  • When an admin provisioned an LDAP user with an LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)

  • JIT users were redirected to an SP before app assignments were completed, causing an access denied error. (OKTA-1061698)

  • In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)

  • Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)

  • In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

Okta Integration Network

  • Dokio (SCIM) is now available. Learn more.

  • Kuranosuke (SAML) is now available. Learn more.

  • LINE WORKS (SCIM) is now available. Learn more.

  • SciLeads Portal (OIDC) is now available. Learn more.

  • SciLeads Portal (SCIM) is now available. Learn more.

  • ShareCal (SCIM) is now available. Learn more.

  • ShareCal (SAML) was updated with a new logo.

  • Humana Military (SWA) was updated.

  • Xint (OIDC) added a new IdP flow.

  • cmBuilder (OIDC) has a new Redirect URI and a new Post Logout Redirect URI. Learn more.

  • Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

Weekly Updates

2026.01.1: Update 1 started deployment on January 20

Generally Available

New IP service category

FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)

  • When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)

  • When an admin updated the agent pool, an error occurred if the agentType was missing. (OKTA-1071106)

  • When an admin reactivated a user through an Active Directory import, the System Log didn't record the event. (OKTA-1071233)

  • When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)

  • For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI. (OKTA-1096668)

Okta Integration Network

  • Seismic (SCIM) is now available. Learn more.

  • OX Security (OIDC) is now available. Learn more.

  • Skedda (SCIM) is now available. Learn more.

  • Jotform (SCIM) is now available. Learn more.

  • Planhat (SCIM) is now available. Learn more.

  • Safety AZ (OIDC) is now available. Learn more.

  • Exabeam (SAML) is now available. Learn more.

  • 101domain (OIDC) is now available. Learn more.

  • OX Security (OIDC) now supports Universal Logout.

  • Skedda (SAML) has a new description, icon, and configuration guide.

  • Obsidian Security (SAML) has a new configuration guide, attribute, and app description.

  • Planhat (SAML) has a new integration guide.

  • Exaforce (API Service) now has the okta.idps.read scope.

  • Seismic (SAML) has a new logo, app description, and configuration guide.

  • BridgeBank Business eBanking (SWA) was updated.

  • Humana Military (SWA) was updated.

  • Jotform (SAML) was updated.

  • Scalefusion OneIdP (SCIM) was updated.

2026.01.2: Update 2 started deployment on February 2

Generally Available

Fixes

  • Arbitrary headers could be added to SCIM requests during the On-Premises Provisioning agent integration. (OKTA-1000055)

  • When users authenticated using a third-party IdP, the AMR claims for MFA weren't included in the token. (OKTA-1020028)

  • When creating a group rule, after entering ten groups, admins needed to enter complete or nearly-complete group names to add more groups to the rule, rather than being able to enter a partial name and select from a list. (OKTA-1067501)

  • When admins created a user and chose a realm to assign, the realm wasn't assigned and an error occurred upon save. (OKTA-1091903)

  • Admins couldn't revert the default network zone's name back to LegacyIpZone after they'd modified it. (OKTA-1045470)

  • Active Directory imports failed with a ProcessMembershipsAndDeletedObjectsJob: null error. (OKTA-1098885)

Okta Integration Network

  • SparrowDesk (SAML) is now available. Learn more.

  • Eon.io (SAML) is now available. Learn more.

  • NoClick (SAML) is now available. Learn more.

  • Druva Data Security Cloud (API) is now available. Learn more.

  • SimCorp Dimension (SAML) is now available. Learn more.

  • Falcon Shield (API Service Integration) has a new scope. Learn more.

  • Rubrik Security Cloud (API Service Integration) has a new integration guide. Learn more.

  • SimCorp Dimension (SCIM) has a new SCIM configuration guide URL and a new app description.

  • AWS IAM Identity Center (SAML) now supports multiple ACS URLs.

  • ShareCal (SAML) has an updated App Instance Property & Configuration Guide link.

  • ClickUp (SAML) has a new configuration guide and app description.

  • ClickUp (SAML) was updated.

  • CardinalOps (SAML) was updated.

  • OrbiPay Payments (SWA) was updated.