Okta Classic Engine release notes (Preview)

Version: 2025.07.0

July 2025

Generally Available

OAuth 2.0 provisioning for Org2Org with Autorotation

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Autorotation for Org2Org app provisioning directly from the Admin Console.

See Integrate Okta Org2Org with Okta.

Release notes available in Japanese

Release notes for Okta Classic Engine are now translated to Japanese for each release. These translations are published within a week of the English publication.

Okta Provisioning agent, version 2.3.1

This release contains security enhancements. See Okta Provisioning Agent and SDK version history.

Okta LDAP agent, version 5.24.0

This version of the agent includes the following:

  • Configuration files are now encrypted
  • Local LDAP agent configuration files are monitored for unexpected changes
  • install.log created to help debug installation issues
  • Security enhancements

Google Workspace improvements

The following changes have been made to improve the performance of the Google Workspace app integration:

  • More robust group-related error handling
  • Eliminated duplicate group creation upon import when Import Groups is disabled

LDAP Interface OIDC app

LDAP Interface now has an application session policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface.

License Grouping UI improvement

Microsoft O365 Licenses are now grouped under Primary Licenses in the assignment tab for users and groups. Licenses are displayed as collapsed dropdown menus with only Primary License name visible. Expanding the dropdown menu displays all sub-licenses under it.

New custom attributes for Profile Sync provisioning

Profile sync provisioning now supports several custom attributes for Office 365. See Supported user profile attributes for Office 365 provisioning.

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See Define attribute statements.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Changes to Okta apps

You can no longer view or assign the following apps to users:

  • Okta Access Certifications
  • Okta Access Requests Admin
  • Okta Entitlement Management

Additionally, the sign-on policies for these apps will default to the existing sign-on policy that you use for the Okta Admin Console.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Early Access

Network restrictions for OIDC token endpoints is EA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Okta Integration IdP type is EA in Preview

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Enforce MFA for Identity Governance admin apps

The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.

OU moves for LDAP-provisioned users

When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.

Okta Hyperspace agent, version 1.5.1

This version includes security enhancements.

System Log event for monitoring LDAP Agent config file changes

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.

On-prem Connector for Oracle EBS

On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.

Fixes

  • Admins couldn't edit the Need help signing in? link on the Sign-In Widget (third generation). (OKTA-917840)

  • Group push errors were displayed for app instances that didn't have provisioning enabled. (OKTA-924631)

  • Client location, IP address, and user agent weren't visible for security.breached_credential.detected events in System Log. (OKTA-934324)

  • When any of the When a user is reactivated in the app options were enabled for an app integration, the first attempt to re-login using ADSSO by disconnected AD users failed. (OKTA-939542)

  • Additional roles couldn't be added to the base Role attribute for SmartRecruiters app integrations. (OKTA-944146)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • Some users who were logged out of Okta by the breached credentials protection feature had custom attribute values deleted from their user profile. (OKTA-964312)

Okta Integration Network

  • Cockroach Labs (SCIM) is now available. Learn more.
  • Grace (OIDC) is now available. Learn more.
  • Hive (SCIM) is now available. Learn more.
  • Optmyzr (OIDC) is now available. Learn more.
  • Planfix (SCIM) is now available. Learn more.
  • Planfix (SAML) is now available. Learn more.
  • Splunk Add-on for Okta Identity Cloud (API integration) is now available. Learn more.

Weekly Updates

2025.07.1: Update 1 started deployment on July 9

Generally Available

Govern Okta admin roles

As a super admin, use this feature to adopt a zero standing privilege model for your org. This feature enables users to request time-bound access to Okta admin roles directly from their End-User Dashboard. It also enables you to periodically review their admin access.

The feature helps you streamline processes around requesting, approving, and certifying access to admin roles. It also enables you to control the level of access and its duration to your org's critical resources. In addition, you can audit a user's existing admin role assignments using Access Certifications campaigns and specify reviewers who should approve or revoke a user's access. See Govern Okta admin roles.

Govern Okta admin roles is available to all customers who have Universal Directory. Contact your account executive or customer success manager.

Fixes

  • Users were deactivated during imports where Super Admin privileges had been granted through group membership assignment. (OKTA-831811)

  • Some users with custom admin roles were unable to use the authorization server token preview. (OKTA-847900)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-953319)

  • The Networks page became unresponsive when admins clicked the Show more option. (OKTA-958764)

  • When an admin triggered a password reset for a user who was concurrently also being provisioned in AD or LDAP, the user's status was discarded. (OKTA-961859)

  • Users were unable to create a new schema property using a previously used name due to an incomplete cleanup process of deleted schema properties. (OKTA-963030)

  • A blank page was displayed after an Okta user was successfully converted to a service account. (OKTA-969178)

  • The create user form didn't clearly indicate whether an admin can view or edit the files, which caused confusion during user creation. (OKTA-971861)

Okta Integration Network

  • NVIDIA Identity Federation (SCIM & SAML) is now available. Learn more.
  • Zoho Directory (API Integration) is now available. Learn more.

Preview Features

Expanded use of user.getGroups() function in Okta Expression Language

Admins can now use the user.getGroups() function across all features that support Expression Language. See Group functions for more information.

Increased maximum displayed group membership count

The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.

Changes to Okta apps

You can no longer view or assign the following apps to users:

  • Okta Access Certifications
  • Okta Access Requests Admin
  • Okta Entitlement Management

Additionally, the sign-on policies for these apps will default to the existing sign-on policy that you use for the Okta Admin Console.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Administrators can now override attribute mapping when assigning apps to individuals or groups. Attributes can also be reverted to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Content security policy enforcement on end-user pages

Content security policy is now enforced for end-user pages on orgs with custom domains on non-customizable pages. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. We already had a policy enforced in our admin pages from last year and in report-only mode for end-user pages. We plan that future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.

This feature will be gradually made available to all orgs.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Federation Broker Mode

The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.

Choose additional filters for Office 365 sign-on policy

Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.

User Import Scheduling

When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.

Null values for SCIM provisioning

Null values for any attribute type can now be submitted to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to applications that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error-prone and time-consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to complete sign-in to applications that run on such devices.

LDAP admin password reset

For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.

LDAP password reset option

LDAP delegated authentication settings can now be configured to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.

Windows Device Registration Task, version 1.4.1

This release fixed the following issues:

  • If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
  • An unknown publisher warning appeared after double-clicking the Okta Device Registration MSI file.

Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.

Incremental Imports for CSV

Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released having previously been released to Production in 2020.09.0.

Password changed notification email

To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.

Office 365 Silent Activation

Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain joined shared Workstations or VDI environments. Once your end users have logged into a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.

End-user Welcome emails localized

The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.

People page improvements

The People page has been improved so the people list can be filtered by user type. See Universal Directory custom user types known issues.

UI element change

Drop-down menus on the Provisioning page (General Settings) are standardized. See Provision apps

Early Access features, auto-enroll

You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.

Connecting Apps to Okta using the LDAP Interface

The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the cloud. With the LDAP Interface, authentication is done directly against Okta via LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.