Okta Classic Engine release notes (Preview)
Version: 2025.10.0
October 2025
Generally Available
Okta Active Directory Password Sync agent, version 1.7.0
This version of the agent includes security enhancements.
New look and feel for delegated flows
On the Delegated flows page, the buttons, modals, and input fields have been redesigned for a better user experience. See Delegated flows.
Euskara (Basque) language translations for end users
In the End-User Dashboard, users can now set the display language to Euskara (Basque). When they select a language, the end-user experience, including when a user signs in, is translated accordingly. See Supported display languages.
New VPN service for enhanced dynamic zones
The SURF_EASY_VPN is now supported as an individual VPN service category in enhanced dynamic zones. See Supported IP service categories.
Error message update
The error message text that appears when activating a group rule that has an invalid expression has been updated to include the reason for the failure, making it easier to troubleshoot.
Create user permission conditions
You can now add conditions to the Create user permission for custom admin roles, applicable to both realm-enabled orgs and those without realms. See Permission conditions.
Network restrictions for OIDC token endpoints is GA in Preview
You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.
Export Okta Identity Governance reports in PDF format
You can now export Okta Identity Governance reports to PDF. When exporting, you can also select specific columns to include in the report.
Behavior Detections for new ASN
Admins have been able to create behavior detections for IP, Velocity, Location, or Device. This new functionality introduces behavior detection on a new ASN (Autonomous System Number), based on the IP found in the request tied to the event. See Add an ASN behavior.
Early Access
Fixes
- Sometimes, inactive apps that had provisioning enabled sent deprovisioning calls to downstream apps. (OKTA-930436)
- Sometimes, users who were assigned an app were unable to view or access the app on their End-User Dashboard. (OKTA-985663)
- SAML assertions were encrypted if they included the oktaAuthPayload parameter even though encryption wasn't enabled on the app. (OKTA-998820)
- In some orgs with the Unified claims generation for Okta-protected SAML and OIDC custom app integrations early access feature enabled, users were unable to use the dropdown menus in the Attribute Statements > Show legacy configuration section of the app page. (OKTA-1010898)
- In orgs with Japanese translations, untranslated text appeared on the Active Directory Policy page. (OKTA-1029000)
Okta Integration Network
- Paychex Online was updated.
- Ravenna is now available (API Service Integration). Learn more.
- zkipster was updated.
Doc Updates
Okta Aerial documentation
Documentation for Okta Aerial has been added to Okta Documentation with the following updates:
- Aerial card added to the home page.
- Aerial option added to Documentation dropdown list.
- Aerial release notes added to Release notes dropdown list.
Okta Aerial allows you to manage multiple Okta orgs from a single, centralized account. The Aerial account lives outside of your other orgs and can manage any Production or Preview org that's linked to the Aerial account. Each Aerial account has a dedicated Aerial org where you can invite Aerial admins who can request and be granted access to connected orgs in your environment. See Okta Aerial.
Preview Features
Enhanced import monitoring with real-time updates
You can now view real-time progress for imports from the Import Monitoring dashboard. This provides greater visibility into the current status of in-progress imports such as the number of data chunks currently being processed.
Increased maximum displayed group membership count
The membership count that appears on the groups page for very large groups now maxes out at 1M+. Click this number to view the exact count, which is cached for two hours. See View group members.
Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.
Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
Content security policy enforcement on end-user pages
Content security policy is now enforced on non-customizable end-user pages in orgs with custom domains. Content Security Policy headers provide an additional layer of security that helps to detect attacks such as cross-site scripting and data injection by ensuring browsers know what kind of actions the webpage can execute. Okta has already enforced a policy on admin pages since last year, with end-user pages in report-only mode. Future iterations of our Content Security Policy enforcement for end-user pages will become stricter than this first release.
This feature will be gradually made available to all orgs.
Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints:
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
Email failure events in the System Log
Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.
Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.
Choose additional filters for Office 365 sign-on policy
Filters have been added to enable admins to distinguish between web browsers and Modern Authentication clients when creating an app sign-on policy.
User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that's convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an app allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.
Null values for SCIM provisioning
You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.
Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
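The device side of this grant, following RFC 8628, as an added example that is not Okta's code: the device requests a user code, shows it, then polls the token endpoint while handling the pending, slow-down, denied and expired outcomes. The `idp.example` URLs, the client ID, the codes and `FakeAuthServer` are constructed stand-ins so the flow runs offline.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628
class DeviceFlowError(Exception):
    """Terminal failure: access_denied, expired_token or an unexpected error."""

def device_sign_in(post, authorize_url, token_url, client_id, scope,
                   show=print, sleep=time.sleep):
    """Device side of the grant; post(url, form) -> (status, json_dict) is injected."""
    status, grant = post(authorize_url, {"client_id": client_id, "scope": scope})
    if status != 200:
        raise DeviceFlowError(grant.get("error", f"HTTP {status}"))
    # The user enters this code on a laptop or phone; no password touches the device.
    show(f"Visit {grant['verification_uri']} and enter code {grant['user_code']}")
    interval, waited = grant.get("interval", 5), 0
    while waited < grant["expires_in"]:
        sleep(interval)
        waited += interval
        status, body = post(token_url, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                        "device_code": grant["device_code"]})
        if status == 200:
            return body  # holds the access_token
        error = body.get("error")
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        elif error != "authorization_pending":
            raise DeviceFlowError(error or f"HTTP {status}")
    raise DeviceFlowError("expired_token")

class FakeAuthServer:
    """Constructed stand-in for the authorization server, with scripted replies."""
    def __init__(self, replies):
        self.replies = list(replies)
    def post(self, url, form):
        if url.endswith("/device/authorize"):
            return 200, {"device_code": "dc-constructed", "user_code": "WDJB-MJHT",
                         "verification_uri": "https://idp.example/activate",
                         "expires_in": 600, "interval": 5}
        error = self.replies.pop(0) if self.replies else "expired_token"
        if error is None:  # None in the script means the user approved
            return 200, {"access_token": "at-constructed", "token_type": "Bearer"}
        return 400, {"error": error}

def run(replies):  # drive the flow against the fake server, recording each sleep
    server, sleeps = FakeAuthServer(replies), []
    tokens = device_sign_in(server.post, "https://idp.example/device/authorize",
                            "https://idp.example/token", "client-constructed", "openid",
                            show=lambda msg: None, sleep=sleeps.append)
    return tokens, sleeps
```

Calling `run(["authorization_pending", "slow_down", None])` walks the flow through one pending reply, one back-off and an approval.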
LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
LDAP password reset option
You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.
Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.
Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released, having previously been released to Production in 2020.09.0.
Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared Workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
People page improvements
You can now filter the People page by user type. See Universal Directory custom user types known issues.
UI element change
Dropdown menus on the Provisioning page (General Settings) are standardized. See Provision apps.
Early Access features, auto-enroll
You can now opt to auto enroll in all Early Access features, instead of having to enable them as they become available.
Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.