Okta Classic Engine release notes (Production)

Version: 2026.06.0

Salesforce provisioning support for PKCE

The Salesforce app integration now supports Proof Key for Code Exchange (PKCE) for OAuth 2.0 flows. This update ensures uninterrupted user provisioning and requires admins to update their Salesforce configuration to maintain service continuity.

Improved network zone error messages

The error message that appears when admins try to delete a network zone that's referenced by multiple policies or rules is now easier to read.

Secure SaaS and Okta Service Accounts

Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.

New System Log fields for matched network zones

Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event.

These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.

SHA-256 digest algorithm support

Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.

Navigation label update for integration agents

The Agents label in the Admin Console has been renamed to Integration agents to provide a more intuitive experience. A dismissible link to the AI Agents page is also available on the Integration agents page to improve navigation.

Improved request details layout

The request details page now features an optimized layout for small screens to improve readability.

Seamless ISV experience for SCIM

Okta now provides a seamless ISV experience to optimize the [Okta Integration Network (OIN)] submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See [Publish an OIN integration overview] and [Submit an integration with the OIN Wizard] guide.

Links: 1. https://www.okta.com/integrations/ 2. https://developer.okta.com/docs/guides/submit-app-overview/ 3. https://developer.okta.com/docs/guides/submit-oin-app/scim/main/

SAP SuccessFactors OAuth 2.0 with SAML Assertion

The SAP SuccessFactors app integration now supports OAuth 2.0 with SAML Assertion for enhanced API security. To ensure your provisioning and sync processes continue without interruption, you must migrate to this new authentication method before SAP Basic Authentication deletion deadline on November 20, 2026. See Configure OAuth 2.0 with SAML for SAP SuccessFactors.

New System Log events for privileged access database integrations

Two new System Log events, pam.integration.create and pam.integration.delete, are now available for Okta Privileged Access database management. This enhancement allows admins to track when database integrations are created or deleted. See System Log.

• App integrations didn't populate user credentials for subdomains that used the /auth/v3/signin endpoint, preventing users from signing in to the app. (OKTA-1074055)

• Okta Expression Language expressions with array attributes didn't always behave as expected. (OKTA-1166566)

• The application.lifecycle.update System Log event didn't populate the changeDetails field when admins updated Active Directory app settings. (OKTA-1178325)

• Iden (API Service) has a new scope.

• Fleetclear (OIDC) is now available. Learn more.

• Dell PowerProtect Backup Services (API Service) is now available. Learn more.

• Kirin (SAML) is now available. Learn more.