Okta Classic Engine release notes (Production)

Version: 2024.06.0

June 2024

Generally Available

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

Breached password protection

Protect your organization from the impact of passwords that have been compromised. If Okta determines that an Okta username and password combination has been compromised based on the data collected by our internal threat intelligence pipeline, Okta records a System Log event, expires the user's credentials, and requires the user to update their password before they can use their password to sign in again. See Breached password protection.

Rate limit update for using Okta fallback telephony provider

Orgs that use an active telephony inline hook now have a heavy rate limit for the Okta fallback mechanism.

Federation Broker Mode has been removed from OAuth Service Clients

The Federation Broker Mode option has been removed from OAuth Service Clients.

DPoP available when creating OIDC apps

You can now require the Demonstrating Proof of Possession (DPoP) condition when you create an OIDC app. Previously, this option was only available after you create the app. This streamlines the process of creating and securing OIDC apps.

Increase to Inline Hooks

The maximum number of inline hooks an org can create is now 100. The previous maximum was 50. See Add an inline hook .

Support for migration to Microsoft Graph

You can now migrate your existing Office 365 WS-Fed Manual app instances to Microsoft Graph by using the migration banner on the app dashboard.

Early Access

Enhanced dynamic zones

Use enhanced dynamic network zones to define IP service categories (proxies, VPNs), locations, and Autonomous System Numbers (ASNs) that are allowed or blocked in a zone. See Enhanced dynamic zones.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app’s profile page in the Admin Console.

As super admins and access request admins, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the app catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

You can also view and edit a user’s access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Workspace ONE Device Trust orgs using Classic Engine can now migrate to Identity Engine

Admins can now migrate their existing Workspace ONE Device Trust configurations to Identity Engine. This feature unblocks Classic Engine tenant migrations by allowing both the existing admin configuration and the end-user authentication flows to be migrated when previously integrated with our Workspace ONE Device Trust feature. See Migrate Workspace ONE SAML-based mobile device trust.


  • The list of languages in Customizations SMS wasn't translated. (OKTA-626381)

  • For custom SWA and SAML apps, the help links on the ApplicationProvisioning tab were incorrect. (OKTA-661972)

  • When an admin attempted to create a profile with a username that contained invalid characters, an unhelpful error message appeared in orgs using a custom character restriction for usernames. (OKTA-680557)

  • Users could bypass admin approval from the import screen to sign in to Okta when Active Directory Just-In-Time provisioning was disabled. (OKTA-706392)

  • The Disable Force Authentication option was ignored for org2org apps using the SAML sign-in mode and AMR claims mapping. (OKTA-711957)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-729735)

  • Admins couldn't enable the Enforce MFA to access the Admin Console feature in some orgs. (OKTA-730170)

  • New Dropbox Business instances were missing a profile attribute. (OKTA-733503)

  • The Provisioning tab wasn't saved when admins created Office 365 applications, and Japanese translations of the Session Lifetime for SAML apps feature didn't appear. (OKTA-735840)

Okta Integration Network

  • candidate.fyi (OIDC) is now available. Learn more.
  • Edify (OIDC) now has sign-in URLs.
  • KiteSuite (SAML) is now available. Learn more.
  • ParkZapp (W) (OIDC) is now available. Learn more.
  • ShareThis (SWA) was updated. (OKTA-723868)
  • Umbrella Faces (SCIM) is now available. Learn more.

Version: 2024.05.0

May 2024

Generally Available

Option to enforce profile source priority for Desktop Single Sign On

Enforcing profile source priority for DSSO requires end users to authenticate using their identity from the top prioritized profile source. See Enable delegated authentication for LDAP.

Microsoft Graph commands for Office 365 Manual Domain Federation

The Manual Domain Federation configuration guide for Microsoft Office 365 now uses Microsoft Graph commands.

Permissions for custom admins to manage agents

Custom admins can now view, register, and manage agents. See Agent permissions.

Improved password reset process for Active Directory-sourced users

Okta now updates user profiles when externaId, DN, or managerDn is updated in AppUser profiles during provisioning. Only attributes that have relevant mappings are affected.

IME support for international characters

Admins can now use an Input Method Editor (IME) to type international characters into the Admin Console.

Support for multiple Okta Verify enrollments

Multiple Okta Verify enrollments are now supported on the Authentication and Factors APIs. Multiple enrollments using Okta Verify TOTP aren’t allowed if the factor enrollment policy requires Okta Verify with Push. Set Okta Verify with Push to optional to allow Multiple enrollments using Okta Verify TOTP.

Deprecated user profile attributes for Office 365

The following user profile attributes are no longer supported for Office 365:

  • AuthOrig
  • DLMemRejectPerms
  • DLMemSubmitPerms
  • IsTrackingChanges
  • UnauthOrig

See Supported user profile attributes for Office 365 provisioning.

OIN connector support for Entitlement Management

The GitHub Team connector has been updated to support Entitlement Management. See Provisioning-enabled apps.

System Log events for Workflows execution history

Three new event types have been added to the System Log for logging Workflows execution history events:

  • workflows.user.flow.execution_history.activate
  • workflows.user.flow.execution_history.deactivate
  • workflows.user.flow.execution_history.delete

See the Event Types API.

System Log event updates for sign-on policies

The following System Log events are updated to include more debug data and change details about added, updated or deleted rules:

  • application.policy.sign_on.rule.create
  • application.policy.sign_on.rule.delete
  • application.policy.sign_on.update
  • policy.lifecycle.update
  • policy.rule.update

System Log event update for Trusted Origins

If a Trusted Origin is updated using an Event Hook, the event hook ID is now displayed in the System Log event.

Early Access

Skip the verify page and redirect to the IdP authenticator

This feature allows users to skip the verify step in the Sign-In Widget. They are instead redirected to the IdP authenticator for verification. When you enable this feature, end users see the option to skip the Sign-In Widget verification. If your org is configured to remember the last authenticator the user used, then the user is auto-redirected to the IdP authenticator for future sign-in attempts.

Require MFA for Admin Console access

You can require multifactor authentication to access the Okta Admin Console. When you enable this feature, all Admin Console authentication policy rules that allow single factor access are updated to require multifactor authentication. See Enable MFA for the Admin Console.


  • Failed Group Push operations to ServiceNow weren't displayed on the Tasks page. (OKTA-677484)

  • Provisioning to UKG Pro sometimes failed due to WorkCountryCode. (OKTA-681623)

  • An internal error caused IWA agent upgrades to fail. (OKTA-693810)

  • Performing a Push Now operation on an empty push group in Okta failed to reconcile the group in Zendesk. (OKTA-701099)

  • Stuck XaaS executions weren't marked as failed jobs. (OKTA-712091)

  • Users who entered an invalid username into a password-first sign-in flow saw a misleading error message. This behavior occurred only in orgs that enabled the Multiple Identifiers feature and disabled User Enumeration Prevention. (OKTA-713096)

  • When Okta detected a change in an admin’s IP, the caep_session_revoked signal wasn't sent to the SSF receiver. This occurred when the IP binding for admin console setting was enabled. (OKTA-717305)

  • Active Directory incremental imports were converted to full imports when a new OrganizationUnit was added or an existing OrganizationUnit was renamed. (OKTA-718186)

  • Super admins with roles assigned through group assignment couldn't enable Direct Authentication grant types in an OIDC app. (OKTA-719756)

  • When running delegated flows from the Okta Admin Console, the event metadata wasn't recorded by the System Log. (OKTA-722302)

  • Smart Card IdP username transformation didn't allow the space characters within the username string. This functionality is only available with custom UD attributes. (OKTA-723152)

  • The Edit button for modifying an SSWS API token's rate limit was disabled instead of hidden for admins who didn't have permission to update the rate limit. (OKTA-724333)

Okta Integration Network

  • DigiCert (SWA) was updated. (OKTA-722381)
  • Foqal Agent (SAML) is now available. Learn more.
  • Kantega SSO (OIDC) is now available. Learn more.
  • Kantega SSO (SAML) is now available. Learn more.
  • Kantega SSO (SCIM) is now available. Learn more.
  • LimbleCMMS (OIDC) now has additional redirect URIs.
  • Netdata (OIDC) is now available. Learn more.
  • Obsidian Security (SAML) now has an option to select the region for the ACS URL.
  • SCIM 1.1 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 Test App (OAuth Bearer Token) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Basic Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (Header Auth) now has SWA and SAML functionality.
  • SCIM 2.0 with Entitlements Management (OAuth Header Auth) now has SWA and SAML functionality.
  • Vansec (SCIM) now has updated application profile and mappings.

Weekly Updates

Version: 2024.04.0

April 2024

Generally Available

Okta MFA Provider for ADFS, version 1.8.0

This release includes vulnerability fixes and a .NET Framework version upgrade.

Content Security Policy for custom domains

The Content Security Policy (CSP) feature lets admins control which URLs may be linked to from customized sign-in and error pages in orgs that use custom domains. Admins add trusted URLs to Okta that link to items such as images and add these links to the code in their sign-in and error pages. This feature enhances security by enabling admins to allow only approved content to appear and prevent the introduction of potentially malicious code to these pages. See Customize the Content Security Policy (CSP) for a custom domain.

SAML Certificate expiration notification feature

This feature notifies admins through task entries in the Admin Console about expired or soon-to-expire certificates for SAML apps. This enhances security and minimizes app downtime caused by expired certificates.

Support case management for admins

Super admins can now assign the View, create, and manage Okta support cases permission and Support Cases resource to a custom admin role. This allows delegated admins to manage the support cases that they’ve opened. See Role permissions.

Okta Usage report enhancements

The Okta Usage report now attempts to download the generated CSV file immediately upon loading, and updates the email template when the report is generated. The CSV file can now contain up to five million rows. These enhancements automate the tasks of downloading and emailing the report, and provide more data to admins.

Customize Okta to use the telecommunications provider of your choice

While Okta provides out of the box telephony functionality, many customers need the ability to integrate their existing telecommunications provider with Okta to deliver SMS and Voice messages.

The Telephony Inline Hook allows customers to generate one-time passcodes within Okta and then use their existing telecommunications provider to deliver the messages for MFA enrollment/verification, password reset, and account unlock using SMS or Voice. This allows customers to use their existing telephony solution within Okta, due to the time they've already invested in their existing telephony solution, the need to use a specific regional provider, or simply the desire to maintain flexibility. See Connect to an external telephony service provider.

New maximum number of connected AWS accounts

Admins can now connect a maximum of 1000 Amazon Web Services accounts to the AWS Account Federation app in Okta. This change helps avoid timeouts when testing API credentials on AWS.

Improved date filter display in reports

The date filter is now standardized and appears inline for the following reports: Telephony usage, Continuous access violation, Entity risk, At-risk user, and MFA events.

Improved Admin Dashboard and Administrators page

The appearance of several UI components (like buttons and dropdown menus) have been improved across the Admin Dashboard and the Administrators page.

Updated documentation links

Documentation links under the Security, Applications, and Customizations menus now redirect to the correct documentation.

End-User Dashboard and unsupported browsers

The End-User Dashboard no longer loads in unsupported browsers, including Internet Explorer 11 or Edge in Internet Explorer mode. This change enhances security by preventing access from browsers that no longer receive updates.

End-User Dashboard branding and accessibility enhancements

The End-User Dashboard now features design changes that provide a consistent brand experience across Okta's app and enhance accessibility for users.

New target added to a System Log event

A new target was added to the user.authentication.auth_via_mfa System Log event. The target shows the type of MFA app that was used to authenticate.

Authentication context System Log event

The new AuthenticationContext System Log event shows who accessed the configuration secrets for ADFS, Windows Credential Provider (RDP), Epic Hyperspace, and Epic Hyperdrive apps.

New DSSO user impersonation System Log event

A System Log event is now logged when a user attempts Desktop Single Sign-On (DSSO) authentication using a profile source that wasn't the highest priority.

Early Access

This release doesn't have any Early Access features.


  • Some Microsoft Windows 365 Enterprise license names weren't displayed correctly on the Edit Assignment page. (OKTA-679276)

  • Admins could delete active network zones. (OKTA-691904)

  • No GovSlack attributes appeared for new app instances. (OKTA-693162)

  • Google Workspace default user schema attributes weren't imported into Okta. (OKTA-697236)

  • When an end user enrolled in Okta Verify from an OIDC app, they received the email notification from noreply@okta.com instead of the custom email domain. (OKTA-701658)

  • When an admin enabled a self-service Early Access feature and an error occurred, a success message appeared. (OKTA-701707)

  • App admins could initiate the refresh app data process for apps to which they didn't have permission. (OKTA-711670)

Okta Integration Network

  • Alohi (SAML) is now available. Learn more.
  • Alohi (SCIM) is now available. Learn more.
  • Better Stack (SAML) has a new logo.
  • Candor (OIDC) is now available. Learn more.
  • FAX.PLUS (SAML) has a new logo, description, and display name.
  • Humi (OIDC) is now available. Learn more.
  • Jurnee (SCIM) is now available. Learn more.
  • UMA (OIDC) is now available. Learn more.

Weekly Updates