Okta Classic Engine release notes (Production)
Generally Available
Version: 2026.06.0
- Salesforce provisioning support for PKCE
The Salesforce app integration now supports Proof Key for Code Exchange (PKCE) for OAuth 2.0 flows. This update ensures uninterrupted user provisioning and requires admins to update their Salesforce configuration to maintain service continuity.
- Improved network zone error messages
The error message that appears when admins try to delete a network zone that's referenced by multiple policies or rules is now easier to read.
- Secure SaaS and Okta Service Accounts
Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.
- New System Log fields for matched network zones
Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event. These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
- SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
- Navigation label update for integration agents
The Agents label in the Admin Console has been renamed to Integration agents to provide a more intuitive experience. A dismissible link to the AI Agents page is also available on the Integration agents page to improve navigation.
- Improved request details layout
The request details page now features an optimized layout for small screens to improve readability.
- Seamless ISV experience for SCIM
Okta now provides a seamless ISV experience to optimize the [Okta Integration Network (OIN)] submission experience for SCIM integrations. This new experience enables independent software vendors (ISVs) to build and manually test their SCIM integration metadata before submission to the OIN. This reduces the time needed for the OIN team to review and validate that the SCIM integration functions as intended, which shortens the time to publish in the OIN. This experience also incorporates communication processes in Salesforce, enabling improved collaboration internally within Okta teams and externally with ISVs. See [Publish an OIN integration overview] and [Submit an integration with the OIN Wizard] guide.
Links: 1. https://www.okta.com/integrations/ 2. https://developer.okta.com/docs/guides/submit-app-overview/ 3. https://developer.okta.com/docs/guides/submit-oin-app/scim/main/
Early Access
- SAP SuccessFactors OAuth 2.0 with SAML Assertion
The SAP SuccessFactors app integration now supports OAuth 2.0 with SAML Assertion for enhanced API security. To ensure your provisioning and sync processes continue without interruption, you must migrate to this new authentication method before the SAP Basic Authentication deletion deadline on November 20, 2026. See Configure OAuth 2.0 with SAML for SAP SuccessFactors.
- New System Log events for privileged access database integrations
Two new System Log events, pam.integration.create and pam.integration.delete, are now available for Okta Privileged Access database management. This enhancement allows admins to track when database integrations are created or deleted. See System Log.
Fixes
- App integrations didn't populate user credentials for subdomains that used the /auth/v3/signin endpoint, preventing users from signing in to the app. (OKTA-1074055)
- Okta Expression Language expressions with array attributes didn't always behave as expected. (OKTA-1166566)
- The application.lifecycle.update System Log event didn't populate the changeDetails field when admins updated Active Directory app settings. (OKTA-1178325)
Okta Integration Network
- Iden (API Service) has a new scope.
- Fleetclear (OIDC) is now available. Learn more.
- Dell PowerProtect Backup Services (API Service) is now available. Learn more.
- Kirin (SAML) is now available. Learn more.
2026.06.1: Update 1 started deployment on June 15
- Provisioning for Rapid7 InsightAppSec
Provisioning is now available for the Rapid7 InsightAppSec app integration. When you provision the app, you can enable security features like Entitlement Management. See Rapid7 InsightAppSec.
Fixes
- For a specific Active Directory integration, scheduled and manual incremental imports failed intermittently in Preview environments. This issue occurred after admins resumed a previously halted import block. (OKTA-1135003)
- During Group Push operations, Okta unexpectedly provisioned a non-Active Directory user into a target Active Directory group. (OKTA-1147204)
- When admins edited a custom admin role that included delegated flow Workflows permissions, Okta incorrectly prompted them to repeat step-up authentication. This issue blocked the changes and displayed a protected-action message. (OKTA-1169760)
- During Group Push operations, updates sometimes failed with an error message when the system processed group memberships. This issue caused synchronization to fail intermittently for specific push groups. (OKTA-1181698)
- Group Push operations to Jamf Pro sometimes failed. (OKTA-1183535)
Okta Integration Network
- CodeSignal (SAML) is now available. Learn more.
- CodeSignal (SCIM) is now available. Learn more.
- Dell Power Protect Backup Services powered by Druva has the okta.deviceAssurance.manage and okta.behaviors.manage scopes.
- Kirin (SAML) is now available. Learn more.
- Mabyduck (OIDC) is now available. Learn more.
- Mabyduck now supports Universal Logout.
- Ocozzio Marketing Center (SAML) is now available. Learn more.
- Ocozzio Marketing Center (SCIM) is now available. Learn more.
- Risotto (SAML) is now available. Learn more.
- StackAdapt (SCIM) is now available. Learn more.
- X (Twitter) (SWA) was updated.
2026.06.2: Update 2 started deployment on June 23
- Reassign steps to multiple users
You can now reassign steps within an approval sequence or request type to 10 users. This applies to tasks, questions, actions, and approvals.
- Admin OIDC App Phase Two Tranch One
When the Admin OIDC App Phase Two Tranch One feature is enabled, the Okta Admin Console automatically initiates the OIDC sign-in flow on page load, and admins are briefly redirected to the authentication page before the requested page appears.
Fixes
- Users who matched a group rule weren't automatically added to the target group. (OKTA-1152179)
- Sometimes accessing an Active Directory domain resulted in a 500 error. (OKTA-1194967)
- The Agent down notification label in the Admin Console was unclear. (OKTA-1195857)
- Sometimes approval tasks in access requests for Okta admin roles weren't assigned to groups and remained unassigned, causing delays in request resolution. (OKTA-1198387)
- When an Okta service account was removed from Okta Privileged Access, Okta suspended the associated managed users and blocked admins from performing manual lifecycle operations on those users. (OKTA-1199623)
Okta Integration Network
- Docupilot (SCIM) is now available. Learn more.
- Dokio (SAML) is now available. Learn more.
- Dokio (SCIM) is now available. Learn more.
- Factor Labs (SCIM) is now available. Learn more.
- Granola (SAML) is now available. Learn more.
- IBM OS/400 on AS/400 (IBM i on Power Systems) by Aquera (SCIM) is now available. Learn more.
- Rapid7 Insightappsec (SAML) is now available. Learn more.
- Splunk Add-on for Okta Identity Cloud (API Service) has a new integration guide.
- Supabase (SAML) is now available. Learn more.
- Taktile (SCIM) is now available. Learn more.
- Taktile has a new configuration guide.
2026.06.3: Update 3 started deployment on June 29
Fixes
- When Okta processed two distinct group rules simultaneously during group rule execution, the system failed to automatically unassign users from an inactive app. (OKTA-1114930)
- When a user belonged to multiple groups that were assigned to an Active Directory instance, Okta didn't prioritize their assignments and attributes based on the configured group priority. (OKTA-1115091)
- The Okta password health report timed out for orgs with large user directories and returned incomplete data. Reports for large orgs are now limited to a maximum of 500,000 users to ensure reliable performance. (OKTA-1151306)
- The DirSync readiness warning banner on the Integration Agents dashboard displayed outdated status information. (OKTA-1185146)
- When a Workday-sourced user was deleted in Active Directory, they were incorrectly deactivated in Okta. (OKTA-1204655)
Okta Integration Network
- Censys (SAML) is now available. Learn more.
- Censys (SCIM) is now available. Learn more.
- Lawvek (OIDC) is now available. Learn more.
- Lawvek (SAML) is now available. Learn more.
- Lawvek (SCIM) is now available. Learn more.
- Rubrik Security Cloud (API Service) was updated.
- Topogy Group Sync (API Service) is now available. Learn more.