Okta Classic Engine release notes (Production)

Version: 2026.03.0

March 2026

Generally Available

Improved error handling for group membership searches

When an internal error is returned for a group membership search, the ordering and sorting direction options are removed and the search is performed again.

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Yammer rebranded to Microsoft Viva

The Yammer integration in Microsoft Office 365 now displays the Microsoft Viva logo and directs users to the Microsoft Viva homepage. This update supports Viva Insights and Viva Connections in GCC environments.

Enhanced provisioning controls for Microsoft Office 365

Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.

Early Access

Improved DirSync-based imports

Optimize performance of AD DirSync-based imports by skipping unnecessary prechecks and downloading organizational units without using DirSync.

Self-Service for Enhanced Disaster Recovery

When unexpected infrastructure-related outages occur, orgs need an immediate and reliable way to maintain business continuity. Okta's Standard Disaster Recovery, implemented by Okta's operations teams, provides failover and failback with a recovery time objective of one hour.

Okta's Enhanced Disaster Recovery (Enhanced DR) gives admins the option to manage their org's recovery. This feature empowers admins by providing direct, self-service tools and APIs to manage, test, and automate the failover and restoration processes for their impacted orgs.

With Enhanced DR, admins gain active control to initiate a failover and restore for impacted orgs directly from the Okta Disaster Recovery Admin portal or through APIs. Additionally, teams can validate their system's resilience by safely testing these failover and restoration capabilities at their convenience. Finally, Enhanced DR enables orgs to automate failover processes by using real-time monitoring to invoke failover APIs, significantly minimizing downtime during an actual event. See Okta disaster recovery.

Fixes

  • You couldn't search for and select users with Provisioned, Active, Recovery, Password Expired, or Locked out status when assigning a step in an approval sequence and in request types. (OKTA-944822)

  • Group rules sometimes behaved unpredictably when multiple distinct transactions ran the rules on the same user at the same time. (OKTA-954076)

  • When AD-sourced users attempted to sign in using an expired temporary password and self-service password change was disabled, an incorrect error message was displayed. (OKTA-1113434)

Okta Integration Network

  • Guardare (SAML) is now available. Learn more.

  • Valence Remediation (API) is now available. Learn more.

  • Cato Networks Provisioning now supports user imports and updates.

  • PerimeterX now supports SAML.

  • PerimeterX now supports SCIM.

  • Druva Data Security Cloud (API Service) now has the okta.clients.read scope.

  • Natoma has a new app icon.

  • Adobe Creative (SWA) was updated.

  • Adobe Fonts (SWA) was updated.

Version: 2026.02.0

February 2026

Generally Available

Okta Mobile End of Life

The Okta Mobile app will transition to End of Life (EOL) status on May 31, 2026.

After this deprecation date, Okta Mobile will not receive any further security updates, bug fixes, or support. The app will no longer be available for download through the Apple App Store or the Google Play Store.

Okta previously announced the End of Support for Okta Mobile, effective November 1, 2025.

See Okta Mobile End of Life for available migration solutions.

Group push for Zoho Mail

Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

Okta Provisioning agent, version 3.0.7

Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

  • The Generic Database Connector now supports Base64 encoded path parameters.
  • Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

Access revoked notifications

For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

Admin Console French translation

Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

Agents page description

The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

Protected action notifications removed

For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.

LDAP Bidirectional Group Management

Bidirectional Group Management for Lightweight Directory Access Protocol (LDAP) allows you to manage LDAP groups from within Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in LDAP.

Okta can only manage group memberships for users and groups imported into Okta using the LDAP or Active Directory (AD) integration. It isn't possible to manage users and groups that weren't imported through LDAP or AD integration or are outside the organizational unit's scope for the integration using this feature.

Radius Agent version 2.26

This version includes internal improvements and fixes.

WS-Trust 1.3 support for Windows Transport

Windows Transport now supports WS-Trust 1.3 protocol. This enables Silent Activation for newer Microsoft Office clients, eliminating the need for users to manually enter their credentials.

Early Access

On-premises connector for Generic Databases

The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

Fixes

  • When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)

  • Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)

  • When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

  • The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

Okta Integration Network

  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.

  • HashiCorp Vault (OIDC) is now available. Learn more.

  • Instagram (SWA) was updated.

  • Mailchimp (SWA) was updated.

  • Solarwinds Customer Portal (SWA) was updated.

  • Peaxy Lifecycle Intelligence (OIDC) has a new app name.

Weekly Updates

2026.02.1: Update 1 started deployment on February 17

Fixes

  • Group rules sometimes failed when they were executed immediately after a group rule was deleted. (OKTA-880814)

  • Group push sometimes failed during deployments. (OKTA-941489)

  • When the display language was set to French, the Agents and API > Tokens pages weren't translated. (OKTA-1104991)

  • App imports failed with a BeanCreationNotAllowedException error when system deployments interrupted the process. (OKTA-1105164)

  • When a user's API status was suspended, but their user status differed, their password was incorrectly able to be expired. (OKTA-1108658)

Okta Integration Network

  • Priverion Platform SSO with SCIM 2.0 (SAML) is now available. Learn more.

  • Priverion Platform SSO with SCIM 2.0 (SCIM) is now available. Learn more.

  • Webrix (OIDC) is now available. Learn more.

  • Webrix (SCIM) is now available. Learn more.

  • BrandLife (OIDC) is now available. Learn more.

  • Brava Security (OIDC) is now available. Learn more.

  • Brava Security now supports Express Configuration.

  • WideField Security - Detect has a new integration guide.

  • Druva Data Security Cloud (API) now has the okta.authorizationServers.manage, okta.devices.read, okta.idps.manage, and okta.roles.manage scopes.

  • Vanta (SAML, SCIM) was updated.

2026.02.2: Update 2 started deployment on February 23

Generally Available

Okta On-Prem MFA agent version 1.8.5

This version includes security enhancements.

Fixes

  • When the Map primary email to login attribute feature was enabled, Username and Email address were shown as separate fields on the Self-service registration page. (OKTA-1107675)

  • When the display language was set to French, the list of network zones on the Networks page wasn't translated. (OKTA-1111126)

  • When the display language was set to French, some of the button labels on the Set up Active Directory pages weren't translated. (OKTA-1111128)

  • In some orgs, password reset emails didn't allow users to reset their password. (OKTA-1120290)

Okta Integration Network

  • Natoma (SCIM) is now available. Learn more.

  • Natoma (SAML) is now available. Learn more.

  • 6sense legacy (SCIM) is now available. Learn more.

  • Four/Four (OIDC) is now available. Learn more.

  • Docupilot (SAML) is now available. Learn more..

  • IdentiGuard (API Service) has new scopes. Learn more.

  • Zylo now supports the okta.userTypes.read and okta.schemas.read scopes.

  • Zylo with Okta Actions (API Service) now supports the okta.userTypes.read and okta.schemas.read scopes.

  • Drata (OIDC) has new redirect URIs. Learn more.

  • 6sense - Platform has a new app description and is rebranded as 6sense legacy.

  • RevSpace (OIDC) has new app icon.

  • Hubspot (SWA) was updated.

2026.02.3: Update 3 started deployment on March 2

Fixes

  • When creating an AD integration, the Admin Console displayed the incorrect organization URL for the Okta Active Directory agent. (OKTA-1044074)

  • When admins edited certain Microsoft Office 365 authentication policy rules, the AND User must authenticate with field incorrectly displayed Any 1 factor type instead of the configured assurance requirement. (OKTA-1055783)

  • When admins enabled Force rematch on subsequent imports, unconfirmed users with an exact match weren't automatically matched or confirmed during scheduled imports. (OKTA-1087380)

  • When LDAP users were provisioned using a Generalized Time attribute from Okta to LDAP OID or OpenDJ, the time was incorrectly formatted. (OKTA-1096662)

  • When an admin selected Create or Update in the provisioning settings of an Office 365 app, and then canceled the changes, the Manage Provisioning Scope section disappeared from the To App tab when they navigated away and back to the page. (OKTA-1105441)

  • Orchestrated import jobs sometimes failed when an object lacked an ancestor. This caused the import process to stop unexpectedly while handling group memberships or deleted objects. (OKTA-1115537)

Okta Integration Network

  • Brain Payroll (OIDC) is now available. Learn more.

  • Neo (API Service) is now available. Learn more.

  • Operant MCP Gateway (OIDC) is now available. Learn more.

  • Speeda (OIDC) is now available. Learn more.

  • Zerocater (OIDC) is now available. Learn more.

  • Zerocater (SCIM) is now available. Learn more.

  • Zerocater now supports Universal Logout.

Version: 2026.01.0

January 2026

Generally Available

JSON Web Encryption of OIDC ID tokens

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. See Encrypt OIDC ID tokens for app integrations.

Unified claims generation for custom apps

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (requires OIG), device profile, session ID, and session AMR. See Configure custom claims for app integrations.

New look and feel in the Access Requests email notifications

The Access Requests email notifications have a new look and feel, including updates to the text alignment, colors used, location of the Okta logo, and the addition of a gray background.

Escalate tasks is generally available in Production environments

Access request admins and request assignees can escalate stalled tasks within a request to the task assignee's manager. Requesters can also escalate tasks within their access requests if you've enabled the Allow requesters to escalate tasks toggle on the Settings page. This helps expedite request resolution, prevents bottlenecks, improves productivity, and helps reduce the use of risky workarounds. Task escalation is a secure, auditable, and automated process that helps you adopt time-based access request models by supporting both efficient operations and strong security postures.

See Manage tasks and Allow requesters to escalate tasks.

OAuth 2.0 scopes automatically assigned to API integrations

Now when you add an API integration to your org, Okta automatically assigns the required OAuth 2.0 scopes to the app.

Usability enhancements for Office 365 WS-Federation configuration

The WS-Federation configuration interface on the sign-in page has been refined for improved clarity and usability:

  • The View Setup Instructions button has been relocated to optimize the visual layout.
  • A new display option has been added to visualize parent and child domain relationships.

Enhanced provisioning support for Office 365 GCC High integration

Office 365 GCC High provisioning now supports Universal Sync. This enables admins to synchronize on-premises attributes to Microsoft Entra ID.

Early Access

Breached credentials protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials protection.

Breached credentials protection is now available for Federal customers.

Fixes

  • The following attributes weren't properly being gated as reserved attributes: orgid, activationstatus, apistatus, logintype, initialreconcilecomplete, activationdate, statuschangeddate, apilastupdate, passwordexpirationguess, passwordexpirationcursor, numunlocks, changedstatus. See Review reserved attributes. (OKTA-1049339)

  • In Preview orgs, admins couldn't see error messages because they were blocked by a banner. (OKTA-1053703)

  • Sometimes, if users attempted to sign in through JIT during a replication lag, a 500 error occurred. (OKTA-1055324)

  • In some orgs, resource access policy rules didn't take effect immediately after being updated. (OKTA-1071402)

  • Admins encountered an error when they attempted to update the username for an app user. (OKTA-1047716)

  • When an admin provisioned an LDAP user with a LDAP Generalized Time attribute from Okta to LDAP, the time value was formatted incorrectly. (OKTA-1056428)

  • JIT users were redirected to a SP before app assignments were completed, causing an access denied error. (OKTA-1061698)

  • In orgs with an Okta Org2Org integration, the Sign-In Widget displayed the wrong user email address if the address was changed during authentication. (OKTA-1063332)

  • Microsoft Office 365 user provisioning failed intermittently with a 429 error. This occurred when the system attempted to provision users who already existed in the Microsoft Entra recycle bin with the same onPremisesImmutableId. (OKTA-1068843)

  • In orgs that disabled certificate-based authentication for Office 365, Windows Autopilot was incorrectly removed from the app sign-in policy. (OKTA-1081329)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

Okta Integration Network

  • Dokio (SCIM) is now available. Learn more.

  • Kuranosuke (SAML) is now available. Learn more.

  • LINE WORKS (SCIM) is now available. Learn more.

  • SciLeads Portal (OIDC) is now available. Learn more.

  • SciLeads Portal (SCIM) is now available. Learn more.

  • ShareCal (SCIM) is now available. Learn more.

  • ShareCal (SAML) was updated with a new logo.

  • Humana Military (SWA) was updated.

  • Xint (OIDC) added new IDP flow.

  • cmBuilder(OIDC) has a new Redirect URI and a new Post Logout Redirect URI Learn more.

  • Xurrent IMR (Formerly Zenduty) (SAML) has a new name and new icon.

Weekly Updates

2026.01.1: Update 1 started deployment on January 20

Generally Available

New IP service category

FINE_PROXY is now supported as an IP service category in enhanced dynamic zones. See Supported IP service categories.

Fixes

  • In Org2Org Classic to Identity Engine setups with claims sharing enabled, users were prompted for additional factors when signing in to the Identity Engine org. This occurred even though they entered their password in the Classic org and the Identity Engine org's app sign-in policy was set to Any 1 Factor. (OKTA-1016793)

  • When the AND Behavior is rule was set to New Device in the global session policy, a message appeared that didn't clearly indicate that users are prompted for MFA at every sign-in. (OKTA-1064096)

  • When an admin updated the agent pool, an error occurred if the agentType was missing. (OKTA-1071106)

  • When an admin reactivated a user through an Active Directory import, the System Log didn't record the event. (OKTA-1071233)

  • When an enhanced dynamic zone was configured to block GOOGLE_VPN, requests from GOOGLE_RENDER_PROXY were also blocked. (OKTA-1080379)

  • For requests managed by access request conditions, the email and Microsoft Teams notifications for request approvals and denials didn't match the Slack notification UI. (OKTA-1096668)

Okta Integration Network

  • Seismic (SCIM) is now available. Learn more .

  • OX Security (OIDC) is now available. Learn more .

  • Skedda (SCIM) is now available. Learn more .

  • Jotform (SCIM) is now available. Learn more .

  • Planhat (SCIM) is now available. Learn more .

  • Safety AZ (OIDC) is now available. Learn more .

  • Exabeam (SAML) is now available. Learn more .

  • 101domain (OIDC) is now available. Learn more .

  • OX Security (OIDC) now supports Universal Logout.

  • Skedda (SAML) has a new description, icon, and configuration guide.

  • Obsidian Security (SAML) has a new configuration guide, attribute, and app description.

  • Planhat (SAML) has a new integration guide.

  • Exaforce (API Service) now has the okta.idps.read scope.

  • Seismic (SAML) has a new logo, app description, and configuration guide.

  • BridgeBank Business eBanking (SWA) was updated.

  • Humana Military (SWA) was updated.

  • Jotform (SAML) was updated.

  • Scalefusion OneIdP (SCIM) was updated.

2026.01.2: Update 2 started deployment on February 2

Generally Available

Fixes

  • Arbitrary headers could be added to SCIM requests during the On-Premises Provisioning agent integration. (OKTA-1000055)

    ONLY DOC AFTER ALL PROD CELLS DEPLOY. REMOVE DNP FOR 2026.02.0

  • When users authenticated using a third-party IdP, the AMR claims for MFA weren't included in the token. (OKTA-1020028)

  • When creating a group rule, after entering ten groups, admins needed to enter complete or nearly-complete group names to add more groups to the rule, rather than being able to enter a partial name and select from a list. (OKTA-1067501)

  • When admins created a user and chose a realm to assign, the realm wasn't assigned and an error occurred upon save. (OKTA-1091903)

  • Admins couldn't revert the default network zone's name back to LegacyIpZone after they'd modified it. (OKTA-1045470)

  • Active Directory imports failed with a ProcessMembershipsAndDeletedObjectsJob: null error. (OKTA-1098885)

Okta Integration Network

  • SparrowDesk (SAML) is now available. Learn more.

  • Eon.io (SAML) is now available. Learn more.

  • NoClick (SAML) is now available. Learn more.

  • Druva Data Security Cloud (API) is now available. Learn more.

  • SimCorp Dimension (SAML) is now available. Learn more.

  • Falcon Shield (API Service Integration) has a new scope. Learn more.

  • Rubrik Security Cloud (API Service Integration) has a new integration guide. Learn more.

  • SimCorp Dimension (SCIM) has a new SCIM configuration guide URL and a new app description.

  • AWS IAM Identity Center (SAML) has multiple ACS URLs support.

  • ShareCal (SAML) has an updated App Instance Property & Configuration Guide link.

  • ClickUp (SAML) has a new configuration guide and app description.

  • ClickUp (SAML) was updated.

  • CardinalOps (SAML) was updated.

  • OrbiPay Payments (SWA) was updated.