Okta Classic Engine release notes (Production)

Version: 2025.07.0

July 2025

Generally Available

Sign-In Widget, version 7.33.0

For details about this release, see the Sign-In Widget Release Notes. For more information about the Widget, see the Okta Sign-In Widget.

Release notes available in Japanese

Release notes for Okta Classic Engine are now translated to Japanese for each release. These translations are published within a week of the English publication.

Okta Provisioning agent, version 2.3.1

This release contains security enhancements. See Okta Provisioning Agent and SDK version history.

Okta Hyperdrive agent, version 1.5.1

This version includes security enhancements.

Okta LDAP agent, version 5.24.0

This version of the agent includes the following:

  • Configuration files are now encrypted
  • Local LDAP agent configuration files are monitored for unexpected changes
  • install.log created to help debug installation issues
  • Security enhancements

Google Workspace improvements

The following changes have been made to improve the performance of the Google Workspace app integration:

  • More robust group-related error handling
  • Eliminated duplicate group creation upon import when Import Groups is disabled

Okta MFA Credential Provider for Windows

This release includes bug fixes and security enhancements.

LDAP Interface OIDC app

LDAP Interface now has an application session policy that only enforces password. This only applies to Okta orgs without a prior LDAP interface setup. For orgs with an existing LDAP interface setup, global session policies still control LDAP Interface authentication policies. See Set up and manage the LDAP Interface.

Conditions for create user permission

You can now add conditions to the Create user permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permission conditions.

Bypass ASN binding with the Default Exempt IP Zone

The ASN binding feature associates admins with the IP address that they signed in from. If the IP changes during a session, the admin is signed out of Okta, and an event appears in the System Log. To bypass IP and ASN binding, you can add the client IP to the Default Exempt IP Zone. See IP exempt zone.

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See Define attribute statements.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

New look and feel in the Admin Console

The Admin Console now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

New look and feel in the End-User Dashboard

The End-User Dashboard now provides a new look and feel, including redesigned side and top navigation menus and the addition of a gray background.

Restrict access to the Admin Console

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings.

Early Access

Network restrictions for OIDC token endpoints is EA in Preview

You can now apply network restrictions to OIDC token endpoints to enhance token security. See Create OpenID Connect app integrations.

Okta Integration IdP type is EA in Preview

The Okta Integration IdP allows you to use an Okta org as an external IdP, simplifying configuration and providing secure defaults. See Add an Okta Integration Identity Provider.

Universal Directory map toggle

The new Universal Directory (UD) map toggle enables admins to link a user's email address to their identifier. This allows admins to enable the self-service registration feature. See General Security.

Enforce MFA for Identity Governance admin apps

The Enforce MFA for Identity Governance admin apps feature is no longer available as a self-service Early Access feature. Admins must contact Okta Support to enable or disable this feature. See Enable MFA for the Admin Console.

OU moves for LDAP-provisioned users

When an admin configures Okta to LDAP provisioning settings, they can now move users to a different Organizational Unit (OU) by changing their group assignments. See Configure Okta to LDAP provisioning settings.

Okta Hyperspace agent, version 1.5.1

This version includes security enhancements.

System Log event for monitoring LDAP Agent config file changes

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.

On-prem Connector for Oracle EBS

On-prem Connector for Oracle EBS connects Oracle EBS on-premises apps with Okta Identity Governance. It helps admins discover, view, and manage Oracle EBS entitlements directly in Okta. This integration enhances security, saves time, streamlines entitlement management, and eliminates the need for custom integrations. See On-prem Connector for Oracle EBS and Supported entitlements by On-prem Connector.

Fixes

  • Admins couldn't edit the "Need help signing in?" link on the Sign-In Widget (third generation). (OKTA-917840)

  • Group push errors were displayed for app instances that didn't have provisioning enabled. (OKTA-924631)

  • Client location, IP address, and user agent weren't visible for security.breached_credential.detected events in System Log. (OKTA-934324)

  • When any of the "When a user is reactivated in the app" options were enabled for an app integration, the first attempt by disconnected AD users to sign in again using ADSSO failed. (OKTA-939542)

  • Additional roles couldn't be added to the base Role attribute for SmartRecruiters app integrations. (OKTA-944146)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

  • Some users who were logged out of Okta by the breached credentials protection feature had custom attribute values deleted from their user profile. (OKTA-964312)

Okta Integration Network

  • Cockroach Labs (SCIM) is now available. Learn more.
  • Grace (OIDC) is now available. Learn more.
  • Hive (SCIM) is now available. Learn more.
  • Optmyzr (OIDC) is now available. Learn more.
  • Planfix (SCIM) is now available. Learn more.
  • Planfix (SAML) is now available. Learn more.
  • Splunk Add-on for Okta Identity Cloud (API integration) is now available. Learn more.

Version: 2025.06.0

June 2025

Generally Available

Per-app SAML certificate expiry notifications

The Tasks page now displays certificate expiry notifications for individual SAML apps.

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Okta Provisioning Agent now supports Group Push with SCIM 2.0

You can now use Group Push with on-premises apps by using Okta Provisioning Agent and SCIM 2.0. See Create SCIM connectors for on-premises provisioning.

New look and feel in the Partner Admin Portal app

The Partner Admin Portal app pages now have a new look and feel, including redesigned side and top navigation menus.

Define default values for custom user attributes

You can now define default values for custom attributes in a user profile. See Add custom attributes to an Okta user profile.

Domain restrictions on Realms

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See Manage realms.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Improvements to Okta RADIUS

Okta RADIUS now supports Java version 17 and has a new 64-bit installer.

Authentication claims sharing between Okta orgs

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Add a SAML Identity Provider.

Create dynamic resource sets with conditions

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions.

Manage Subscription button removed

The Manage Subscription button has been removed from the Settings page.

Admins prevented from deleting published app instances

When an app instance has the Published version status, admins can no longer delete it from their org.

Early Access

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Fixes

  • SDK strings that contained iOS were parsed as unknown operating systems. (OKTA-856044)

  • On the Settings page, the Technical contact field displayed a "This field cannot be left blank" error even when there was text in the field. (OKTA-939469)

  • In the End-User Dashboard, if a user resized the browser to a mobile-sized view, the navigation menu opened and closed repeatedly. (OKTA-940213)

  • Admins received a 500 error when they attempted to delete an optional attribute in Profile Editor. (OKTA-941778)

Okta Integration Network

  • Pluto Bioinformatics is now available (SAML). Learn more.
  • FORA is now available (OIDC). Learn more.
  • Teamplify is now available (OIDC). Learn more.
  • XOPS is now available (API Service Integration). Learn more.

Weekly Updates

2025.6.1: Update 1 started deployment on June 23

Generally Available

Frame-ancestors rollout for Content Security Policy

Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint and /api/v1/internal/device/nonce endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See Trusted Origins for iFrame embedding.

In addition, Okta is rolling out the use of nonce with the script-src directive of the CSP for the /auth/services/devicefingerprint endpoint. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce addition to script-src.
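The following check is an added example, not Okta code: it parses a Content-Security-Policy header value and reports whether one embedder origin passes frame-ancestors, and whether an inline script still runs once script-src carries a nonce. The header value, the origins, and all function names are constructed for illustration, and the source matching is a simplified subset of CSP (hash sources are not evaluated).

```javascript
// Added example, not Okta code. All header values and origins are constructed.
const SELF_ORIGIN = 'https://login.example.org'; // stands in for the org URL
const SAMPLE_CSP =
  "frame-ancestors 'self' https://portal.example.com https://*.intranet.example; " +
  "script-src 'self' 'unsafe-inline' 'nonce-r4nd0mSample'";
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Parse a CSP header value into Map(directive name -> [source expressions]).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first wins
  }
  return directives;
}

// Simplified match of one source expression against one origin.
function sourceMatches(source, origin, selfOrigin) {
  const target = new URL(origin);
  const self = new URL(selfOrigin);
  if (source.toLowerCase() === "'self'") return target.origin === self.origin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes, other keywords
  if (source === '*') return target.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a scheme-less host-source must use the protected page's scheme.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (target.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare domain.
  const hostOk = wildcard ? target.hostname.endsWith('.' + h) : target.hostname === h;
  if (!hostOk) return false;
  if (port === '*') return true;
  const targetPort = target.port || DEFAULT_PORT[target.protocol];
  return targetPort === (port || DEFAULT_PORT[wantScheme]);
}

// frame-ancestors has no default-src fallback: an absent directive means no
// restriction. A browser checks every ancestor frame; this checks one origin.
function frameAncestorsAllows(headerValue, embedderOrigin, selfOrigin = SELF_ORIGIN) {
  const sources = parseCsp(headerValue).get('frame-ancestors');
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, embedderOrigin, selfOrigin));
}

// Once script-src lists a nonce (or hash), browsers ignore 'unsafe-inline':
// an inline script runs only if its nonce attribute matches a listed nonce.
function inlineScriptAllowed(headerValue, scriptNonce = null) {
  const d = parseCsp(headerValue);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/i.test(s));
  if (nonces.length > 0 || hasHash) {
    return scriptNonce !== null && nonces.includes(scriptNonce);
  }
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}
```

Run it against the header your own org returns for these endpoints to see which embedders and inline scripts would be blocked before the rollout reaches you.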

New On-Prem MFA agent version

Version 1.8.3 of the On-Prem MFA agent is now available. This version includes security enhancements.

Fixes

  • App logos could be added or updated using any SVG format. (OKTA-876028)

  • After the Okta Active Directory or LDAP agents were successfully updated, the corresponding email notification reported that zero agents were running the new version. (OKTA-876968)

  • The Proxy IP Usage report returned unknown values for Proxy Type. (OKTA-930091)

  • SAML attribute statements were incorrectly hidden on some users' custom SAML app pages. (OKTA-939543)

  • The table on the HealthInsight page was misaligned. (OKTA-948682)

  • When the Governance for admin roles feature was enabled, admins could create custom roles with the same name as a standard role. (OKTA-950114)

  • When some AD or LDAP imports failed, the warning "Incorrect result size: expected 1, actual 2" was displayed in the job UI, but no System Log message was written. (OKTA-638810)

  • During a full import with AD DirSync, appuser.CN was cleared, which resulted in any attributes mapped from appuser.CN to the Okta user profile being cleared. (OKTA-944122)

  • When an admin opened a video from the Getting Started page, the close button wasn't visible. (OKTA-946268)

  • Editing a previously blank default value of an attribute in the Profile Editor failed if the Attribute length was set. (OKTA-958747)

Okta Integration Network

  • Complyfirst.co (OIDC) is now available. Learn more.
  • Duo Security SCIM Provisioning (SCIM) is now available. Learn more.
  • Genea Access Control (SAML) is now available. Learn more.
  • Genea Access Control (OIDC) is now available. Learn more.
  • Snapshot AI (OIDC) is now available. Learn more.

2025.6.2: Update 2 started deployment on June 30

Generally Available

Fixes

  • The Report a Security Issue section appeared on the Sign-In Help page even though the End User Help Form setting was disabled. (OKTA-898824)

  • When an admin retried a failed Office365 provisioning task, the Immutable ID value was cleared. (OKTA-913410)

Okta Integration Network

Version: 2025.05.0

May 2025

Generally Available

App permissions no longer include agent permissions

Now when you assign the Manage applications permission to an admin, the Manage agents permission isn't automatically granted. For existing admin role assignments that include the Manage applications permission, the Manage agents permission is retained in the assignment. See Role permissions.

Realms per org limit expanded

You can now create up to five thousand realms per org. See Manage realms.

Microsoft Office 365 Single Sign-on integration supports SHA-256

The Office 365 SSO integration (WS-Fed Auto and Manual) now uses SHA-256 for signing the authentication token.

New versions of Okta Provisioning agent and SDK

Okta Provisioning agent 2.3.0 and Okta Provisioning agent SDK 2.2.0 are now available. These releases contain bug fixes and minor improvements. See Okta Provisioning Agent and SDK version history.

Device assurance OS version updates

Device assurance policies now support the following OS versions:

  • Android 12, 13, 14, and 15 to security patch 2025-05-01
  • iOS 18.4.1
  • macOS Sequoia 15.4.1
  • Windows 10 (10.0.17763.7136, 10.0.19044.5737, 10.0.19045.5737)
  • Windows 11 (10.0.22621.5189, 10.0.22631.5189, 10.0.26100.3775)

Removal of device support for Windows 11 21H2

Okta Verify no longer supports devices that use Windows 11 21H2. See Supported platforms for Okta Verify.

Support for additional attributes in Office 365's Universal Sync

Office 365's Universal Sync now enables users to access Kerberos resources with Windows Hello for Business. See Supported user profile attributes for Office 365 provisioning.

Improved Documentation Search

The search functionality on help.okta.com has been updated with the following improvements:

  • Localized Japanese search: Supports localized searches in Japanese for all translated content.
  • Focused results: Searches take place directly in Okta help instead of rerouting users to the Okta Help Center.

These features are now available on help.okta.com to help users quickly locate relevant documentation for their specific needs.

Okta Active Directory agent, version 3.20.0

This release includes support for enhanced incremental imports from AD using DirSync. Incremental import with DirSync avoids full imports and offers delta imports with AD that significantly improve performance. Configuration and opt-in are required within Okta after an agent update. This release also includes security enhancements and bug fixes. See Okta Active Directory agent version history.

New protected action

Creating API tokens is now a protected action. When you enable this feature in your org, admins are prompted for authentication when they create an API token, at an interval that you specify. This additional layer of security helps ensure that only authorized admins can perform key tasks in your org. See Protected actions in the Admin Console.

Updates to the advanced search filters

The operators dropdown menu in the Advanced search section on people, groups and group membership pages shows all options and grays out the options that aren't applicable.

ADFS version 1.8.3

Bug fixes and security hardening.

Updated text for the Login.gov IdP

For the Login.gov IdP, the Type of Identity Verification label has been updated to Type of Service Level, and the list of possible service levels has been updated.

MFA enabled by default in new app sign-on rules

Multifactor authentication (MFA) is now enabled by default in new app sign-on rules when MFA factors are available to users. Additionally, reauthentications are now set to once per day by default.

Entitlement claims

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OIDC claims and SAML assertions. See Generate federated claims.

Early Access

Breached Credentials Protection

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See Breached credentials detection.

This feature is following a slow rollout process beginning on May 15.

DirSync group imports for Active Directory

For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.

Fixes

  • When doing incremental imports using Okta Provisioning agent, users whose profiles weren't modified were removed from groups in Okta. (OKTA-884952)

  • The border for the table of Active Directory instances on the Delegated Authentication page was missing. (OKTA-893589)

  • When admins enabled the Unified Look and Feel for Okta Admin Console feature, some user interface elements didn't render correctly on Default Policy pages. (OKTA-903370)

  • Some users saw a login hint in the UserHome page URL for OIDC apps even though login hints were disabled. (OKTA-919432)

  • Super admins couldn't always access Workflows with the role-based access control (RBAC) feature enabled. (OKTA-920704)

  • When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if the IdP didn't provide any AMR claims. (OKTA-922086)

  • PERIMETER81_VPN was incorrectly announced as a supported IP service category in enhanced dynamic zones. (OKTA-923426)

  • When a call to activate a downstream app user failed while activating a user, the user was stuck in an activating status. (OKTA-925217)

  • If a third-party SAML IdP sent the session.amr SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)

  • Starting with version 136, Chrome no longer returned the thirdPartyBlockingEnabled signal, and users whose Device Assurance policies relied on the signal were denied access to their resources. (OKTA-927884)

Okta Integration Network

Weekly Updates

2025.5.1: Update 1 started deployment on May 19

Generally Available

On-Prem MFA agent, version 1.8.2

Version 1.8.2 of the On-Prem MFA agent is now available. This version includes security enhancements.

New filter and columns for Access Certifications reports

You can use the Campaign ID filter in the Past campaign details and Past campaign summary reports. You can find a campaign's ID from System Log events or from the URL for the campaign details page. Additionally, the following columns are available for use in the Admin Console.

  • Past campaign details report:

    • User email
    • Reviewer email
    • Reviewer reassigned
  • Past campaign summary report:

    • Campaign resource count

Fixes

  • Some System Log entries showed the wrong user agent operating system version for risk scoring and new device detection events. (OKTA-792841)

  • The Application Usage report didn't include successful RADIUS authentications. (OKTA-815504)

  • Some users didn't receive emails from Okta. (OKTA-826144)

  • When users edited an authorization server on the Security > API page, the value of the Type column on the Claims tab incorrectly wrapped to a second line. (OKTA-863707)

  • Admins didn't receive the correct notifications when they had both role and admin email notifications selected. (OKTA-876846)

  • Some ADSSO functionality didn't work as expected. (OKTA-880273)

  • When users edited an authorization server on the Security > API page, some user interface elements had the wrong background color. (OKTA-893509)

  • Some user interface elements on the API Token page had the wrong background color. (OKTA-893608)

  • Some users saw an extra line at the bottom of the Identity Providers page. (OKTA-893613)

  • Some user interface elements had incorrect spacing on the Okta API Scopes tab of app pages. (OKTA-905018)

  • Email notifications for the super admin role weren't applied consistently when all admin email notification settings were selected for the role. (OKTA-906587)

  • Agents in an error state were properly displayed on the Agent Monitors page for their respective directory integration but weren't displayed on the Admin Dashboard. (OKTA-910056)

  • On the Add resource dialog, the Show more button didn't display all the resources that were already included in the resource set. (OKTA-921890)

  • Some Org2Org users were unable to sign in after they completed multifactor authentication. (OKTA-932258)

  • Some Org2Org users saw an error message after they completed multifactor authentication when Claims Sharing was enabled. (OKTA-932402)

  • When Okta-to-Okta claims sharing was enabled for a Classic Engine org to an Identity Engine org flow, and the State Token for All Flows feature flag was enabled in the Classic Engine org, users were prompted for MFA on the Identity Engine org when MFA had already been completed on the Classic Engine org. (OKTA-932454)

  • After signing in to Okta on a mobile device (either Android or iOS), opening the menu resulted in the screen flickering. (OKTA-933477)

  • Updating an LDAP-sourced user profile sometimes resulted in an error. (OKTA-939330)

Okta Integration Network

  • Attribute Dashboard (OIDC) now supports IdP-initiated SSO flows.
  • DX (SAML) is now available. Learn more.
  • Embrace (SAML) is now available. Learn more.
  • Merkle (OIDC) is now available. Learn more.
  • SAP Concur by Aquera is now available. Learn more.
  • SAP S/4HANA by Aquera (SCIM) is now available. Learn more.

2025.5.2: Update 2 started deployment on May 27

Fixes

  • The online help link on the Brands page didn't link to the correct page. (OKTA-654709)

  • LDAP agents were displayed as operational after registration, even if they hadn't successfully connected to Okta. (OKTA-886963)

  • Some user interface elements in pages under the Customizations menu didn't render correctly when the Unified UI for the Admin App feature was enabled. (OKTA-893521)

  • The border on the Delegated Authentication page for LDAP used squared corners instead of rounded corners. (OKTA-893569)

  • Some Org2Org users were unable to sign in after they completed multifactor authentication. (OKTA-932258)

  • Several of the Administrators pages didn't render correctly when the Unified look and feel for Okta Admin Console feature was enabled. (OKTA-934633)

  • Some pages didn't load correctly when the Unified look and feel for Okta Admin Console feature was enabled. (OKTA-938750)

Okta Integration Network

  • CyberDefenders (OIDC) is now available. Learn more.
  • Google Cloud Workforce Identity Federation (OIDC) is now available. Learn more.
  • Pro-Vigil (SAML) is now available. Learn more.

2025.5.3: Update 3 started deployment on June 2

Generally Available

RingCentral uses new default phone number logic

The RingCentral app integration's logic for detecting and populating phone numbers has been updated to work with both DirectNumber and IntegrationNumber entries.

Integrator Free Plan org now available

The Integrator Free Plan org is now available on the Sign up page of the developer documentation site. These orgs replace the previous Developer Editions Service orgs, which will start being deactivated on July 18th. See Changes Are Coming to the Okta Developer Edition Organizations. For information on the configurations for the Integrator Free Plan orgs, see Okta Integrator Free Plan org configurations.

Fixes

  • When an admin changed a user attribute in Okta, the profile in Zendesk reverted back to the default language of the Zendesk account. (OKTA-916240)

  • Some users incorrectly received an Invalid Phone Number error when they enrolled an SMS factor. (OKTA-923373)

  • When an admin configured the Salesforce.com connector with the Customer Portal user type and then ran an import, no users were fetched. (OKTA-931016)

  • After signing in to Okta on a mobile device (either Android or iOS), opening the menu resulted in the screen flickering. (OKTA-933477)

  • When third-party IdP claims sharing was enabled, some claims were missing from the System Log. (OKTA-936530)

  • Some pages didn't load correctly when the Unified look and feel for Okta Admin Console feature was enabled. (OKTA-938750)

  • Updating an LDAP-sourced user profile sometimes resulted in an error. (OKTA-939330)

Okta Integration Network

  • Conviva (SCIM) is now available. Learn more.
  • Paylocity (Demo) (SCIM & SAML) is now available. Learn more.
  • SELR.ai (OIDC) is now available. Learn more.
  • Wirespeed (API service) is now available. Learn more.