Okta Classic Engine release notes (Preview)
Generally Available
Version: 2026.05.0
- Workday entitlement management
Admins can now manage entitlements for Workday app instances on Okta. This feature allows for the discovery and governance of user-based security groups to enable automated access requests and certifications.
- Report exports
You can now choose between CSV and GZIP export formats when generating the following reports:
- Okta usage
- Application usage
- MFA usage
- Secure SaaS and Okta Service Accounts
Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.
- System Log event for unconfigured identifiers
When JIT is enabled for Active Directory and a user authenticates with an unconfigured identifier, the event now appears in the System Log.
- System Log event for DirSync imports
When Active Directory agent compatibility is verified for DirSync-based imports, the event now appears in the System Log.
- New System Log fields for matched network zones
Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event. These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
- SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
- DirSync group imports for Active Directory
For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.
Early Access
Fixes
- After deactivating an AD Agent, an incorrect format of the version for the agent was displayed. (OKTA-1117122)
- The Sign-In Widget displayed an error after users completed a self-service password reset when the app authentication policy had the Keep Me Signed In prompt enabled. (OKTA-1152243)
- AMR claim updates weren't applied to the Salesforce (Federated ID) app integration. (OKTA-1164030)
- On the Administrator assignment by role page, the Preview role pane displayed "L10N_ERROR[okta.apps.clientCredentials.read.name.code]" instead of the View client credentials permission. (OKTA-1166616)
- Manual remediation was required when reviewers revoked a user’s access to Active Directory-source groups in a campaign. (OKTA-1167090)
Okta Integration Network
- TOPdesk Operator by FuseLogic (SCIM) was updated.
- Magnite Streamr (OIDC) is now available. Learn more.
- Matik (Basic Auth) was updated.
- Console (OIDC) has a new app description.
- Sastrufy has a new app name and a new configuration guide.
- WideField Security - Detect and Remediate (API integration) is now available. Learn more.
- Console (API Service) has a new icon and description.
- Yunu (OIDC) is now available. Learn more.
- YipitData Agent (OIDC) is now available. Learn more.
- Software Analytics (OIDC) has a new app name (Antenna), icon, description, new Redirect URIs, and integration guide. Learn more.
- Ternary (OIDC) is now available. Learn more.
- Syndio (OIDC) is now available. Learn more.
- Form (OIDC) is now available. Learn more.
- Truepic Vision (OIDC) is now available. Learn more.
- Tandem Health (OIDC) is now available. Learn more.
- CJ Affiliate (OIDC) is now available. Learn more.
- Asset Integrity for Pipelines (OIDC) is now available. Learn more.
- Metlife MyBenefits (SWA) was updated.
- Conduit Security (OIDC) is now available. Learn more.
- Harmony (SCIM) is now available. Learn more.
- Harmony (SAML) is now available. Learn more.
- LinkedIn Sales Navigator (SCIM) is now available. Learn more.
- Haystack (SCIM) is now available. Learn more.
- Suger (OIDC) has a new Redirect URI.
- ThoughtSpot (OIDC) is now available. See Create ThoughtSpot OIDC integration.
- Matik (SCIM) is now available. Learn more.
- Matik (SAML) is now available. Learn more.
- JumpCloud (OIDC) is now available. See JumpCloud.
- TOPdesk Operator by FuseLogic (Entitlements Management) is now available. Learn more.
2026.05.1: Update 1 started deployment on May 14
Fixes
- When a refresh token failure or revocation event was logged in the System Log, an incomplete version of the refresh token hash appeared in the event's target.detailEntry. (OKTA-1145851)
- The List all profile mappings API sometimes returned an error if the request didn't include the sourceId or targetID parameters. (OKTA-1153229)
- In the Admin Console, status site links for some cells pointed to an incorrect status page. (OKTA-1158204)
- The Manage Event Hooks permission didn't allow an admin or service app to create an event hook. (OKTA-1162004)
- The debugContext.isSelfInitiated field was missing from System Log entries for user.account.update_password events. (OKTA-1166403)
- When an authentication error occurred, the Sign-In Widget displayed an SQL error message instead of a helpful one. (OKTA-1168939)
- When an admin viewed the Preview pane for Custom Admin Roles, some labels for identity permissions were displayed incorrectly. (OKTA-1168945)
Okta Integration Network
- Augment Code (OIDC) was updated.
- Harmony SASE (SAML) has a new icon, display name, and description. Learn more.
- Redblock AI (SAML) is now available. Learn more.
- Dokio (SCIM) has a new API and configuration guide.
- Common Room (SCIM) now supports Group Push.
- Rubrik Security Cloud now supports the following scopes:
  - okta.authorizationServers.manage
  - okta.authorizationServers.read
  - okta.idps.manage
  - okta.idps.read
  - okta.networkZones.manage
  - okta.networkZones.read
- Check Point SASE (SCIM) has been updated with new regions.
- Stripe has a new configuration guide. Learn more.
- Stripe (SCIM) is now available. Learn more.
- Butterfly Security (OIDC) is now available. Learn more.
- Butterfly Security (SCIM) is now available. Learn more.
- Wrike (SCIM) now supports Group Push.
- Scribble Maps (SCIM) is now available. Learn more.
- Scribble Maps (OIDC) is now available. Learn more.
- Scribble Maps (SAML) is now available. Learn more.
- Cimento AI (SCIM) is now available. Learn more.
- Cimento AI (SAML) is now available. Learn more.
2026.05.2: Update 2 started deployment on May 21
- Provisioning for Axway Amplify
Provisioning is now available for the Axway Amplify app integration. When you provision the app, you can enable security features like Entitlement Management. See Axway Amplify.
Fixes
- Read-only admins could refresh app groups for apps that support Group Push. (OKTA-1114983)
- The System Log displayed duplicate Push user deactivation to external application events for SAML apps with SCIM provisioning. (OKTA-1124966)
- Some deactivated users retained the Deactivating status and couldn't be modified in the Admin Console or through the API. (OKTA-1138239)
- When a user was assigned a SAML app through a group, they couldn't always access the app after signing in to Okta. (OKTA-1140346)
- When group rule evaluations failed, the System Log displayed exception messages and SQL queries. (OKTA-1177889)
Okta Integration Network
- Icite (API Service) now has the okta.roles.read scope.
- Gatekeeper (SCIM) is now available. Learn more.
- Butterfly Security (API Service) is now available. Learn more.
Preview org features
- Secure SaaS and Okta Service Accounts
Manage and secure passwords for SaaS app service accounts and Okta service accounts with Okta Privileged Access. You can now assign new Service Accounts permissions to custom roles to delegate service account management duties to non-super admins. See Manage service accounts and Role permissions.
- New System Log fields for matched network zones
Okta now includes richer network zone match information in System Log events. When a request is blocked by a network zone (security.request.blocked) or evaluated against a sign-on policy (policy.evaluate_sign_on), the System Log now surfaces the names and IDs of all matched network zones, across IP zones, Dynamic Network Zones (DNZ), and Enhanced Dynamic Network Zones (EDNZ), through new ZoneIdMatch and ZoneNameMatch fields. Up to 10 matched zones are reported per event. These new fields provide more granular and structured network zone context than the existing Client.Zone field. This gives admins and security teams precise, actionable detail for blocked requests and policy evaluations, making SIEM investigations and audit reviews significantly easier. See Troubleshoot network zone issues using System Log.
- SHA-256 digest algorithm support
Okta now supports the SHA-256 digest algorithm when hashing SAML AuthnRequests that are sent to external IdPs.
- DirSync group imports for Active Directory
For Active Directory (AD) integrations, the Provisioning tab now provides an Enable imports with AD using DirSync checkbox. When you enable the checkbox, admins can perform incremental group imports using DirSync. See Configure Active Directory import and account settings.
- Workday supports incremental imports
Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See ../provisioning/workday/workday-provisioning.htm#provisioning-workday-workday-provisioning__incremen
- Prevent new single-factor access to the Admin Console
This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.
- Application Entitlement Policy
Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.
- Descriptive System Log events
When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.
- New flexible LDAP
A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.
- ThreatInsight coverage on core Okta API endpoints
Okta ThreatInsight coverage is now available for core Okta API endpoints:
Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.
- SSO apps dashboard widget
The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.
- Federation Broker Mode
The new Federation Broker Mode allows Okta SSO without the need to pre-assign apps to specific users. Access is managed only by the authentication policy and the authorization rules of each app. This mode can improve import performance and can be helpful for larger-scale orgs that manage many users and apps.
- User Import Scheduling
When importing users from an app to Okta, you can now schedule imports to occur at hourly, daily, or weekly intervals. Scheduling imports at a time that is convenient for your org reduces the likelihood of service disruptions and eliminates the need to start imports manually. If an application allows incremental imports, you can create both full and incremental import schedules. This is a self-service feature.
- Null values for SCIM provisioning
You can now submit null values for any attribute type to Okta when using SCIM provisioning. This change reduces the error messages customers receive and simplifies end user identity management.
- Device Authorization grant type
Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.
The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
- LDAP admin password reset
For orgs integrated with LDAP, admins can now perform password resets for an active individual end user. See Reset a user password.
- LDAP password reset option
You can now configure LDAP delegated authentication settings to allow users to reset their passwords. This change reduces the time needed for password management and allows users to reset their passwords quickly and easily. See Enable delegated authentication for LDAP.
- Windows Device Registration Task, version 1.4.1
This release fixed the following issues:
- If there was a space in the sAMAccountName, an error appeared when installing the Okta Device Registration task and the installation completed but didn't function.
- An unknown publisher warning appeared when the Okta Device Registration MSI file was double-clicked.
Affected customers should uninstall the registration task and install 1.4.1 or later. See Enforce Okta Device Trust for managed Windows computers and Okta Device Trust for Windows Desktop Registration Task Version History.
- Incremental Imports for CSV
Incremental imports improve performance by importing only users who were created, updated, or deleted since your last import. See Manage your CSV directory integration. Note that this feature is being re-released, having previously been released to Production in 2020.09.0.
- Password changed notification email
To eliminate unnecessary email notifications, the Password changed notification email setting is no longer enabled by default on new preview orgs. See Password changed notification for end users.
- Office 365 Silent Activation
Using Okta as the Identity Provider, Okta Office 365 Silent Activation allows for a seamless experience for your Microsoft Office 365 end users accessing Office 365 apps on domain-joined shared Workstations or VDI environments. After your end users have signed in to a domain-joined Windows machine, no further activation steps are required. See Office 365 Silent Activation: New Implementations.
- End-user Welcome emails localized
The ability to localize the Welcome email that Okta sends to new end users by referencing the users' default locale property is now Generally Available. See Configure general customization settings.
- People page improvements
You can now filter the People page by user type. See Universal Directory custom user types known issues.
- Early Access features, auto-enroll
You can now opt to auto-enroll in all Early Access features, instead of having to enable them as they become available.
- Connecting Apps to Okta using the LDAP Interface
The LDAP Interface allows you to authenticate legacy LDAP apps to Universal Directory in the Cloud. With the LDAP Interface, authentication is done directly against Okta through LDAP, without the need for an on-premise LDAP server. In addition, the LDAP interface supports other LDAP functions like search.
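For the Device Authorization grant entry above, the following added example (not Okta's code and not part of the original release notes) shows the device-side polling loop that the OAuth 2.0 grant defines in RFC 8628: it honours authorization_pending and slow_down, and stops once the device code lifetime is spent. The names poll_for_token, post_token and simulated_token_endpoint are hypothetical, and every code, token and client ID is a constructed sample.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628


class DeviceFlowError(Exception):
    """Terminal outcome: user denied the request or the device code expired."""


def poll_for_token(post_token, client_id, device_resp, sleep=time.sleep):
    """Poll the token endpoint until the user approves on the second device.

    post_token(form) -> dict is a hypothetical transport hook: it POSTs the
    form to the token endpoint and returns the decoded JSON body.
    """
    interval = device_resp.get("interval", 5)  # RFC 8628 default is 5 s
    remaining = device_resp["expires_in"]      # lifetime of the device code
    form = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device_resp["device_code"]}
    while remaining > 0:
        sleep(interval)
        remaining -= interval
        body = post_token(form)
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue                           # user has not finished yet
        if error == "slow_down":
            interval += 5                      # back off for all later polls
            continue
        raise DeviceFlowError(error)           # access_denied, expired_token, ...
    raise DeviceFlowError("expired_token")     # never keep polling a dead code


def simulated_token_endpoint(script):
    """Constructed stand-in for an authorization server; replays canned replies."""
    replies = iter(script)
    def post_token(form):
        if form.get("grant_type") != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        return next(replies)
    return post_token


if __name__ == "__main__":
    resp = {"device_code": "constructed-code", "expires_in": 600, "interval": 5}
    server = simulated_token_endpoint([{"error": "authorization_pending"},
                                       {"error": "slow_down"},
                                       {"access_token": "constructed-token"}])
    print(poll_for_token(server, "constructed-client", resp, sleep=lambda s: None))
```

Passing a recording function as sleep shows the wait schedule without real delays; in a real client, post_token would send the form to the org's token endpoint over TLS.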