Eligibility tasks

There are certain configuration tasks you must complete before your org is eligible for self-service upgrade. Once the configurations are complete, the self-service upgrade notification appears on your Admin Dashboard and you can schedule your upgrade.

Task Description
Update event hook endpoints. If your org uses an event hook endpoint that depends on the phone number field, update the endpoint to handle its new location.

Update Event hook endpoints

Prepare Okta Mobile users for the upgrade. Okta Mobile isn't available after the upgrade.

Prepare Okta Mobile users for upgrade

Disable Okta Mobility Management. Identity Engine doesn't support Okta Mobility Management.

Disable Okta Mobility Management

Turn off Device Trust for mobile devices. Follow the migration steps to ensure that Device Trust continues to work after the upgrade.

Turn off Device Trust on mobile devices

Delete IWA routing rules. Okta IWA agent isn't supported.

Delete Integrated Windows Authentication routing rules

Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

Migrate from the AWS Command Line Interface. Identity Engine doesn't support older AWS CLI tools. To determine if you use the AWS CLI, search for the following in your System Log (not comprehensive):

gimme-aws-creds saml2

aws okta-awscli

If you require CLI access, upgrade using one of the following methods:

  • Switch to the AWS IAM Identity Center before upgrading to Identity Engine. The Okta AWS SSO application is SAML-based, and the Okta AWS CLI interacts with AWS IAM using AssumeRoleWithSAML (see next item). Okta doesn't have an OIDC-based AWS federation application at this time.

  • Use the Okta AWS CLI application post-upgrade. The okta-aws-cli Command Line Interface is native to Identity Engine.

    Because the CLI requires the Identity Engine policy framework, continue using the current solution until the upgrade is complete. To test workstation configuration prior to the upgrade, see Test AWS CLI on Classic Engine.

Use Sign-In Widget version 5.11.0 or later. If you use a custom Okta-hosted sign-in page, check the Sign-in Widget version. If it's earlier than 5.11.0, upgrade to the latest version. Remove the deprecated JavaScript methods.

Upgrade your widget

Deprecated JavaScript methods in the widget

Prepare your custom sign-in page. Custom sign-in pages may not work after you upgrade to Identity Engine. Prepare your deployment model for the upgrade.

Prepare your customizations for upgrade

Review SDK documentation. If your org uses the Okta SDKs for authentication and you're planning to move to Okta FastPass, review the docs:

Okta, Inc GitHub

Okta Identity Engine for Okta Developers

Disable State Token All Flows or ignore the warning. State Token All Flows (STAF) isn't compatible with Identity Engine. If STAF is enabled in your Classic Engine org, you receive a warning. If you choose to not disable STAF, dismiss this warning and proceed with the upgrade.
Build a test OIDC application. If you need a test app to demonstrate the end-to-end authentication experience before and after you upgrade, you can build a custom app with Okta SDKs.

Sign users in to your SPA using the redirect model and Auth JS

Prepare Terraform for the upgrade. If you use Terraform to manage one or more Okta tenants, ensure that you have the latest version of the Terraform provider and your script files are in sync.

Prepare Terraform for upgrade

Skip auto-enrollment of the email authenticator.

If your org has a factor enrollment policy where email is set to optional or if your org doesn’t use MFA, you can skip auto-enrolling the email authenticators for your end users.

Skip auto-enrolling email authenticator