Pre-upgrade checklist

Before you upgrade to Identity Engine, there are certain configurations you must first set up. These configurations ensure a successful upgrade, so your org has the latest Identity Engine features.

Task Description
Learn what features aren't supported. Learn about features that are no longer supported in Identity Engine.


Switch to agentless Desktop Single Sign-on. Okta IWA agent isn't supported.

Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

Disable Okta IWA Web agent authentication for specific clients

Install and configure the Okta IWA Web agent for Desktop Single Sign-on

Disable Factor Sequencing. Identity Engine replaces Factor Sequencing with Assurance Models. These fine-grained controls increase security levels based on specific scenarios.

Upgrade from Factor Sequencing to Assurance Models

Turn off Device Trust for mobile devices. Follow the migration steps to ensure that Device Trust continues to work after the upgrade.

Migrate Device Trust to Okta FastPass

Disable Okta Mobility Management. Identity Engine doesn't support Okta Mobility Management.

Disable Okta Mobility Management

Migrate to the new RADIUS app model. Identity Engine doesn't support RADIUS legacy mode.

Migrate RADIUS legacy mode to app model

Migrate from AWS CLI to AWS SSO. Identity Engine doesn't support AWS CLI. If your org uses this feature, migrate to the AWS SSO app in the OIN.

To determine if you use the AWS CLI, search with the following queries:

client.userAgent.rawUserAgent eq "gimme-aws-creds 2.4.3"

client.userAgent.rawUserAgent eq "saml2aws/1.0 (darwin amd64) Versent"

Use Sign-In Widget version 5.11.0 or later. If you use a custom Okta-hosted sign-in page, check the Sign-in Widget version. If it's earlier than 5.11.0, upgrade to the latest version. Remove the deprecated JavaScript methods.

Upgrade your widget

Deprecated JavaScript methods in the widget

Review SDK documentation. If your org uses the Okta SDKs for authentication and you're planning to move to Okta FastPass, review the docs:

Okta, Inc GitHub

Okta Identity Engine for Okta Developers

Disable State Token All Flows or ignore the warning. State Token All Flows (STAF) isn't compatible with Identity Engine. If STAF is enabled in your Classic Engine org, you receive a warning. If you choose to not disable STAF, dismiss this warning and proceed with the upgrade.