Rollback to Classic Engine

If a problem occurs during the Identity Engine upgrade process, Okta provides an option to revert an org to Classic Engine. However, the need to roll back is rare. You can resolve most issues by adjusting certain configurations.

Follow the Post-upgrade tasks and test critical functionality. If you discover a problem within the first two weeks of testing, Okta can help you roll back to Classic Engine.

Upgrade issues that can require rollback

Look for these issues during the 48 hours of testing:

  • Critical application authentication doesn’t work as expected

  • End users can’t access their Okta dashboard

  • End users can’t access assigned resources with configured factors

  • New end users can’t register an Okta account

  • Multifactor Authentication doesn’t work for a large volume of users

  • Interruptions with JIT / Inbound SAML or user provisioning

  • Admins can’t access the Admin Console

  • Admins can’t resolve issues for end users (such as account unlock and password reset)

Usually, you can resolve these issues by adjusting your org's customization settings. Reach out to your Okta account team if you experience any of these issues after the upgrade.

Org behavior after rollback

After an org rolls back to Classic Engine, its behavior can change if admins made changes in Identity Engine.

The following scenarios can occur during the rollback process for both admins and end users:

Admin changes

  • New users, groups, and applications created in Identity Engine persist after rollback.

  • New authentication policies, global session policies, or policy settings created in Identity Engine don't persist, or they fall back to default settings.

  • Changes to password recovery or MFA enrollments don't persist, or they fall back to default settings.

  • New Identity Engine functionality (Okta FastPass, Device Trust v2) is deactivated after rolling back to Classic Engine.

  • Push notifications and TOTP are enabled, even if you didn't enable these factors in your Classic Engine org before the upgrade. If you don't want them enabled, go to Security > Multifactor > Factor Types. Select Okta Verify, and then click Deactivate.

  • If Phone is enrolled as an authenticator in Identity Engine, both SMS and Voice are available for authentication after rollback.
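
A post-rollback check for the factor changes listed above, as an added example (not Okta's code): it diffs a factor-status snapshot taken before the upgrade against one taken after rollback, and separates newly active factors that the list names (push, TOTP, SMS, Voice) from any others. The snapshot shape, the `id` and `status` field names, and the factor ids are assumptions, and the sample data is constructed.

```python
# Factors the page says can be enabled or available after rollback.
# The ids are assumed names; map them to whatever your factor export uses.
PAGE_LISTED = {"okta_push", "okta_otp", "okta_sms", "okta_call"}

# Constructed snapshots (not real org data): one exported before the
# Identity Engine upgrade, one exported after rolling back to Classic Engine.
BASELINE = [
    {"id": "okta_push", "status": "INACTIVE"},
    {"id": "okta_otp", "status": "INACTIVE"},
    {"id": "okta_sms", "status": "ACTIVE"},
    {"id": "okta_question", "status": "ACTIVE"},
    {"id": "google_otp", "status": "ACTIVE"},
]
POST_ROLLBACK = [
    {"id": "okta_push", "status": "ACTIVE"},
    {"id": "okta_otp", "status": "ACTIVE"},
    {"id": "okta_sms", "status": "ACTIVE"},
    {"id": "okta_call", "status": "ACTIVE"},
    {"id": "okta_question", "status": "ACTIVE"},
    {"id": "google_otp", "status": "INACTIVE"},
]


def active_ids(snapshot):
    """Return the ids of factors marked ACTIVE; missing entries count as inactive."""
    return {f["id"] for f in snapshot if f.get("status") == "ACTIVE"}


def rollback_drift(baseline, current):
    """Classify factor changes between the pre-upgrade and post-rollback state."""
    before, after = active_ids(baseline), active_ids(current)
    newly_active = after - before
    return {
        # Enabled by the rollback as the page describes; deactivate if unwanted.
        "page_listed_enabled": sorted(newly_active & PAGE_LISTED),
        # Newly active but not explained by the page; investigate these.
        "other_enabled": sorted(newly_active - PAGE_LISTED),
        # Active before the upgrade, inactive now; users may lose a factor.
        "no_longer_active": sorted(before - after),
    }


if __name__ == "__main__":
    for category, ids in rollback_drift(BASELINE, POST_ROLLBACK).items():
        print(f"{category}: {', '.join(ids) or 'none'}")
```
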

User changes

  • Users who set up recovery factors or authentication factors on Identity Engine remain after rolling back to Classic Engine.

  • User password and profile changes remain after rolling back to Classic Engine.

  • New users who signed up to Identity Engine exist after rolling back to Classic Engine.

  • Activation or recovery emails and links may not work. You can fix this by generating new activation emails and password reset emails.

  • The user Sign-In Widget experience reverts to the Classic Engine version.

  • Security Questions that you configured in Classic Engine for both account recovery and MFA are reset to recovery only.

  • Users must re-authenticate when they access the Settings page or the End-User Dashboard.

  • If the Phone authenticator is available for voice calls and SMS, and the user enrolls in just one, only that one is available after rollback.