Upgrade validation tests
Validation tests ensure that your org performs as expected in Identity Engine.
This isn't a comprehensive list of tests. Okta recommends testing all of your critical use cases end-to-end in a Preview environment before you upgrade in Production. Testing in Preview helps you understand how the upgrade affects your org, so you can make adjustments before you go live.
Be sure that your Preview org has the same configuration as your Production org. If your Preview and Production orgs don't match, adjust your configurations before you proceed (you can use bookmark apps instead of replicating your SAML apps in Preview).
You should have at least one test user assigned to each policy. Validate that each policy in Classic Engine correctly evaluates the test user, and then compare the results to the Identity Engine policy behavior.
Classic Engine policy validation tests
- Validate that the Okta sign-on policy correctly evaluates the test user.
- Validate that the MFA enrollment policy correctly evaluates the test user.
- Validate that the app sign-on policy correctly evaluates the test user.
- Validate that self-service password recovery works for the test user.
Identity Engine policy validation tests
- Validate that the global session policy correctly evaluates the test user. Your Classic Engine policies migrate with two new default settings. See Okta sign-on policies.
- Validate that the authenticator enrollment policy correctly evaluates the test user. Your Classic Engine policies don't change during migration, but some authenticator behavior does. See MFA enrollment policy.
- Validate that the authentication policy correctly evaluates the test user. Your Classic Engine app sign-on policies migrate with a few conditions. See App sign-on policy migration.
- Validate that self-service password recovery works for the test user. See Password reset and account recovery.
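One way to track the comparison described above, as an added example that is not Okta's code: record what each test user experienced per policy in Classic Engine, record it again after the upgrade in Preview, and report policies with no test user, checks that weren't repeated, and behavior that changed. The policy names, user names, and outcome labels are constructed sample values, and the results are assumed to be recorded by hand or by your own test harness.

```python
# Added example. Policy names, users and outcome labels are constructed.

# Classic Engine policy type -> Identity Engine counterpart, as named on this page.
POLICY_MAP = {
    "okta_sign_on": "global_session",
    "mfa_enrollment": "authenticator_enrollment",
    "app_sign_on": "authentication",
    "password_recovery": "password_recovery",
}

def compare_runs(policies, classic, identity):
    """policies: (classic_type, policy_name) for every policy in the org.
    classic / identity: {(policy_type, policy_name, user): observed outcome}."""
    # Re-key the Classic results under the Identity Engine policy type.
    expected = {(POLICY_MAP[t], p, u): o for (t, p, u), o in classic.items()}
    covered = {(t, p) for (t, p, _user) in classic}
    return {
        # Policies that no test user exercised in Classic Engine.
        "no_test_user": sorted(set(policies) - covered),
        # Classic checks with no matching check after the upgrade.
        "not_retested": sorted(k for k in expected if k not in identity),
        # Same user and policy, different behavior: (key, classic, identity).
        "changed": sorted((k, expected[k], identity[k]) for k in expected
                          if k in identity and identity[k] != expected[k]),
    }

# Constructed sample data for a Preview org.
POLICIES = [("okta_sign_on", "Default"), ("okta_sign_on", "Contractors"),
            ("mfa_enrollment", "Default"), ("app_sign_on", "Payroll"),
            ("password_recovery", "Default")]
CLASSIC = {
    ("okta_sign_on", "Default", "test.user1"): "allow",
    ("mfa_enrollment", "Default", "test.user1"): "enroll_required",
    ("app_sign_on", "Payroll", "test.user2"): "mfa_required",
    ("password_recovery", "Default", "test.user1"): "reset_ok",
}
IDENTITY = {
    ("global_session", "Default", "test.user1"): "allow",
    ("authenticator_enrollment", "Default", "test.user1"): "enroll_optional",
    ("authentication", "Payroll", "test.user2"): "mfa_required",
}

if __name__ == "__main__":
    for kind, items in compare_runs(POLICIES, CLASSIC, IDENTITY).items():
        print(kind, items)
```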
In Identity Engine, you must use Okta Verify to secure your mobile and desktop devices. There are two validation test methods that you can perform in your Preview environment.
Validation tests for orgs that use Device Trust
If you actively use Device Trust already, follow these steps:
- Turn off Device Trust for mobile devices in your Classic Engine org.
- Set up Device Trust for desktop in your Classic Engine org.
- Create a runbook of how to reintegrate your MDM vendor.
- Create and test app sign-on policies to ensure that test users can sign in with Device Trust for desktop.
- Upgrade to Identity Engine.
- Test the corresponding authentication policies.
Validation tests for orgs that don't actively use Device Trust
If you don't currently use Device Trust for mobile or desktop, follow these steps:
- Upgrade to Identity Engine.
- Set up Device Trust for mobile and desktop in Identity Engine.
- Test authentication policies.
See Turn off Device Trust on mobile devices and From Device Trust to Okta FastPass.
Okta SDKs and third-party tools
If you use Okta SDKs or third-party tools, ensure that they work in Identity Engine after you upgrade (in Preview). Refer to Okta Developer Documentation for Okta deployment models and SDKs and sample apps.
After you upgrade to Identity Engine in Preview, create a test user. Then, sign in as that test user and note the sign-in flow and password recovery behavior. Let your users know about the changes they'll experience in the sign-in, sign-up, and recovery flows.
- They may be prompted for their username first, instead of a username and password. See Sign-In Widget.
- During sign-up flows, they may be prompted for optional security methods, depending on your profile enrollment policies.
- The password recovery link is only presented on the page for password entry. Users can't reset their password from the username prompt.
- Their email messages may contain email message links (including the URL for email magic link). See Email templates.