Limitations

The following Classic Engine features in the Admin Console have changed or are no longer supported in Identity Engine.

Are you a developer? See the Okta Identity Engine Limitations for developers.


Feature | What changed?

Active Endpoint

Active endpoint (also known as Exchange ActiveSync auth or legacy auth) isn't supported. The following on-demand directory behaviors, which ran during active endpoint authentication, are therefore unavailable:

  • Just-In-Time (JIT) user creation: Importing a user that doesn't yet exist in Okta on demand from an on-premises Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) directory during authentication.

  • Reactivation: Reactivating an inactive or suspended user on demand when that user is marked as active in an on-premises AD or LDAP directory, and the org's settings are configured to automatically reactivate users who are reactivated on premises.

  • Profile refresh: Calling the AD Agent or LDAP Agent to read the user's latest profile attributes into Okta from the on-premises directory during authentication.

Identity Engine end users should sign in first through the browser or a newer Microsoft client.

Office 365 sign-on rules options

Admin-initiated WebAuthn enrollment

Admins can’t enroll a WebAuthn security key on behalf of the end user through the Admin Console.

Configure a FIDO2 (WebAuthn) authenticator

App condition for MFA enrollment policy

Admins can’t target MFA enrollment policies to specific applications. The MFA enrollment policy is evaluated on every sign-in to Okta, and users are prompted to enroll in required authenticators if they don’t already have those authenticators enrolled.

About MFA enrollment policies and rules

Automatically select the user's last used MFA authentication method

When end users sign in to Okta and have multiple authentication methods to select from, Okta displays all available options. Okta no longer remembers the user’s last used authentication method.

Custom login page for embedded app links

Using a custom login page for embedded app links isn't supported. Users who click an app embed link are now evaluated by their org’s Okta sign-on policy. Admins can customize an Okta-hosted sign-in page or configure an IdP routing rule for the app.

Identity Provider routing rules and Configure a custom Okta-hosted sign-in page

Custom password expiration management

The ability to display a custom message in the Sign-In Widget and a redirect URL when users' delegated authentication (DelAuth) passwords expire isn't supported.

Configure general customization settings

Custom TOTP as a factor

Using a custom time-based one-time password (TOTP) as a factor to enroll or sign in isn't supported. In addition, in Identity Engine, a "factor" is called an "authenticator".

Custom User Agent

App sign-on policy rules with a Custom User Agent (as client application) won't migrate fully. The Custom User Agent is lost after migration.

Allow or deny custom clients in Office 365 sign on policy

Don't prompt me again on this device

The Don’t prompt me again on this device checkbox for MFA authenticators is no longer present. Instead, this behavior occurs when the user selects the Keep Me Signed In checkbox.

Email as an optional factor

Email as an optional factor isn't supported.

Expiry time of email links

In Classic Engine, the default expiry time of email links used for self-service password resets, self-service account unlock, and multifactor authentication was one hour, and their lifetime could be configured to last several days.

In Identity Engine, the default expiry time is five minutes, and you can select expiry times in five-minute increments up to 30 minutes.

When orgs upgrade to Identity Engine, the email link expiry settings from Classic Engine are changed to the default settings in Identity Engine.

Integrated Windows Authentication

Integrated Windows Authentication Desktop Single Sign-On isn’t supported. Orgs must use Agentless Desktop Single Sign-On instead.

Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

Link directly to self-service password reset or unlock pages

Admins can no longer provide a URL to link users directly to self-service password reset or account unlock. Users must navigate to the sign-in page and follow the links from there.

MFA Factor sequencing

The ability for admins to construct factor chains in Okta sign-on policies isn’t supported. Instead, passwordless authentication is now supported in the app sign-on policy.

Configure Okta FastPass and Configure passwordless authentication

Okta Mobile

End users can't use Okta Mobile to access their apps. Instead, users can access their apps from the Okta End-User Dashboard in a mobile browser.

Okta Mobility Management

Okta Mobility Management isn't supported.

Pass Claim for MFA

Org-level MFA requirements don’t meet the Identity Engine requirement to pass a claim for MFA. Customers need to set up app sign-on rules for MFA.

Use Okta MFA to satisfy Azure AD MFA requirements for Office 365

Pass Claim for MFA Infinite Loop

Pass claim for MFA requires true MFA (one knowledge factor plus one possession factor). If users get stuck in an infinite loop because they don't complete MFA during the SSO flow, they need to refresh and try to sign in with a different browser. Admins should review their app sign-on policy to ensure that the MFA-related rule is configured correctly.

Use Okta MFA to satisfy Azure AD MFA requirements for Office 365

Password policies may override MFA enrollment policy settings

If admins have set a password policy that allows users to perform self-service recovery with email, phone, or security question authenticators, Okta prompts users to enroll in these additional authenticators when they first sign in. Users are prompted to enroll even if these authenticators are disabled in the MFA enrollment policy. Email and security question authenticators are required if they are configured in the password policy rules for recovery. Phone is optional.

About MFA enrollment policies and rules

Personal Identity Verification

Personal Identity Verification (Smart Cards) isn't supported.

Phone rollback behavior

If Phone is enrolled as an authenticator and admins roll back to Classic Engine, both SMS and Voice will be available for authentication.

RADIUS Legacy Model

The RADIUS Legacy Model isn't supported.

RADIUS Legacy Model

Registration hooks

In the Admin Console, the enablement of a Registration Inline Hook has changed from the former Self-Service Registration page (Self-service Directory > Self-Service Registration) to the Profile Enrollment Rules page (Security > Profile Enrollment). The creation of the Registration Inline Hook remains the same and can be completed in the Admin Console or by Inline Hook Management APIs.

Existing Registration Inline Hooks may experience compatibility issues after migrating to Identity Engine due to changes in the Okta Registration Inline Hook request. Your application may require code updates to properly consume the new request format.

Manage Profile Enrollment policies

Remember Me

The Remember Me checkbox has been replaced with a checkbox that allows the user to remain signed in.

General Security

Security Image

The ability for end users to specify a security image when they first register for an account isn't supported with Identity Engine. Additionally, existing users who have already registered a security image won't see that image when they sign in.

Security Questions

Answers to security questions must have at least 4 characters. Currently, admins can no longer set the minimum length of answers. However, if your org was migrated from Okta Classic Engine with a minimum answer length set at less than 4 characters, that minimum is applied after the upgrade.

Self-Service Registration

The Self-Service Registration feature is not available. Self-service registration is now accomplished through a profile enrollment policy. In a profile enrollment policy, admins select the attributes they want to collect when a new end user clicks Sign up. By the time the end user has authenticated into the app, their profile is complete and they’ve been provisioned to the appropriate groups.

Manage Profile Enrollment policies

Sign out of Okta O365

Sign out of Okta O365 isn't supported. There is no workaround. Okta's long-term solution is to have Single Logout capability across OpenID Connect, SAML, and WS-Fed. This feature has very low adoption.

Suspicious Activity Report

The Suspicious Activity Report isn't available in Identity Engine.

Symantec VIP as an authenticator

Using Symantec VIP as an authenticator to enroll or sign in isn’t supported.