Review and resolve all acknowledgment and configuration action items in the Identity Engine Upgrade Hub
before scheduling your upgrade.
About this task
Before you can schedule your upgrade from Classic Engine to Identity Engine, you must complete all action items
listed in the Identity Engine Upgrade Hub. These items ensure that your org is compatible with Identity
Engine and that you understand changes that affect your environment.
Action items fall into two categories:
- Acknowledgment items: Review a change, confirm that you understand the impact, and select a checkbox. No
  configuration change is required.
- Configuration items: Make a specific change in your org by following a remediation guide.
Before you begin
- Confirm that you have Super Admin permissions in your Okta org.
- Verify that your org is eligible for a self-service upgrade. The Self-service upgrade
notification appears on the Admin Dashboard when your org is eligible.
- Review the Self-service upgrade
process to understand the two-step upgrade sequence.
- Sign in to the Admin Console as a Super Admin.
- On the Admin Dashboard, click Schedule upgrade in the Self-service
  upgrade to Okta Identity Engine notification.
  The Identity Engine Upgrade Hub opens and displays your action items organized by
  category.
- Complete each acknowledgment item.
  Acknowledgment items inform you about features or behaviors that change after the
  upgrade. The following items are common, though your org may show a different set based
  on your configuration.
Table 1. Common acknowledgment items

| Item | What changes |
| --- | --- |
| Okta Mobile | End-user experience changes after upgrade. Okta Verify replaces Okta Mobile. |
| Office 365 Custom User Agent | MFA password behavior changes for Office 365 integrations. |
| Custom app login | Custom app login pages work differently in Identity Engine. Available only to orgs that previously used this feature. |
| Self-service registration | Self-service registration moves to a profile enrollment policy model in Identity Engine. |
| AWS Federation (AWS CLI) | Federation flow changes may affect AWS CLI authentication. |
| Factor Enrollment Policy set to Do Not Enroll | Policies with Do Not Enroll settings need review. Identity Engine uses authenticator enrollment policies instead. |

  - Read the item description and linked documentation.
  - Confirm that you understand the impact to your org.
  - Select the acknowledgment checkbox.
  - Click Submit or Save.
- Complete each configuration item.
  Each configuration item links to a remediation guide. The following items are common,
  though your org may show a different set based on your configuration.
Table 2. Common configuration items

| Item | What to do |
| --- | --- |
| Agentless Desktop SSO | Configure or migrate your agentless desktop SSO setup. |
| Integrated Windows Authentication (IWA) | Remove IWA routing rules from your org. |
| Sign-In Widget version | Upgrade to a supported version of the Okta Sign-In Widget. |
| Device Trust Mobile Authentication | Disable or migrate your Device Trust mobile setup before upgrade. |
| Duo Security custom IdP | Rename your Duo Security custom Identity Provider. |
| Email as an optional authenticator | Review your email authenticator configuration for Identity Engine compatibility. |
| Mobile device management attestation | Review MDM attestation settings. |

  - Click the item to open the remediation guide.
  - Follow the remediation steps.
  - Return to the Okta Identity Engine Upgrade Hub.
  - Mark the item as complete.
- Click Check eligibility or Update eligibility.
  The system runs validation against your org configuration.
  If all items pass, a confirmation indicates that your org is eligible to
  schedule the upgrade. If items still show as incomplete or new blockers appear, resolve
  them and run the eligibility check again.
When all action items are resolved and your org passes the eligibility check, you can schedule your upgrade
from the Identity Engine Upgrade Hub.
| Issue | Resolution |
| --- | --- |
| An action item doesn't appear resolved after completing the steps | Click Check eligibility to refresh the validator status. |
| New action items appear after resolving others | The validator may detect other items after the initial blockers are cleared. Complete the new items and run the eligibility check again. |
| Eligibility check fails with no clear action item | Contact Okta Support for assistance. |