Complete self-service action items

Review and resolve all acknowledgment and configuration action items in the Identity Engine Upgrade Hub before scheduling your upgrade.

About this task

Before you can schedule your upgrade from Classic Engine to Identity Engine, you must complete all action items listed in the Identity Engine Upgrade Hub. These items ensure that your org is compatible with Identity Engine and that you understand changes that affect your environment.

Action items fall into two categories:

Acknowledgment items
Review a change, confirm that you understand the impact, and select a checkbox. No configuration change is required.
Configuration items
Make a specific change in your org by following a remediation guide.

Before you begin

  • Confirm that you have Super Admin permissions in your Okta org.
  • Verify that your org is eligible for a self-service upgrade. The Self-service upgrade notification appears on the Admin Dashboard when your org is eligible.
  • Review the Self-service upgrade process to understand the two-step upgrade sequence.
  1. Sign in to the Admin Console as a Super Admin.
  2. On the Admin Dashboard, click Schedule upgrade in the Self-service upgrade to Okta Identity Engine notification.
    The Identity Engine Upgrade Hub opens and displays your action items organized by category.
  3. Complete each acknowledgment item.

    Acknowledgment items inform you about features or behaviors that change after the upgrade. The following items are common, though your org may show a different set based on your configuration.

    Table 1. Common acknowledgment items
    Item What changes
    Okta Mobile End-user experience changes after upgrade. Okta Verify replaces Okta Mobile.
    Office 365 Custom User Agent MFA password behavior changes for Office 365 integrations.
    Custom app login Custom app login pages work differently in Identity Engine. Available only to orgs that previously used this feature.
    Self-service registration Self-service registration moves to a profile enrollment policy model in Identity Engine.
    AWS Federation (AWS CLI) Federation flow changes may affect AWS CLI authentication.
    Factor Enrollment Policy set to Do Not Enroll Policies with Do Not Enroll settings need review. Identity Engine uses authenticator enrollment policies instead.
    1. Read the item description and linked documentation.
    2. Confirm that you understand the impact to your org.
    3. Select the acknowledgment checkbox.
    4. Click Submit or Save.
  4. Complete each configuration item.

    Each configuration item links to a remediation guide. The following items are common, though your org may show a different set based on your configuration.

    Table 2. Common configuration items
    Item What to do
    Agentless Desktop SSO Configure or migrate your agentless desktop SSO setup.
    Integrated Windows Authentication (IWA) Remove IWA routing rules from your org.
    Sign-In Widget version Upgrade to a supported version of the Okta Sign-In Widget.
    Device Trust Mobile Authentication Disable or migrate your Device Trust mobile setup before upgrade.
    Duo Security custom IdP Rename your Duo Security custom Identity Provider.
    Email as an optional authenticator Review your email authenticator configuration for Identity Engine compatibility.
    Mobile device management attestation Review MDM attestation settings.
    1. Click the item to open the remediation guide.
    2. Follow the remediation steps.
    3. Return to the Okta Identity Engine Upgrade Hub.
    4. Mark the item as complete.
  5. Click Check eligibility or Update eligibility.

    The system runs validation against your org configuration.

    If all items pass, a confirmation indicates that your org is eligible to schedule the upgrade. If items still show as incomplete or new blockers appear, resolve them and run the eligibility check again.

When all action items are resolved and your org passes the eligibility check, you can schedule your upgrade from the Identity Engine Upgrade Hub.

Issue Resolution
An action item doesn't appear resolved after completing the steps Click Check eligibility to refresh the validator status.
New action items appear after resolving others The validator may detect other items after the initial blockers are cleared. Complete the new items and run the eligibility check again.
Eligibility check fails with no clear action item Contact Okta Support for assistance.