There are certain configuration tasks you must complete before your org is eligible for self-service upgrade. Once the configurations are complete, the self-service upgrade notification appears on your Admin Dashboard and you can schedule your upgrade.

| Task | Description |
| --- | --- |
| Update event hook endpoints. | If your org uses an event hook endpoint that depends on the phone number field, update the endpoint to handle its new location. |
| Prepare Okta Mobile users for the upgrade. | Okta Mobile isn't available after the upgrade. |
| Disable Okta Mobility Management. | Identity Engine doesn't support Okta Mobility Management. |
| Turn off Device Trust for mobile devices. | Follow the migration steps to ensure that Device Trust continues to work after the upgrade. |
| Delete IWA routing rules. | Okta IWA agent isn't supported. |
| Migrate from the AWS Command Line Interface. | Identity Engine doesn't support older AWS CLI tools. To determine if you use the AWS CLI, search for the following in your System Log (not comprehensive): If you require CLI access, upgrade using one of the following methods: |
| Use Sign-In Widget version 5.11.0 or later. | |
| Prepare your custom sign-in page. | Custom sign-in pages may not work after you upgrade to Identity Engine. Prepare your deployment model for the upgrade. |
| Review SDK documentation. | If your org uses the Okta SDKs for authentication and you're planning to move to Okta FastPass, review the docs: |
| Disable State Token All Flows or ignore the warning. | State Token All Flows (STAF) isn't compatible with Identity Engine. If STAF is enabled in your Classic Engine org, you receive a warning. If you choose to not disable STAF, dismiss this warning and proceed with the upgrade. |
| Build a test OIDC application. | If you need a test app to demonstrate the end-to-end authentication experience before and after you upgrade, you can build a custom app with Okta SDKs. |
| Prepare Terraform for the upgrade. | If you use Terraform to manage one or more Okta tenants, ensure that you have the latest version of the Terraform provider and your script files are in sync. |
| Skip auto-enrollment of the email authenticator. | If your org has a factor enrollment policy where email is set to optional or if your org doesn’t use MFA, you can skip auto-enrolling the email authenticators for your end users. |