Eligibility tasks

There are certain configuration tasks that you must complete before your org is eligible for self-service upgrade. After the configurations are complete, the self-service upgrade notification appears on your Admin Dashboard and you can schedule your upgrade.

Update event hook endpoints. If your org uses an event hook endpoint that depends on the phone number field, update the endpoint to handle its new location.

Update Event hook endpoints

Prepare Okta Mobile users for the upgrade. Okta Mobile isn't available after the upgrade.

Prepare Okta Mobile users for upgrade

Turn off Device Trust for mobile devices.

This doesn't apply to Classic Engine orgs using Workspace ONE SAML-based mobile device trust. These orgs can upgrade to Identity Engine and use Workspace ONE to evaluate device posture. See Replace Workspace ONE SAML-based mobile device trust with Okta FastPass.

Follow the migration steps to ensure that Device Trust continues to work after the upgrade.

Turn off Device Trust on mobile devices.

Delete IWA routing rules. Okta IWA agent isn't supported.

Delete Integrated Windows Authentication routing rules

Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on

Migrate from the AWS Command Line Interface. Identity Engine doesn't support older AWS CLI tools. To determine if you use the AWS CLI, search for the following in your System Log (not comprehensive):

  • gimme-aws-creds

  • saml2aws

  • okta-awscli

If you require CLI access, upgrade using one of the following methods:

  • Switch to the AWS IAM Identity Center before upgrading to Identity Engine. The Okta AWS SSO app is SAML-based, and the Okta AWS CLI interacts with AWS IAM using AssumeRoleWithSAML (see next item). Okta doesn't currently have an OIDC-based AWS federation app.

  • Use the Okta AWS CLI application post-upgrade. The okta-aws-cli Command Line Interface is native to Identity Engine.

    Because the CLI requires the Identity Engine policy framework, continue using the current solution until the upgrade is complete. To test workstation configuration prior to the upgrade, see Test AWS CLI on Classic Engine.
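One way to run the System Log search described above offline, as an added example that is not Okta's code: it scans an exported list of System Log events for the tool names and groups the matches by actor. The export shape (a JSON array of events carrying `actor.alternateId`) and the sample events are assumptions constructed for this illustration.

```python
import json
from collections import defaultdict

# Search terms from the page; the page itself says the list is not comprehensive.
LEGACY_CLI_TERMS = ("gimme-aws-creds", "saml2aws", "okta-awscli")

# Constructed sample export (assumed shape: JSON array of System Log events).
SAMPLE_EXPORT = json.dumps([
    {"eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "gimme-aws-creds constructed-sample"}}},
    {"eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 constructed-sample"}}},
    {"eventType": "user.authentication.sso",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"userAgent": {"rawUserAgent": "saml2aws constructed-sample"}}},
    {"eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"rawUserAgent": "Okta-AWSCLI constructed-sample"}}},
])

def iter_strings(node):
    """Yield every string value nested anywhere inside a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def find_legacy_cli_users(export_text, terms=LEGACY_CLI_TERMS):
    """Map each matched term to the sorted actors whose events mention it."""
    hits = defaultdict(set)
    for event in json.loads(export_text):
        # Case-insensitive keyword match over every string field of the event.
        haystack = " ".join(iter_strings(event)).lower()
        actor = (event.get("actor") or {}).get("alternateId") or "unknown"
        for term in terms:
            if term in haystack:
                hits[term].add(actor)
    return {term: sorted(actors) for term, actors in hits.items()}

if __name__ == "__main__":
    for term, actors in find_legacy_cli_users(SAMPLE_EXPORT).items():
        print(f"{term}: {', '.join(actors)}")
```

An empty result doesn't prove the tools are unused, because the term list isn't comprehensive.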

Use Sign-In Widget version 5.11.0 or later. If you use a custom Okta-hosted sign-in page, check the Sign-In Widget version. If it's earlier than 5.11.0, upgrade to the latest version. Remove the deprecated JavaScript methods.

Upgrade your widget

Deprecated JavaScript methods in the widget

Prepare your custom sign-in page. Custom sign-in pages may not work after you upgrade to Identity Engine. Prepare your deployment model for the upgrade.

Prepare your customizations for upgrade

Review SDK documentation. If your org uses the Okta SDKs for authentication and you're planning to move to Okta FastPass, review the docs:

Okta, Inc GitHub

Okta Identity Engine for Okta Developers

Disable State Token All Flows or ignore the warning. State Token All Flows (STAF) isn't compatible with Identity Engine. If STAF is enabled in your Classic Engine org, you receive a warning. If you choose not to disable STAF, dismiss this warning and proceed with the upgrade.

Build a test OIDC app. If you need a test app to demonstrate the end-to-end authentication experience before and after you upgrade, you can build a custom app with Okta SDKs.

Sign users in to your SPA using the redirect model and Auth JS

Prepare Terraform for the upgrade. If you use Terraform to manage one or more Okta tenants, ensure that you have the latest version of the Terraform provider and your script files are in sync.

Prepare Terraform for upgrade

Skip auto-enrollment of the email authenticator.

If your org has a factor enrollment policy where email is set to optional or if your org doesn't use MFA, you can skip auto-enrolling the email authenticators for your end users.

Skip auto-enrolling email authenticator