Eligibility tasks

There are certain configuration tasks you must complete before your org is eligible for self-service upgrade. Once the configurations are complete, the self-service upgrade notification appears on your Admin Dashboard and you can schedule your upgrade.

Task	Description
Update event hook endpoints.	If your org uses an event hook endpoint that depends on the phone number field, update the endpoint to handle its new location. Update Event hook endpoints
Prepare Okta Mobile users for the upgrade.	Okta Mobile isn't available after the upgrade. Prepare Okta Mobile users for upgrade
Disable Okta Mobility Management.	Identity Engine doesn't support Okta Mobility Management. Disable Okta Mobility Management
Turn off Device Trust for mobile devices.	Follow the migration steps to ensure that Device Trust continues to work after the upgrade. Turn off Device Trust on mobile devices
Delete IWA routing rules.	Okta IWA agent isn't supported. Delete Integrated Windows Authentication routing rules Migrate from Integrated Windows Authentication to agentless Desktop Single Sign-on
Migrate from the AWS Command Line Interface.	Identity Engine doesn't support older AWS CLI tools. To determine if you use the AWS CLI, search for the following in your System Log (not comprehensive): gimme-aws-creds saml2 aws okta-awscli If you require CLI access, upgrade using one of the following methods: Switch to the AWS IAM Identity Center before upgrading to Identity Engine. The Okta AWS SSO application is SAML-based, and the Okta AWS CLI interacts with AWS IAM using AssumeRoleWithSAML (see next item). Okta doesn't have an OIDC-based AWS federation application at this time. Use the Okta AWS CLI application post-upgrade. The okta-aws-cli Command Line Interface is native to Identity Engine. Because the CLI requires the Identity Engine policy framework, continue using the current solution until the upgrade is complete. To test workstation configuration prior to the upgrade, see Test AWS CLI on Classic Engine.
Use Sign-In Widget version 5.11.0 or later.	If you use a custom Okta-hosted sign-in page, check the Sign-in Widget version. If it's earlier than 5.11.0, upgrade to the latest version. Remove the deprecated JavaScript methods. Upgrade your widget Deprecated JavaScript methods in the widget
Review SDK documentation.	If your org uses the Okta SDKs for authentication and you're planning to move to Okta FastPass, review the docs: Okta, Inc GitHub Okta Identity Engine for Okta Developers
Disable State Token All Flows or ignore the warning.	State Token All Flows (STAF) isn't compatible with Identity Engine. If STAF is enabled in your Classic Engine org, you receive a warning. If you choose to not disable STAF, dismiss this warning and proceed with the upgrade.
Build a test OIDC application.	If you need a test app to demonstrate the end-to-end authentication experience before and after you upgrade, you can build a custom app with Okta SDKs. Sign users in to your SPA using the redirect model and Auth JS
Prepare Terraform for the upgrade.	If you use Terraform to manage one or more Okta tenants, ensure that you have the latest version of the Terraform provider and your script files are in sync. Prepare Terraform for upgrade