Set up your test environment
Create a test environment to validate your Identity Engine upgrade before upgrading production. Use a Preview org, free trial, or automation tools.
Before upgrading your Production org from Classic Engine to Identity Engine, set up a test environment where you can rehearse the upgrade safely. This lets you identify issues, validate configurations, and confirm that user flows work correctly without risk to production.
Why you need a test environment
- Validate that your current policies, sign-in flows, MFA, and app integrations work after upgrade.
- Identify breaking changes in custom code, embedded Sign-In Widget, or API use.
- Test remediation steps before applying them to production.
- Confirm that the end-user experience meets expectations.
- Build confidence before scheduling the production upgrade.
Test environment approaches
| Approach | Best for | Limitations |
|---|---|---|
| Preview org (recommended) | Full dress rehearsal of the upgrade process | Requires an existing Preview org or purchasing one. It must mirror the production config. |
| Free trial or Integrator Free Plan org | App and developer testing (Sign-In Widget, SDKs, API flows) | Not a true migration rehearsal. It doesn't test the upgrade process itself. |
| Terraform or automation-based copy | Repeatable, large-scale org replication | Requires Terraform expertise. Okta doesn't fully document this process. |
| Manual org creation | Simple configurations and small orgs | Time-consuming. Difficult to keep in sync with production. |
- Preview org (recommended)
-
A Preview org is the closest match to a production upgrade rehearsal. You upgrade the Preview org first, using the same self-service upgrade process, then validate the results.
- The Preview org should match your production configuration as closely as possible.
- You can use Bookmark Apps instead of replicating every SAML app in Preview.
- If you don't have a Preview org, contact Okta to purchase one.
- Free trial or Integrator Free Plan org
-
Use this as a secondary sandbox for testing app code, Sign-In Widget behavior, and SDK flows against an Identity Engine environment. This is useful for developer testing, but doesn't replicate the upgrade process.
- Terraform or automation-based approach
-
- Export your Production org configuration using the Okta Terraform provider.
- Import it into a new Classic Engine org.
- Apply the upgrade preparation changes.
- Upgrade the test org.
- Validate.
- Repeat as needed.
What to bring into your test environment
| Category | What to replicate | Notes |
|---|---|---|
| Policies | Global session policies, MFA enrollment policies, app sign-on policies | Create at least one test user per policy path. |
| Sign-In Widget | Custom branding, CSS, JavaScript customizations | Critical if using an embedded widget |
| Custom domains | Custom URLs, Trusted Origins, CORS settings | Needed for custom sign-in page testing |
| Apps | High-risk apps (SAML, OIDC, SCIM, embedded auth) | Use Bookmark Apps for low-risk SAML apps. |
| Authentication code | Embedded Sign-In Widget, AuthJS, server-side auth code | Search Trusted Origins and System Log for /api/v1/authn,
/api/v1/sessions, and /api/v1/factors. |
| Device Trust | Okta Verify, managed certificates, IWA routing rules | Delete IWA routing rules before the upgrade. |
| Third-party tools | AWS CLI, Jamf Connect, Snowflake, or other integrations | Legacy tools that use Classic auth methods may break. |
Steps to set up and test
-
Inventory your Production org
Use the Identity Engine Upgrade Hub in the Admin Console to identify action items, customizations, and testing needs.
-
Create test users
Create at least one test user per policy path. Record how the following behave in Classic Engine:
- Okta sign-on policies
- MFA enrollment policies
- App sign-in policies
- Password recovery flows
See Validation tests.
-
Mirror high-risk configuration into your test environment
- Global session policies
- MFA and enrollment policies
- App sign-in policies
- Custom domains and branding
- Embedded Sign-In Widget apps
- Device Trust configuration
- SCIM apps
- Apps using Okta APIs or SDKs
-
Find the custom or embedded authentication code
Search Trusted Origins/CORS and System Log for:
/api/v1/authn/api/v1/sessions/api/v1/factors
-
Upgrade the test environment
In your Preview org, run the self-service upgrade:
- Complete all action items in the Upgrade Hub.
- Follow remediation guides.
- Schedule the upgrade.
- Test the upgraded org.
Most upgrades take only a few minutes.
See the Self-service upgrade process.
-
Run your tests after upgrade
- Global session policy behavior
- Authenticator enrollment
- App sign-in policies
- Password recovery
- Device Trust and Okta FastPass
- Self-Service Registration and Profile Enrollment
- SDKs and third-party tools
- End-user sign-in experience
See Test your upgrade.
-
Test app code in an Identity Engine sandbox
This step is especially important for embedded Sign-In Widget and SDK use cases. Embedded deployments need the Interaction Code flow in Identity Engine. Sign-In Widget v7+ enables Identity Engine by default.
Repeatable testing practices
- Document every configuration change you make in the test environment.
- Use Terraform or scripts to automate org provisioning where possible.
- Maintain a checklist of test scenarios that you run before and after upgrade.
- Keep test users and policy paths consistent across test runs.
- Store results so you can compare across iterations.
High-risk areas to test
Focus on areas where Identity Engine changes authentication behavior:
| Area | Why it matters |
|---|---|
| Sign-In Widget | Identity Engine changes the Sign-In Widget configuration and removes some Classic options. |
| Custom domain / custom login page | Classic custom sign-in pages may not work after upgrade. |
Embedded auth / AuthJS / /authn API |
The Classic Engine /authn API doesn't work with Identity Engine. |
| Device Trust | Identity Engine uses Okta Verify and managed certificates. Delete IWA routing rules. |
| Third-party tools (AWS CLI, Jamf Connect) | Older tools using Classic Engine auth methods may break. |
| End-user sign-in flow | Identity Engine may introduce identifier-first flows and different recovery behavior. |
After the upgrade
After the production upgrade, validate specific features and avoid unrelated setting changes for at least one week. See Post-upgrade checklist.