Four best practices for adopting Okta Identity Engine

There’s never been a better time to upgrade to Okta Identity Engine (OIE). The self-service upgrade process has matured and helps ensure your org's upgrade will be successful. In fact, most upgrades take only a few minutes to complete.

Already on OIE? Skip ahead to No. 3 “Leverage OIE” to learn how you can strengthen your security posture.

Why upgrade to OIE?

OIE is a free platform upgrade that gives you the most options when it comes to accessing the latest innovations in Identity. OIE offers a new policy framework, enhanced security, and an improved user experience. Typical use cases for OIE include passwordless solutions, advanced device context, and supporting Zero Trust initiatives. Furthermore, OIE unlocks brand-new capabilities like Okta Desktop Access, passwordless access to privileged accounts, and Okta AI.

We’re here to set you up for success. With that in mind, let’s jump into four best practices for upgrading to OIE. 

1. Be prepared and have a plan 

Okta has a wealth of information out there about the OIE upgrade process. Make sure you’ve digested it. A great place to start is this “De-Mystifying the Upgrade” webinar — it’s full of tips and insights on what to expect with the upgrade process. Review the feature changes and read through the upgrade FAQ.

Next, create a plan for change management. You’ll want to inform your end users when the upgrade is occurring, what changes to expect, and where to report issues after the change window closes. Okta has a Launch Kit for Okta Admins to help with this process. It contains templates and resources you can use to communicate Okta updates to your team. Check it out! 

2. Upgrade and test in Preview first

Now, we test. It might go without saying, but you’ll want to test everything in Okta Preview first. Ensure that your preview org has the same configuration as your production org so you can work through the upgrade process step-by-step for a realistic idea of what it will look like in your production org. 

As you prepare to upgrade in Okta Preview, record your experience in Classic; after the upgrade, verify that the experience with OIE is the same. (Check out this Upgrade Test Matrix for a comprehensive spreadsheet to track your results.) Once you’ve tested all use cases in Okta Preview and confirmed the experience in OIE, you’re ready to shift your attention to production. 

(Note: If you have already upgraded your preview org, feel free to reach out to your account team to see if they can provision a new Okta Preview org for you to perform a test upgrade.)

One important thing to call out here is that we don’t recommend making policy changes before or immediately after the upgrade. The goal of this process is to upgrade your org from Classic to OIE with no downtime and minimal impact on your users. Let the upgrade handle the policy migration to OIE and then test the upgrade in Identity Engine. 

Once you’re satisfied that everything works as expected, you can start playing with the shiny new features.  

3. Leverage OIE to strengthen your security posture

Once you’ve let things settle down after the upgrade, it’s a great time to reevaluate your security posture. In OIE, app sign-on policies are now called authentication policies. Every app has one, but now you can share one policy across multiple apps.

Policies are evaluated by the following rule criteria:

  • Identity context (group membership)
  • Device context (whether a device is known, registered, or managed)
  • Device posture (the health of the device)
  • Network context (the network origin of the request)
  • Patterns of previous user behavior

In OIE, authentication policies are even more powerful and flexible, allowing you to fine-tune authentication requirements according to the resource's sensitivity. (During the upgrade, if your org has per-app policies or is using the default policies, Okta will merge the policies for you.)

Spend some time putting your org’s applications into groups based on assurance levels: low, medium, and high. (You can find more details on assurance levels here and the NIST official requirements here.) You may want to include your risk and compliance teams to help determine the levels. Each group can share an authentication policy, or you can take these groups and build a more fine-grained experience.

Read an illustrative example of implementing authentication policies that balance user convenience and security here: Setting the Right Levels of Assurance for Zero Trust

4. Explore new OIE features 

Now for the fun stuff! OIE is packed with powerful new features: the previously discussed shareable and flexible app policies, deeper device context, new recovery flows, and FastPass.

FastPass has been a game changer for many businesses. Phishing-resistant, passwordless authentication provides the balance we’re always trying to establish in Identity and Access Management: a seamless user experience with just the right level of security.

The “Going Password-less in OIE” webinar provides more details on FastPass and OIE’s new authentication policy flexibility.

FastPass is even more powerful and seamless when combined with OIE’s device enhancements. It starts evaluating the moment a user first logs in and continues silently monitoring every time a user opens a new application, providing assurance that the device hasn’t changed before allowing access to downstream applications.

Check out the “Deep Dive on Devices” webinar for more details on OIE’s enhanced device capabilities.

How Okta Identity Engine can work for you 

How could Okta Identity Engine improve your business? It helps increase productivity, for one thing. But it also provides an improved user experience and a boost in security. Best of all? These new features are currently available to your Okta org at no additional cost. Get started today.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.