Updates OIE Upgrade docs 2022.08.11 #371

Merged
merged 1 commit into from
Aug 11, 2022
Updates OIE Upgrade docs 2022.08.11
Resolves OKTA-523465
IanHakes-okta committed Aug 11, 2022
commit 46065d3b368066b7df75a63fffb24b7c4e2a09f8
@@ -309,9 +309,9 @@ <h1>Device Trust upgrade considerations</h1>
<p>Be aware of the following before you upgrade to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span>:</p>
<h3>Upgrade to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> when Push and TOTP are already enabled in your <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> org</h3>
<ul>
<li><b>Users continue to be enrolled in Push and Temporary One Time Password (TOTP) factor</b>: End users already enrolled in Push and TOTP factors before you upgrade continue to be enrolled in those factors after upgrade. On mobile devices, <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> with Push enrollments don't work in <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> if the <b>Hardware protected</b> constraint is enabled in the app sign-on policy (see <a href="https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/known-issues.htm" target="_blank" title="Device Trust on Identity Engine known issues" alt="https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/known-issues.htm">Device Trust on Identity Engine known issues</a>). Also, end users may see additional settings in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>.</li>
<li><b>Device enrollment in Okta Universal Directory</b>: In an <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> org, when a user enrolls in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>, Okta creates a device record in the Okta Universal Directory, which binds the user to the device and <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> app instance. The device is now registered. Registered devices appear in the Okta <span class="mc-variable okta-feature-names.Administrator_dashboard variable">Admin Console</span> under <b>Directory</b> &gt; <b>Devices</b>. Users may need to register their device when trying to access an app configured to require devices to be registered. </li>
<li><b>Users can enroll multiple devices in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span></b>: Unlike the one-device per-user limitation in <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span>, end users in <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> orgs can enroll more than one device in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>. When end users add a new account in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> on an additional device(s), they are:</li>
<li>Users continue to be enrolled in Push and Temporary One Time Password (TOTP) factor: End users already enrolled in Push and TOTP factors before you upgrade continue to be enrolled in those factors after upgrade. On mobile devices, <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> with Push enrollments don't work in <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> if the <span class="uicontrol">Hardware protected</span> constraint is enabled in the app sign-on policy (see <a href="https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/known-issues.htm" target="_blank" title="Device Trust on Identity Engine known issues" alt="https://help.okta.com/oie/en-us/Content/Topics/identity-engine/devices/known-issues.htm">Device Trust on Identity Engine known issues</a>). Also, end users may see additional settings in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>.</li>
<li>Device enrollment in Okta Universal Directory: In an <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> org, when a user enrolls in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>, Okta creates a device record in the Okta Universal Directory, which binds the user to the device and <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> app instance. The device is now registered. Registered devices appear in the Okta <span class="mc-variable okta-feature-names.Administrator_dashboard variable">Admin Console</span> under <span class="uicontrol">Directory</span> &gt; <span class="uicontrol">Devices</span>. Users may need to register their device when trying to access an app configured to require devices to be registered. </li>
<li>Users can enroll multiple devices in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>: Unlike the one-device per-user limitation in <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span>, end users in <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> orgs can enroll more than one device in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span>. When end users add a new account in <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> on an additional device(s), they are:</li>
<ul>
<li>Automatically enrolled in Push and TOTP factors on the new device.</li>
<li>Okta registers the device by creating a device record in Okta Universal Directory that binds the user to the device+<span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> app instance.</li>
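Review bot: The three replacement <li> items ("Users continue to be enrolled in Push and Temporary One Time Password (TOTP) factor", "Device enrollment in Okta Universal Directory", "Users can enroll multiple devices in Okta Verify") lose their bold lead-in labels with nothing put in their place; only Hardware protected, Directory and Devices receive the new uicontrol span. If the labels are meant to stay visually distinct from the body text, give them an explicit inline style rather than leaving them bare, otherwise each item now reads as one undifferentiated run. While the third item is being touched, "on an additional device(s)" could become "on additional devices", and the unchanged sub-item "Okta registers the device by creating a device record..." does not follow grammatically from "they are:".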
@@ -321,19 +321,19 @@ <h3>Upgrade to <span class="mc-variable okta-feature-names.Identity_Engine varia
<ul>
<li>The account continues to work as before.</li>
<li> Once upgraded to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span>, the user can't add another <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> account in the same Okta org.</li>
<li>A <b>Set up</b> button appears in the <b>This device</b> authentication method in the app's Account Details. The button allows the user to enable their Okta Verify account to use their device as an authenticator (a <b>Way to sign in</b>). If the user clicks <b>Set up</b> in their other account, an error appears and the method is not enabled in that account.</li>
<li>A <span class="uicontrol">Set up</span> button appears in the <span class="uicontrol">This device</span> authentication method in the app's Account Details. The button allows the user to enable their Okta Verify account to use their device as an authenticator (a <span class="uicontrol">Way to sign in</span>). If the user clicks <span class="uicontrol">Set up</span> in their other account, an error appears and the method is not enabled in that account.</li>
</ul>
<h3>Upgrade to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> when a user has multiple <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> accounts in a single org</h3>
<div>
<p><span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> orgs don't support adding more than one <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> account per org. But in an upgrade scenario from <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> in which users created more than one <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> account while in the <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> org, the following expected behavior is enforced:</p>
<p>Given a user in an Okta Classic org with two <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> accounts for that org and then the org is upgraded to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span>:</p>
<ul>
<li>Both accounts continue to work as before. </li>
<li>In both accounts, a <b>Set up</b> button appears in the <b>This device</b> authentication method in the app's Account Details. The button allows the user to enable <u>one</u> of the Okta Verify accounts created in <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> to use their device as an authenticator (a <b>Way to sign in</b>). If, after updating one such account, the user clicks <b>Set up</b> to enable the method in their other account, an error appears and the method is not enabled in that account. This is expected behavior.</li>
<li>In both accounts, a <span class="uicontrol">Set up</span> button appears in the <span class="uicontrol">This device</span> authentication method in the app's Account Details. The button allows the user to enable one of the Okta Verify accounts created in <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> to use their device as an authenticator (a <span class="uicontrol">Way to sign in</span>). If, after updating one such account, the user clicks <span class="uicontrol">Set up</span> to enable the method in their other account, an error appears and the method is not enabled in that account. This is expected behavior.</li>
</ul>
</div>
<h3>Revert back to <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> from <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span></h3>
<p>If you ask your Okta account team to revert your org back to <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span>, push and TOTP will continue to be enabled for your org by default whether or not these factors were enabled for your <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> org before you upgraded to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> If this not desirable, deactivate <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> in your org. Go to <b>Security</b> &gt; <b>Multifactor</b> &gt; <b>Factor Types</b>, select <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> and then select <b>Deactivate</b>.</p>
<p>If you ask your Okta account team to revert your org back to <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span>, push and TOTP will continue to be enabled for your org by default whether or not these factors were enabled for your <span class="mc-variable okta-feature-names.Classic_Engine variable">Classic Engine</span> org before you upgraded to <span class="mc-variable okta-feature-names.Identity_Engine variable">Identity Engine</span> If this not desirable, deactivate <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> in your org. Go to <span class="uicontrol">Security</span> &gt; <span class="uicontrol">Multifactor</span> &gt; <span class="uicontrol">Factor Types</span>, select <span class="mc-variable okta-feature-names.Okta_Verify variable">Okta Verify</span> and then select <span class="uicontrol">Deactivate</span>.</p>
<h2>Related topics</h2>
<p><a href="migrate-from-dt-to-fp.htm" class="MCXref xref">Migrate Device Trust to Okta FastPass</a>
</p>
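Review bot: The rewritten revert paragraph still carries two text errors from the line it replaces: there is no period between the closing Identity Engine span and "If this", and "If this not desirable" is missing "is". The line is already being changed for the uicontrol markup, so fix both in this commit. In the multiple-accounts item, the <u>one</u> emphasis is dropped without a replacement; it was the only cue that just one of the Classic Engine accounts can enable the method, so consider keeping some emphasis there. "Okta Verify" in both Set up items is plain text, while the rest of the page uses the Okta_Verify variable span.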