The OIE upgrade is “Eligible with warning” due to the potential impact on user experience.
Telemetry detected that a custom sign-in experience built on the AuthN API is actively in use. The upgrade can proceed. However, adopting the OIE functionality will take effort.
Potential Experience Impact
Level of Effort for Upgrade to Parity: High. CIAM (customer experience) deployments have a low tolerance for any user experience changes associated with the OIE improvements. Hence, these customers should investigate a bit further to understand the limited impacts during the upgrade.
The following guides help highlight the feature changes:
- General Upgrade Guidance:
- For post-upgrade adoption of new OIE capabilities:
Verify
- Account Activation Flow [Email Templates]
  - [Admin/API/Directory Initiated]
    - fromURI in email template
    - Payload activationToken into Custom AuthN API
  - [Custom SDK/Management API]
    - Custom/External Email?
    - fromURI in email template
    - Payload recoveryToken into Custom AuthN API
- Email Template modifications Activation & Recovery
  - Used to divert to the Custom Embedded application
- Custom Password Recovery Flow
- AuthN API usage
  - “Audience” param not supported
- Sessions API Usage
PRE-Upgrade Modifications
- No changes are REQUIRED prior to upgrade to Okta Identity Engine
- The /authn API will continue to work in a "classic mode" in Identity Engine to make the upgrade transition easier
Post-Upgrade Parity (Classic Mode)
- Discovery Dependent: Email Templates
Post-Upgrade Enhanced Experience (OIE Functionality)
- Option 1: Shift from API to Federation Model (Okta hosted)
  - Advancements in Identity Engine extensibility may deprecate the need for a customer-hosted sign-in experience.
- Option 2: Shift from API to Embedded SDK
- Option 3: Shift from API to Direct Authentication API
A good starting point for understanding the Redirection vs Embedded Authentication models:
