In preparation for upgrading to the Okta Identity Engine (OIE), it is necessary to establish specific configurations that will facilitate a successful transition and ensure that the organization can take advantage of the latest Identity Engine features.

This article discusses the scenario where the Okta Verify One Time Password (OTP) has been disabled while the Okta Verify Push is enabled. Okta Identity Engine (OIE) does not support this configuration, which may cause issues during the upgrade process. A warning message will be displayed in the Okta Admin Console.

 

• Okta Classic Engine
• Enrollment Policies
• Okta Verify
• Multi-Factor Authentication (MFA)

In this scenario, Okta Verify OTP has been disabled while Okta Verify Push is enabled. This configuration is not supported by OIE and may cause issues during the upgrade process.

 

The administrator modified this via API calls since it cannot be done through the user interface. This was done using the PUT call {{url}}/api/v1/policies/{{policyId}}/ using this body example:

{
"type": "MFA_ENROLL",
"id": "00p3tlpt14RvdU9Kw697",
"status": "ACTIVE",
"name": "Default Policy",
"description": "The default policy applies in all situations if no other policy applies.",
"priority": 7,
"system": false,
"conditions": {
"people": {
"groups": {
"include": [
"00g15l91ziQyWeQMW697"
]
}
}
},
"settings": {
"factors": {
"okta_otp": {
"enroll": {
"self": "NOT_ALLOWED"
},
"consent": {
"type": "NONE"
}
}
}
}
}

Running GET to {{url}}/api/v1/policies?type=MFA_ENROLL will give this output:

{
"id": "00p1f7r40lzYo94SU0h8",
"status": "ACTIVE",
"name": "Default Policy",
"description": "The default policy applies in all situations if no other policy applies.",
"priority": 5,
"system": true,
"conditions": {
"people": {
"groups": {
"include": [
"00g20t949fAHQFFSTZJN"
]
}
}
},
"created": "2018-01-07T18:51:57.000Z",
"lastUpdated": "2022-09-14T14:43:39.000Z",
"settings": {
"factors": {
"okta_otp": {
"enroll": {
"self": "NOT_ALLOWED"
},
"consent": {
"type": "NONE"
}
},
"okta_push": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
},
"google_otp": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
},
"duo": {
"enroll": {
"self": "REQUIRED"
},
"consent": {
"type": "NONE"
}
},
"okta_password": {
"enroll": {
"self": "OPTIONAL"
},
"consent": {
"type": "NONE"
}
}
}
}

This can be seen now: "okta_otp": {"enroll": {"self": "NOT_ALLOWED"} while "okta_push": {"enroll": {"self": "OPTIONAL"}. The configuration shows that enrollment for Okta Verify OTP has been disabled, while the option for Okta Verify Push remains.

In the past, there was an issue that has since been fixed. Previously, it was possible to alter either the Okta Verify OTP or Okta Verify Push independently. Currently, modifying either the Okta Verify OTP or Okta Verify Push alone is not possible, as changes made to one will affect the other simultaneously. This was blocking the automatic upgrade to Okta Identity Engine.

To fix the problem, the administrator needs to modify the status of Okta Verify once within the enrollment policy via the user interface. This action will reset any changes previously made using the API call. Afterward, the status can be reverted to its original state (for instance, if the current status is OPTIONAL, change it to REQUIRED, click on Update Policy, and then change it back to OPTIONAL).

 

Once the problem has been resolved, the Okta Admin Console should exhibit this message if there is a planned upgrade to Okta Identity Engine: