This article provides answers to frequently asked questions regarding the Enhanced Disaster Recovery Self-Service feature.
- Enhanced Disaster Recovery (EDR)
Enhanced DR is designed to remediate issues where the underlying cloud service provider’s infrastructure experiences compute, storage, or networking problems that impact core Okta services. Symptoms may include elevated authentication failure rates, increased latency, HTTP error codes (e.g., 500), or an inaccessible login page.
Enhanced Disaster Recovery does NOT provide protection against:
- Request floods, including DoS or DDoS attacks.
- Issues with ISV vendors and application connections.
- Code-related issues that are affecting Okta services.
- Bad actors deleting or modifying data.
- Unintended configuration mistakes caused by Customer Admins or incorrectly applying Okta configurations.
Enhanced Disaster Recovery Self-Service FAQ
| | Question | Answer |
|---|---|---|
| 1 | Who is eligible to use Enhanced DR Self-Service? | Only customers who have purchased the Enhanced Disaster Recovery add-on can use the Self-Service feature. |
| 2 | How do I set up the Self-Service feature? | While in Early Access (EA), Enhanced DR customers must enable the EA feature flag for Enhanced DR Self-Service through Settings > Features in the Admin Console. This step must be repeated for every Production organization requiring Self-Service. Once enabled, an Okta Disaster Recovery Admin application will be added to the end-user dashboard for all Super Admins for that organization. Once Generally Available (GA), Enhanced DR Self-Service will be automatically enabled for all protected production organizations. |
| 3 | Who can initiate a failover and failback? | By default, Super Admins have permission to fail over and fail back an org. A custom role can also be created to assign additional users who may need failover and failback permissions, but not Super Admin permissions. |
| 4 | Can I use Self-Service to test failover and failback? | Yes. Customers do not need to coordinate with Okta to test the failover and failback of their Okta organization(s). |
| 4 | What authenticators are supported by the Disaster Recovery Admin app? | Only the following authenticators are supported:<br>NOTE: In order for Okta Verify to work correctly, you must be running Okta Verify 9.57 for iOS and macOS, 8.20 for Android, and 6.7 for Windows. |
| 5 | If I use Self-Service to fail over, will Okta fail me back to the primary region once the incident is resolved? | No. Okta may not always know the reason for the customer-initiated failover. The customer is responsible for the failback if Self-Service is used. |
| 6 | I’m using WebAuthn Passkeys as an authenticator. Can I use my existing keys to log in to the Okta Disaster Recovery Admin app? | Please create a custom Relying Party ID in Security > Authenticators and set it to your subdomain `<subdomain>.okta.com`. For more information, refer to the WebAuthn authenticator product documentation. |
| 7 | How does Self-Service work with orgs using Org2Org? | Customers must create a user with the correct permissions for each org that Enhanced DR is enabled for. Federated login from the hub breaks phishing-resistant MFA due to SAML request/response mismatches. Additionally, the hub org may be unavailable during an actual outage, preventing federated access to the spoke org's Okta Disaster Recovery Admin application. |
