User16370330549592969269 (Customer Support Online Experience) asked a question.
Interested in upgrading to Okta Identity Engine (OIE), but have questions about the process? How will my users be impacted? What is this config change requirement? What am I consenting to? Perhaps you’re already on OIE, but have questions about new features/functionality. What strategy should I employ to roll out FastPass? What are the security and user experience benefits?
No matter your questions, we have answers! Bring your questions and join a panel of OIE experts on Wednesday, November 15, at 12 p.m. for a special live virtual OIE Meetup session dedicated entirely to audience questions.
Get a head start by submitting your questions in advance by replying to this discussion thread using the ‘Answer’ button. And register for the live session here:
https://okta.zoom.us/webinar/register/4116972178952/WN_38ACpNrgRXKgPU3JqyRS0Q
Can’t make the live virtual meet-up on November 15? We’ve got you covered! You can still submit questions. Then, our panel of OIE product experts will provide written comprehensive answers no later than November 17 at 5 p.m. EST.

Hi Leila,
My feature requests are in Ideas. I hope they can be on the roadmap ASAP. I find the time is too early for my timezone; I can't join the meeting.
https://ideas.okta.com/app/#/case/150220
https://ideas.okta.com/app/#/case/171649
https://ideas.okta.com/app/#/case/182135
https://ideas.okta.com/app/#/case/183461
https://ideas.okta.com/app/#/case/183464
https://ideas.okta.com/app/#/case/190233
https://ideas.okta.com/app/#/case/105813
Hi @a0n5s (a0n5s), thank you for bubbling these back up. The feature requests that are in the 'Product Review' status have hit the right level of engagement we're looking for and have therefore been moved to Product. I will follow up with the assigned Product team member on what the status is and ask them to provide you with an update.
The Ideas that you shared that are in the 'awaiting feedback' status are open for voting. Votes are an important signal to our team about the demand for a feature or enhancement, and we consider them when building our roadmap. We encourage you to search for your request within Okta Ideas, as your fellow community peers may have already submitted a similar idea. We will be removing duplicate requests.
Does Okta have a tenant security hardening document based on CIS security or something similar?
Few Questions:
The Okta documentation is a bit confusing
The below doc calls out that SSO extension might fail if Okta hasn't been configured as a Certificate Authority with dynamic SCEP.
https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/config-credential-sso-ext-macos.htm
The below doc calls out: "If you're using Workspace ONE, use static SCEP. Workspace ONE has known issues with dynamic SCEP." (I know this is a Windows doc, but I'm not sure if this Workspace ONE issue applies to Mac too.)
https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-win-ws1.htm
So does this indirectly mean I cannot do Mac SSO Extension if I have WS1?
Scenario: Okta Classic, Microsoft 365 WS-Fed with Okta, Windows Hello for Business (WHFB) configured in accordance with published Okta best practices: Use Okta MFA for Azure Active Directory | Okta
During OIE pre-flight eligibility checks, we received the following Action Item:
Office 365 Pass Claim for MFA is enabled
Once upgraded to Okta Identity Engine, Authentication Policy rules must be configured for MFA in order to satisfy the requirement for passing this claim to Azure AD.
When researching this item, the Okta documentation previously called this a "limitation" of the Classic Engine but has since reworded that language to the following:
[In Okta Classic]...the MFA prompt from the Okta Sign On Policy alone would satisfy the requirement for the MFA claim to be sent to Microsoft. In OIE that is not possible anymore. All the Authentication Policy rules that allow access must have MFA required in order for this claim to be sent.
What does this exactly mean?
Reading it at face value, it states the Classic Engine fulfills the Azure AD MFA requirement, without ever prompting the user. And since this cannot happen in OIE, the user must complete the MFA request. Will users receive a step-up authentication for MFA after upgrade to OIE that they are not receiving today due to the way the Classic Engine satisfies the MFA requirement on behalf of the user?
Hopefully someone who has upgraded from Classic to OIE who is configured similarly with Azure AD (aka Entra) and Windows Hello can tell us what they experienced after the upgrade to OIE and if there were issues of concern, and if so, how the issues were resolved.
Thank you,
J
Hello,
I have enforced Okta Verify for all users with 100% enrollment.
How easy is it now to go passwordless?
FastPass is enabled and prompting for password - thanks