Migrate from Okta
Step-by-step guide to migrate from Okta to TigerIdentity for dynamic access control
Migration Overview
This guide walks you through migrating from Okta (or any SAML/SCIM IdP) to TigerIdentity's continuous access control platform. The migration is incremental - you can keep Okta as your SSO provider while adding dynamic authorization.
Migration Strategy
We recommend a hybrid approach where Okta continues to handle authentication (SSO), while TigerIdentity takes over authorization (access control). This minimizes disruption and allows gradual rollout.
Timeline & Effort
Duration: 2-3 weeks for production migration
Effort: 1 security engineer + 1 app team lead
Downtime: Zero - parallel run before cutover
Planning
Audit current Okta configuration
Inventory Your Okta Setup
Document what you're currently using in Okta:
Users & Groups
- • How many users? (Active, suspended, deprovisioned)
- • Group structure and naming conventions
- • Custom user attributes (department, cost center, etc.)
- • Profile source (Okta, AD, HR system via SCIM)
Application Assignments
- • Which apps use Okta for SSO?
- • Group-based app assignments vs. individual
- • Custom claims/attributes sent to apps
- • Any custom authorization rules in Okta
Provisioning & Lifecycle
- • SCIM provisioning to downstream apps?
- • Automated deprovisioning on termination?
- • Lifecycle management hooks or workflows
Export Okta Data
# Use Okta API to export users and groups
# Install Okta CLI: https://cli.okta.com
# Export all users
okta users list --format json > okta-users.json
# Export all groups
okta groups list --format json > okta-groups.json
# Export application assignments
okta apps list --format json > okta-apps.json
# Get group memberships
okta group-members list --group-id <group-id> > group-members.jsonConnect Okta as Identity Source
Sync users and groups to TigerIdentity
Configure TigerIdentity to pull identity data from Okta via SCIM or Okta API.
Option A: SCIM Sync (Recommended)
# connectors/okta-scim.yaml
apiVersion: v1
kind: Connector
metadata:
name: okta-production
spec:
type: scim
config:
# Okta SCIM endpoint
endpoint: https://your-domain.okta.com/api/v1/scim/v2
# Authentication
auth:
type: oauth2
client_id: $OKTA_CLIENT_ID
client_secret: $OKTA_CLIENT_SECRET
token_url: https://your-domain.okta.com/oauth2/v1/token
# Sync settings
sync_interval: 15m # Sync every 15 minutes
full_sync_interval: 24h # Full resync daily
# What to sync
resources:
- users
- groups
- group_memberships
# Attribute mapping (Okta -> TigerIdentity)
attribute_mapping:
user:
email: emails[primary eq true].value
first_name: name.givenName
last_name: name.familyName
department: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
manager: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value
employee_id: externalId
job_title: title
cost_center: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter
group:
name: displayName
external_id: externalIdOption B: Okta API Connector
# connectors/okta-api.yaml
apiVersion: v1
kind: Connector
metadata:
name: okta-api-connector
spec:
type: okta
config:
domain: your-domain.okta.com
api_token: $OKTA_API_TOKEN # Create in Okta Admin > Security > API
sync_interval: 15m
# Additional Okta-specific data
sync_options:
include_suspended_users: false
include_app_assignments: true # Import app assignments as resources
include_admin_roles: true # Sync Okta admin rolesDeploy and Verify Sync
# Deploy connector
tigeridentity connector create -f connectors/okta-scim.yaml
# Trigger initial sync
tigeridentity connector sync okta-production --full
# Check sync status
tigeridentity connector status okta-production
# Verify user count matches
tigeridentity principals list --source okta-production --count
# Should match your Okta active user count
# Verify groups imported
tigeridentity groups list --source okta-productionPro Tip: Test with Read-Only First
Start with read-only sync to verify data flows correctly. Once validated, enable write-back if needed.
Map Users & Groups
Translate Okta attributes to TigerIdentity schema
Attribute Mapping Table
| Okta Field | TigerIdentity Field | Notes |
|---|---|---|
login | principal_id | Unique identifier |
email | email | Primary email |
profile.department | attributes.department | Used in policies |
profile.manager | relationships.manager | For approval workflows |
profile.title | attributes.job_title | Job title |
profile.employeeNumber | attributes.employee_id | HR system ID |
profile.costCenter | attributes.cost_center | For chargeback |
| Okta Group | groups[] | Multi-valued |
Group Mapping Strategy
TigerIdentity uses groups differently than Okta. In Okta, groups often directly grant app access. In TigerIdentity, groups are attributes used in policy evaluation.
Create Equivalent Policies
Convert Okta app assignments to TigerIdentity policies
Translate your Okta group-based access into dynamic TigerIdentity policies.
Example Translation
Before (Okta)
Group: engineering-prod-db-access
Members: 25 engineers
Apps: AWS (prod), Datadog
Access: Permanent, 24/7
After (TigerIdentity)
Policy: prod-database-jit-access
Who: department=engineering
What: environment=production, type=database
When: JIT with approval, 2h sessions
Policy Definition
# policies/migrate-from-okta-example.yaml
apiVersion: v1
kind: Policy
metadata:
name: prod-database-access
description: "Migrated from Okta group: engineering-prod-db-access"
spec:
# Resources (what)
resources:
- type: database
environment: production
# Default deny
default_decision: deny
rules:
# Engineers get JIT access with approval
- name: engineering-jit-access
effect: allow_with_approval
principals:
# Map from Okta groups
groups: [engineering, platform-team]
# Or use department attribute
department: engineering
actions: [query, admin]
approval:
required: true
approvers:
- type: manager
- type: group
group: database-admins
session:
max_duration: 2h
require_justification: true
# Database admins get longer sessions
- name: dba-extended-access
effect: allow_with_approval
principals:
groups: [database-admins]
actions: [query, admin, configure]
approval:
required: true
approvers:
- type: role
role: security_lead
session:
max_duration: 8h
# Break-glass emergency access
- name: emergency-access
effect: allow
principals:
groups: [oncall-engineers, database-admins]
context:
emergency: true
session:
max_duration: 4h
notifications:
- channel: slack
webhook: https://hooks.slack.com/services/...
message: "Emergency DB access: {principal} -> {resource}"Migration Tip
Start by replicating Okta's access model 1:1, then gradually introduce JIT and dynamic policies. Don't try to redesign everything on day one.
Parallel Run
Test TigerIdentity alongside Okta
Run both systems in parallel to validate TigerIdentity policies match Okta's behavior.
Audit Mode
# Deploy policies in audit mode (log only, don't enforce)
tigeridentity policy deploy prod-database-access \
--mode audit \
--duration 7d
# TigerIdentity will:
# 1. Evaluate every access request
# 2. Log what the decision WOULD be
# 3. NOT block any access
# 4. Compare to Okta's decision
# Review audit logs
tigeridentity audit query \
--policy prod-database-access \
--mode audit \
--output comparison.json
# Look for discrepancies
{
"total_requests": 1247,
"matches": 1198, # TigerIdentity and Okta agree
"discrepancies": 49, # Investigate these
"breakdown": {
"tigeridentity_allow_okta_deny": 12,
"tigeridentity_deny_okta_allow": 37
}
}Shadow Mode
Instrument your applications to call both Okta and TigerIdentity, but only enforce Okta's decision.
// Example: Shadow mode in application code
async function checkAccess(user, resource, action) {
// Production: Okta decision is enforced
const oktaDecision = await oktaClient.checkAccess(user, resource);
// Shadow: TigerIdentity evaluated but not enforced
const tigerDecision = await tigerIdentityClient.checkAccess({
principal: user.id,
resource: resource.id,
action: action,
mode: "shadow"
});
// Log discrepancies
if (oktaDecision.allowed !== tigerDecision.allowed) {
logger.warn("Access decision mismatch", {
user, resource, action,
okta: oktaDecision.allowed,
tigeridentity: tigerDecision.allowed
});
}
// Only enforce Okta for now
return oktaDecision.allowed;
}Parallel Run Checklist
- Run for at least 7 days to capture weekly access patterns
- Investigate all discrepancies (>95% match rate before cutover)
- Test break-glass and emergency access scenarios
- Validate approval workflows with real users
Cutover
Switch from Okta to TigerIdentity
Gradually migrate applications from Okta authorization to TigerIdentity.
Application-by-Application Rollout
Week 1: Internal Tools
Start with low-risk internal apps (monitoring dashboards, wikis)
Week 2: Development Environments
Dev and staging databases, cloud accounts
Week 3: Production (Non-Critical)
Production systems with lower blast radius
Week 4: Production (Critical)
Core production databases, payment systems
Switch to Enforce Mode
# Enable enforcement for specific app
tigeridentity policy deploy prod-database-access \
--mode enforce \
--scope '{"resources": {"app": "internal-dashboard"}}'
# Monitor for issues
tigeridentity audit tail --policy prod-database-access --live
# If all good, expand to more apps
tigeridentity policy deploy prod-database-access \
--mode enforce \
--scope '{"resources": {"environment": "development"}}'
# Finally, full production
tigeridentity policy deploy prod-database-access \
--mode enforce \
--scope all
# Verify Okta is no longer making authorization decisions
# (Keep Okta for SSO/authentication)Rollback Plan
Before cutover, ensure you can quickly rollback to Okta if issues arise:
tigeridentity policy deploy prod-database-access --mode disabledPost-Migration
Optimize and decommission Okta authorization
Clean Up Okta
Once TigerIdentity is fully handling authorization, you can simplify Okta:
- Remove app-specific access groups (keep organizational groups)
- Disable SCIM provisioning for apps now managed by TigerIdentity
- Keep Okta for: SSO, MFA, user lifecycle (optional)
- Potentially downgrade Okta license (fewer features needed)
Introduce Dynamic Features
Now that you're on TigerIdentity, add features impossible in Okta:
Context-Aware Policies
Deny access from untrusted IPs, require MFA for risky actions
JIT Access
Convert standing privileges to time-limited sessions
Risk-Based MFA
Step up auth for sensitive actions, not just login
Real-Time Revocation
Revoke access instantly on termination or incident
Common Gotchas
Nested Group Memberships
Okta supports nested groups; TigerIdentity flattens them during sync. Verify users have expected groups.
SAML Attribute Names
If you're using custom SAML attributes, ensure TigerIdentity can map them. Check attribute mapping config.
Deprovisioning Delays
Okta might deprovision users immediately, but TigerIdentity sync runs every 15min. Configure real-time webhooks for critical apps.
Service Accounts
Okta service accounts don't have managers. Use fallback approvers or auto-approval with logging for service account access.
Ready to Migrate from Okta?
Our migration team can help with planning and execution