Stormpath has joined Okta! This FAQ is intended to help Stormpath customers and users understand the impact to their applications and how to get help with migrating their applications.
Overview
What’s happening?
- The Stormpath team has joined Okta. Read more in our announcement blog post.
- The Stormpath APIs will remain in service until 8/17/2017 at noon PST.
- On that date and time, Stormpath APIs will be shut down.
- Stormpath users will be able to migrate their data into Okta, and may also export their Stormpath data to use as desired.
- Existing framework integrations for Java, Express and .NET will be updated to use Okta over the next several months. These will point your application to Okta with a simple version upgrade and minimal service disruption.
- If you’re connecting to Stormpath with a different framework, you can still move to Okta, but will need to integrate directly with the Okta API. Please contact [email protected] for assistance.
What level of service and support will Stormpath users get within 6 months?
- Existing Stormpath implementations will be supported during this time, via normal Stormpath support channels. Please email [email protected] for assistance.
- No new feature development on the Stormpath APIs will occur, but the service will be maintained until 8/17/2017. Ongoing status updates can be found on https://status.stormpath.com. Security, availability, and reliability will remain key values for everyone at Stormpath and Okta.
- The Stormpath SDKs will be in maintenance mode until 8/17/2017, when they will be decommissioned.
Migration
Can I get my data out of Stormpath?
- The Stormpath team built an export tool to automate export of data from your Stormpath tenant, including password hashes. You can find more information at https://stormpath.com/export
What is Okta?
- Much like Stormpath, Okta is an Identity API for Developers, offering authentication, authorization, and API access management for web, mobile, and API services. You can learn more or sign up for a free account at https://www.okta.com/developer/signup/stormpath
How do I migrate my service to Okta?
- To get familiar with Okta you can sign up for a free-forever developer account at https://www.okta.com/developer/signup/stormpath and start working with the Okta API immediately.
- You can easily import your Stormpath data into an Okta tenant. Please see http://developer.okta.com/documentation/stormpath-import for instructions and email [email protected] with any questions about the import functionality.
- Stormpath users have access to normal support channels to answer questions. Please email [email protected] for assistance.
- Applications moving to Okta can also get assistance by emailing [email protected]. Stormpath and Okta product and support teams are working together to ensure a seamless migration path that minimizes pain for development teams.
- Okta will also offer professional services for migrating Stormpath customers. Please contact your Okta sales representative to discuss further.
Will Okta provide the same features I use in Stormpath today?
- Many of our features overlap. With Okta you can perform authentication, authorization, social logins, two-factor authentication, SSO across apps, AD/LDAP integration, email customization, SAML integration, and much more. For a more detailed breakdown of feature support, please refer to our compatibility matrix below.
Can I use a Stormpath Framework Integration (like Express, Spring, ASP.NET) with Okta?
- We are updating the following framework integrations to help Stormpath customers move to Okta. Applications using Stormpath can upgrade their framework integrations to a version that will talk to the Okta API. Refer to the feature compatibility matrix below to confirm which features will map over to Okta.
  - Java Spring
  - Java Spring Boot
  - Node Express
  - ASP.NET 4.x
  - ASP.NET Core
- If you’re connecting to Stormpath with a different framework, you can still move to Okta but will need to integrate directly with the Okta API. Please contact [email protected] for assistance.
What if I am using a Stormpath client such as Angular, React, iOS, or Android?
- The client SDKs will continue working if you are using one of the server-side framework integrations that Stormpath is migrating over.
Can I use the Stormpath SDKs (like Java, C#, and Node.js) with Okta?
- We are not migrating the Stormpath SDKs to work with the Okta API. Together with the Okta team, we will develop robust, new SDKs for the Okta API, but these may not be available before Stormpath is shut down. Okta has a REST API that provides functionality similar to the Stormpath API. This can be used in the interim while new Okta SDKs are being developed.
What if I choose to change identity providers?
- You may utilize the Stormpath export tool regardless of how you choose to power identity in your application going forward.
Billing
What happens to my Stormpath subscription?
- You will continue to be billed by Stormpath until you cancel your subscription, which you can do at any time in the Stormpath admin console. If you have not canceled by 8/17/2017, your subscription will automatically cancel and your data will be securely deleted on that date.
I’ve pre-paid for more than 6 months of service. What happens to me?
- Please contact [email protected] and Kelsey will assist you with migration and contract resolution.
Is there a free version of Okta?
- Current Stormpath users can register for a free Okta Account at https://www.okta.com/developer/signup/stormpath.
- New Okta pricing plans are available for Stormpath users to explore at http://developer.okta.com/pricing-preview.
How much will it cost to use Okta in Production?
- Please visit http://developer.okta.com/pricing-preview/ for information on all available pricing plans.
Technical
Are you sharing my users’ information with Okta?
- Not without your consent. However, if you decide to migrate your user data into Okta, then it will be transferred in order to complete the migration.
Will the data export be secure?
- Security and reliability are our top priorities. Hashed passwords will be a component of your data export, to assist in seamless migration. Your data will be encrypted with AES256-CBC while it is being exported. The final data will be sent to you in an encrypted zip file that may be unlocked with a password you choose.
What happens to my data after Stormpath shuts down?
- The Stormpath API and servers will be shut down at noon PDT 8/17/2017. After that point, you will no longer have access to your data. Your data will be securely deleted.
Do I need to plan for downtime for my application?
- Yes. You will need to plan for some downtime when migrating a production Stormpath application to Okta. You will need to:
  - Pause your service in production.
  - Request an export of your Stormpath data.
  - Import your Stormpath data dump into Okta.
  - Update your production code to talk to Okta.
  - Resume running your service in production.
Will my users have to reset their passwords?
- No. If you choose to migrate to Okta, your Stormpath password hashes will be moved into your new Okta user accounts. This makes resetting your user passwords unnecessary.
Will OAuth tokens need to be refreshed?
- Yes. Once you’ve migrated your data to Okta, your users will be logged out and will need to re-login to your application. This is a one-time procedure that should not negatively affect user experience.
Compatibility Matrix
Feature | Available on Okta Today? | Additional Notes |
Protocols | ||
OAuth 2.0 | Yes | Okta supports the following grant_types: password, client_credentials, implicit, authorization_code |
OpenID Connect | Yes | Okta is a certified OpenID Connect Provider for the following profiles:
|
SAML | Yes | |
Active Directory | Yes, with Caveats | Active Directory Agents will need to be recreated in Okta. Okta supports read / write to Active Directory |
LDAP | Yes, with Caveats | LDAP Agents will need to be recreated in Okta. Okta supports read / write to LDAP |
Authentication Methods | ||
Username and Password | Yes | Via Password Grant |
Yes | ||
Yes | ||
Yes | ||
Github | No | |
No | ||
Social Generic OAuth 2.0 | No | |
SAML | Yes | IdP and SP initiated |
Active Directory | Yes, with Caveats | Active Directory Agents will need to be recreated in Okta. Okta supports read / write to Active Directory |
LDAP | Yes, with Caveats | LDAP Agents will need to be recreated in Okta. Okta supports read / write to LDAP |
API Key Authentication | Yes, with Caveats | During the migration, for each API Key (up to 10): The API Key ID & Secret are put into the next open slot on the Okta user profile (attribute is called “stormpathApiKey_[1-10]”). Its format should be {apiKey.id}:{apiKey.secret}. |
Multifactor Authentication | Yes, with Caveats | Factors will need to be recreated. Okta supports: TOTP, SMS, Voice, Security Questions, Mobile Push, and FIDO U2F. Okta supports geolocation policies for adaptive multifactor authentication. |
Features | ||
Custom Data | Yes, with Caveats | Okta supports additional attributes on the User object (account in Stormpath), with Okta’s Schema API. Attributes must be flat (no nested JSON), and are strongly typed. No custom data can be created on other resources in Okta. |
Custom Data Search | Yes, with Caveats | New query language must be used to perform search. Search only works against User objects. |
OAuth 2.0 Token Generation | Yes | |
OAuth 2.0 Token Revocation | Yes | |
OAuth 2.0 Token TTLs | Yes | |
Groups | Yes | |
Organizations | Yes, with Caveats | Okta Groups can be used to label organizational information. |
Customized Emails | Yes, with Caveats | Okta supports the following email templates: User Activation, Forgot Password, Password Reset by Admin, Unlock Account |
Custom SMTP Sender | Yes, with Caveats | While Stormpath supported any custom SMTP, Okta currently only supports SendGrid. |
Email Whitelist / Blacklist | No | |
Multi-tenancy | Yes, with Caveats | Okta will migrate organizations over by creating Okta groups with the “org:” prefix to keep the organizational mapping information. Individual users can only exist uniquely once per Okta tenant, so you cannot have multiple accounts with the same username or email. |
Password Strength Requirements | Yes, with Caveats | Okta does not support diacritics |
ID Site | No | Okta does not host login screens like ID site. You can, however, implement this functionality yourself by hosting a website that uses the Okta widget. |
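The API Key Authentication row above says migrated keys land in the profile attributes stormpathApiKey_1 through stormpathApiKey_10 as {apiKey.id}:{apiKey.secret}. The following is an added example, not code from Stormpath or Okta, showing how an application could check a presented key pair against those slots; it assumes the user profile has already been fetched and is available as a plain dict, and the function names and sample values are hypothetical.

```python
import hmac

# Slot names as given in the matrix: stormpathApiKey_1 .. stormpathApiKey_10.
SLOTS = [f"stormpathApiKey_{i}" for i in range(1, 11)]


def migrated_api_keys(profile):
    """Yield (slot, key_id, secret) for every well-formed slot in a profile."""
    for slot in SLOTS:
        value = profile.get(slot)
        if not isinstance(value, str):
            continue  # empty or missing slot
        # Split on the first ':' only; everything after it is the secret.
        key_id, sep, secret = value.partition(":")
        if sep and key_id and secret:
            yield slot, key_id, secret
        # Any other value is malformed and is never treated as a credential.


def verify_api_key(profile, presented_id, presented_secret):
    """Return the name of the matching slot, or None if the pair is invalid."""
    if not isinstance(presented_id, str) or not isinstance(presented_secret, str):
        return None
    matched = None
    for slot, key_id, secret in migrated_api_keys(profile):
        # compare_digest does not stop at the first differing byte, and every
        # slot is checked, so response time does not depend on which slot hit.
        id_ok = hmac.compare_digest(key_id.encode(), presented_id.encode())
        secret_ok = hmac.compare_digest(secret.encode(), presented_secret.encode())
        if id_ok and secret_ok and matched is None:
            matched = slot
    return matched


# Constructed sample profile (placeholder values, not real credentials).
SAMPLE_PROFILE = {
    "login": "jane@example.com",
    "stormpathApiKey_1": "EXAMPLEKEYID0001:example-secret-one",
    "stormpathApiKey_2": "EXAMPLEKEYID0002:example:secret:two",
    "stormpathApiKey_3": "no-separator-here",  # malformed: ignored
    "stormpathApiKey_4": None,                 # empty slot
}

if __name__ == "__main__":
    print(verify_api_key(SAMPLE_PROFILE, "EXAMPLEKEYID0001", "example-secret-one"))
    print(verify_api_key(SAMPLE_PROFILE, "EXAMPLEKEYID0001", "wrong-secret"))
```

Because the secret sits in the profile in recoverable form, read access to these attributes is equivalent to holding the API keys and should be scoped accordingly.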