Stormpath-Okta Customer FAQ

Stormpath has joined Okta! This FAQ is intended to help Stormpath customers and users understand the impact to their applications and how to get help with migrating their applications.

Overview

What’s happening?

What level of service and support will Stormpath users get within 6 months?

Migration

Can I get my data out of Stormpath?

  • The Stormpath team is working on tools to automate export of data from your Stormpath tenant, including password hashes. We are targeting availability by the end of April and will keep you informed via email when it becomes available.

What is Okta?

  • Much like Stormpath, Okta is an Identity API for Developers, offering authentication, authorization, and API access management for web, mobile, and API services. You can learn more or sign up for a free account at https://www.okta.com/developer/signup/stormpath

How do I migrate my service to Okta?

Will Okta provide the same features I use in Stormpath today?

  • Many of our features overlap. With Okta you can perform authentication, authorization, social logins, two-factor authentication, SSO across apps, AD/LDAP integration, email customization, SAML integration, and much more. For a more detailed breakdown of feature support, please refer to our compatibility matrix below.

Can I use a Stormpath Framework Integration (like Express, Spring, ASP.NET) with Okta?

  • We are updating the following framework integrations to help Stormpath customers move to Okta. Applications using Stormpath can upgrade their framework integrations to a version that talks to the Okta API. Refer to the feature compatibility matrix below to confirm which features will map over to Okta.
    • Java Spring
    • Java Spring Boot
    • Node Express
    • ASP.NET 4.x
    • ASP.NET Core
  • If you’re connecting to Stormpath with a different framework, you can still move to Okta but will need to integrate directly with the Okta API. Please contact [email protected] for assistance.

What if I am using a Stormpath client such as Angular, React, iOS, or Android?

  • The client SDKs will continue working if you are using one of the server-side framework integrations that Stormpath is migrating over.

Can I use the Stormpath SDKs (like Java, C#, and Node.js) with Okta?

  • We are not migrating the Stormpath SDKs to work with the Okta API. Together with the Okta team, we will develop robust, new SDKs for the Okta API, but these may not be available before Stormpath is shut down. Okta has a REST API that provides functionality similar to the Stormpath API. This can be used in the interim while new Okta SDKs are being developed.

What if I choose to change identity providers?

  • We are targeting availability of export tools for all Stormpath users by the end of April, regardless of how you choose to power identity in your application going forward.
  • We firmly believe that going forward, Okta is the only Identity API for Developers that offers the security and reliability we would build a business on. Our top priority is to provide a smooth, simple transition for Stormpath users to the Okta platform. We’ve worked closely with the Okta team to make affordable pricing options available to all Stormpath users, in addition to the migration tooling.

Billing

What happens to my Stormpath subscription?

  • You will continue to be billed by Stormpath until you cancel your subscription, which you can do at any time in the Stormpath admin console. If you have not canceled by 8/17/2017, your subscription will automatically cancel and your data will be securely deleted on that date.

I’ve pre-paid for more than 6 months of service. What happens to me?

Is there a free version of Okta?

  • Yes! Okta has a free developer edition you can start exploring today at https://www.okta.com/developer/signup/stormpath.
  • Okta is also working on a new version of the Okta developer platform that is customized for existing Stormpath customers. Stormpath customers will be notified separately when this is available.

How much will it cost to use Okta in Production?

  • Stormpath users with a free developer account can continue to use Okta for free. Forever.
  • Stormpath is reaching out to Enterprise customers to explain the options available for migrating to the Okta developer platform along with custom pricing.
  • For paid users of the Stormpath Public API, Okta is working on a free version of the Okta developer platform that will be customized for Stormpath customers. You will be notified directly when this is available.

Technical

Are you sharing my users’ information with Okta?

  • Not without your consent. However, if you decide to migrate your user data into Okta, then it will be transferred in order to complete the migration.

Will the data export be secure?

  • Security and reliability are our top priorities. Hashed passwords will be a component of your data export, to assist in seamless migration. Your data will be encrypted with AES256-CBC while being exported. The final data will be sent to you in an encrypted zip file that may be unlocked with a password you choose.

What happens to my data after Stormpath shuts down?

  • The Stormpath API and servers will be shut down at noon PDT 8/17/2017. After that point, you will no longer have access to your data. Your data will be securely deleted.

Do I need to plan for downtime for my application?

  • Yes. You will need to plan for some downtime when migrating a production Stormpath application to Okta. You will need to:
    • Pause your service in production.
    • Request an export of your Stormpath data.
    • Import your Stormpath data dump into Okta.
    • Update your production code to talk to Okta.
    • Resume running your service in production.

Will my users have to reset their passwords?

  • No. If you choose to migrate to Okta, your Stormpath password hashes will be moved into your new Okta user accounts. This makes resetting your user passwords unnecessary.

Will OAuth tokens need to be refreshed?

  • Yes. Once you’ve migrated your data to Okta, your users will be logged out and will need to re-login to your application. This is a one-time procedure that should not negatively affect user experience.
     
     
     

Compatibility Matrix

 

| Feature | Available on Okta Today? | Additional Notes |
|---|---|---|
| Protocols | | |
| OAuth 2.0 | Yes | Okta supports the following grant_types: password, client_credentials, implicit, authorization_code |
| OpenID Connect | Yes | Okta is a certified OpenID Connect Provider for the following profiles: Basic OP, Implicit OP, Hybrid OP, Config OP |
| SAML | Yes | |
| Active Directory | Yes, with Caveats | Active Directory Agents will need to be recreated in Okta. Okta supports read / write to Active Directory |
| LDAP | Yes, with Caveats | LDAP Agents will need to be recreated in Okta. Okta supports read / write to LDAP |
| Authentication Methods | | |
| Username and Password | Yes | Via Password Grant |
| Facebook | Yes | |
| Google | Yes | |
| LinkedIn | Yes | |
| GitHub | No | |
| Twitter | No | |
| Social Generic OAuth 2.0 | No | |
| SAML | Yes | IdP and SP initiated |
| Active Directory | Yes, with Caveats | Active Directory Agents will need to be recreated in Okta. Okta supports read / write to Active Directory |
| LDAP | Yes, with Caveats | LDAP Agents will need to be recreated in Okta. Okta supports read / write to LDAP |
| API Key Authentication | Yes, with Caveats | During migration, a user will be created in Okta with the API key ID in the login field and the API key secret as the password. Integrations will be updated to use the password grant type for these credentials |
| Multifactor Authentication | Yes, with Caveats | Factors will need to be recreated. Okta supports: TOTP, SMS, Voice, Security Questions, Mobile Push, and FIDO U2F. Okta supports geolocation policies for adaptive multifactor authentication. |
| Features | | |
| Custom Data | Yes, with Caveats | Okta supports additional attributes on the User object (account in Stormpath), with Okta’s Schema API. Attributes must be flat (no nested JSON), and are strongly typed. No custom data can be created on other resources in Okta. |
| Custom Data Search | Yes, with Caveats | New query language must be used to perform search. Search only works against User objects. |
| OAuth 2.0 Token Generation | Yes | |
| OAuth 2.0 Token Revocation | Yes | |
| OAuth 2.0 Token TTLs | Yes | |
| Groups | Yes | |
| Organizations | Yes, with Caveats | Okta Groups can be used to label organizational information. |
| Customized Emails | Yes, with Caveats | Okta supports the following email templates: User Activation, Forgot Password, Password Reset by Admin, Unlock Account |
| Custom SMTP Sender | No | |
| Email Whitelist / Blacklist | No | |
| Multi-tenancy | Yes, with Caveats | Okta will migrate organizations over by creating Okta groups with the “org:” prefix to keep the organizational mapping information. Individual users can only exist uniquely once per Okta tenant, so you cannot have multiple accounts with the same username or email. |
| Password Strength Requirements | Yes, with Caveats | Okta does not support diacritics |
| ID Site | No | Okta does not host login screens like ID site. You can, however, implement this functionality yourself by hosting a website that uses the Okta widget. |
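
A pre-migration check for the Custom Data and Multi-tenancy caveats in the matrix, added here as an example (it is not Stormpath or Okta code). The account record layout and field names are assumptions, since this page does not describe the export format.

```python
from collections import defaultdict

# Constructed sample; field names are assumptions, not the real export schema.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "email": "alice@example.com", "org": "acme",
     "customData": {"plan": "gold", "seats": 5}},
    {"username": "alice", "email": "alice@example.com", "org": "globex",
     "customData": {"plan": "free", "seats": "3"}},
    {"username": "bob", "email": "bob@example.com", "org": "acme",
     "customData": {"address": {"city": "Oslo"}}},
]


def is_nested(value):
    """True for a JSON object, or an array that holds objects or arrays."""
    if isinstance(value, dict):
        return True
    return isinstance(value, list) and any(
        isinstance(item, (dict, list)) for item in value)


def audit(accounts):
    """Check an export against the Custom Data and Multi-tenancy caveats."""
    logins = defaultdict(set)  # username or email -> indexes of accounts
    types = defaultdict(set)   # customData key -> value types seen
    nested = []                # (username, key) pairs that are not flat
    for index, acct in enumerate(accounts):
        for login in (acct["username"].lower(), acct["email"].lower()):
            logins[login].add(index)
        for key, value in acct.get("customData", {}).items():
            if is_nested(value):
                nested.append((acct["username"], key))
            else:
                types[key].add(type(value).__name__)
    return {
        # A login may exist once per tenant: these need merging or renaming.
        "duplicates": {login: sorted(accounts[i]["org"] for i in hits)
                       for login, hits in logins.items() if len(hits) > 1},
        # Attributes must be flat: these need flattening before import.
        "nested": sorted(nested),
        # Attributes are strongly typed: these keys need one agreed type.
        "mixed_types": {key: sorted(seen) for key, seen in types.items()
                        if len(seen) > 1},
        # Organizations are kept as groups with the "org:" prefix.
        "groups": sorted({"org:" + acct["org"] for acct in accounts}),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS).items():
        print(name, finding)
```

Running the audit before requesting the import shows which accounts would collide in a single Okta tenant and which custom data keys need reshaping.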