Migrating from Okta
Comprehensive guide to migrate your application from Okta to Signia while maintaining security and user access.
Why Migrate to Signia?
Advantages Over Okta
- 💰 Cost-effective - Lower pricing, especially for SMBs
- 🔐 Passwordless-first - WebAuthn/Passkeys native
- 🎨 Modern UX - Better developer and end-user experience
- 🌐 Web3-ready - Blockchain identity integration
- 🚀 Faster implementation - Simpler SDK and APIs
Migration Overview
Migration Paths
1. Gradual Migration (Recommended)
- Parallel operation of Okta and Signia
- Incremental user migration
- Low risk, zero downtime
- Can take several weeks
2. Direct Cutover
- Switch all users simultaneously
- Requires maintenance window
- Faster overall process
- Higher risk
Pre-Migration Assessment
1. Inventory Your Okta Setup
Document your current configuration:
Applications:
- Web applications (OAuth/OIDC)
- Single-page applications (SPA)
- Mobile applications
- API services
- Legacy SAML apps
Identity Sources:
- Okta Universal Directory
- Active Directory
- LDAP Directory
- HR systems (Workday, BambooHR)
Authentication:
- Password policies
- MFA configuration (Okta Verify, SMS, etc.)
- Social providers (Google, Microsoft, etc.)
- Federation (SAML IdP)
Customizations:
- Okta Expression Language rules
- Custom attributes
- Group rules
- Sign-on policies
- Custom branding
2. Export Data from Okta
User Export
# Using Okta API
curl -X GET \
'https://YOUR_DOMAIN.okta.com/api/v1/users?limit=200' \
-H 'Authorization: SSWS YOUR_API_TOKEN'
Export includes:
- User profiles
- Email addresses
- Custom attributes
- Group memberships
- Status (active, suspended, etc.)
Application Export
# List all applications
curl -X GET \
'https://YOUR_DOMAIN.okta.com/api/v1/apps' \
-H 'Authorization: SSWS YOUR_API_TOKEN'
Step-by-Step Migration
Phase 1: Setup Signia
1. Create Signia Tenant
- Sign up at signiaid.com
- Create your organization
- Note tenant URL: yourorg.signiaauth.com
2. Configure Applications
For each Okta application:
Okta Application Settings:
Application Name: My App
Sign-on method: OIDC - OpenID Connect
Application type: Web Application
Login redirect URIs: https://myapp.com/authorization-code/callback
Equivalent Signia Configuration:
Name: My App
Type: Web Application
Login Redirect URL: https://myapp.com/oidc-callback
Scopes: openid, profile, email
Mapping Table:
| Okta | Signia |
|---|---|
| Okta Domain | Issuer: https://yourorg.signiaauth.com |
| Client ID | Client ID (new) |
| Client Secret | Client Secret (new) |
| Login redirect URIs | Login Redirect URL |
| Sign-on method | Always OIDC |
| Trusted Origins | CORS configuration |
Phase 2: Update Application Code
Okta SDK (Before)
React:
import { OktaAuth } from '@okta/okta-auth-js';
import { Security } from '@okta/okta-react';
const oktaAuth = new OktaAuth({
  issuer: 'https://YOUR_DOMAIN.okta.com/oauth2/default',
  clientId: 'OKTA_CLIENT_ID',
  redirectUri: window.location.origin + '/login/callback'
});
<Security oktaAuth={oktaAuth}>
  <App />
</Security>
Node.js:
import { ExpressOIDC } from '@okta/oidc-middleware';
const oidc = new ExpressOIDC({
  issuer: 'https://YOUR_DOMAIN.okta.com/oauth2/default',
  client_id: 'OKTA_CLIENT_ID',
  client_secret: 'OKTA_CLIENT_SECRET',
  appBaseUrl: 'http://localhost:3000',
  redirect_uri: 'http://localhost:3000/authorization-code/callback',
  scope: 'openid profile email'
});
Signia SDK (After)
React:
import { SigniaAuthProvider } from '@getsignia/signia-auth-ui-react';
<SigniaAuthProvider config={{
  clientId: 'SIGNIA_CLIENT_ID',
  redirectUri: 'http://localhost:3000/oidc-callback',
  issuer: 'https://yourorg.signiaauth.com',
  scopes: ['openid', 'profile', 'email']
}}>
  <App />
</SigniaAuthProvider>
Node.js:
import { OIDCClient } from '@getsignia/signia-auth-sdk';
const oidcClient = new OIDCClient({
  clientId: process.env.SIGNIA_CLIENT_ID,
  clientSecret: process.env.SIGNIA_CLIENT_SECRET,
  redirectUri: 'http://localhost:3000/oidc-callback',
  issuer: 'https://yourorg.signiaauth.com',
  scopes: ['openid', 'profile', 'email']
});
API/Hook Mapping
| Okta | Signia |
|---|---|
| useOktaAuth() | useSigniaAuth() |
| authState.isAuthenticated | isAuthenticated |
| authState.isPending | isLoading |
| authState.idToken | user (decoded) |
| authState.accessToken | client.getAccessToken() |
| oktaAuth.signInWithRedirect() | client.login() |
| oktaAuth.signOut() | client.logout() |
| oktaAuth.getUser() | user |
| oktaAuth.tokenManager.get() | client.getAccessToken() |
Example Code Changes
Before (Okta):
import { useOktaAuth } from '@okta/okta-react';
function Profile() {
  const { oktaAuth, authState } = useOktaAuth();
  const login = async () => oktaAuth.signInWithRedirect();
  const logout = async () => oktaAuth.signOut();
  if (!authState || authState.isPending) {
    return <div>Loading...</div>;
  }
  if (!authState.isAuthenticated) {
    return <button onClick={login}>Log in</button>;
  }
  return (
    <div>
      <h2>Welcome, {authState.idToken?.claims.name}</h2>
      <button onClick={logout}>Log out</button>
    </div>
  );
}
After (Signia):
import { useSigniaAuth, LoginButton, LogoutButton } from '@getsignia/signia-auth-ui-react';
function Profile() {
  const { user, isAuthenticated, isLoading } = useSigniaAuth();
  if (isLoading) {
    return <div>Loading...</div>;
  }
  if (!isAuthenticated) {
    return <LoginButton />;
  }
  return (
    <div>
      <h2>Welcome, {user?.name}</h2>
      <LogoutButton />
    </div>
  );
}
Phase 3: User Migration
Option 1: Fresh Registration (Recommended)
Benefits:
- Users adopt WebAuthn/Passkeys (passwordless)
- Clean migration
- Enhanced security
- Better UX
Process:
- Export user list from Okta
- Send invitations via Signia dashboard
- Users register with passkeys
- Link accounts if needed (same email)
Bulk Invitation:
# Prepare CSV: email, name
curl -X POST https://api.signiaid.com/v1/users/invite \
-H "Authorization: Bearer YOUR_TOKEN" \
-F "file=@users.csv"
Option 2: Parallel Authentication
Run both Okta and Signia:
// Feature flag approach
function AuthRoot() {
  // Hooks must be called inside a component
  const authProvider = useFeatureFlag('use-signia') ? 'signia' : 'okta';
  if (authProvider === 'signia') {
    return (
      <SigniaAuthProvider client={signiaClient}>
        <App />
      </SigniaAuthProvider>
    );
  }
  return (
    <Security oktaAuth={oktaAuth}>
      <App />
    </Security>
  );
}
Phase 4: Enterprise Connections
Active Directory Integration
Okta Configuration:
Directory Integration: Active Directory
Authentication: Username/Password
Provisioning: JIT or scheduled
Signia Configuration (Enterprise):
Coming soon: LDAP/AD Connector
Alternative: SAML federation
Interim: Invite users with email
Migration Path:
- Use SAML federation (if available)
- Map AD groups to Signia roles
- Provision users via API
- Enable JIT provisioning
SAML Applications
For SAML-only apps:
- Configure Signia as SAML IdP (Enterprise feature)
- Export SAML metadata from Signia
- Update service provider configuration
- Test SAML flow
Alternatively: Keep Okta for SAML apps initially, migrate OIDC apps to Signia first.
Phase 5: API Authorization
Update JWT Verification
Okta:
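const OktaJwtVerifier = require('@okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: 'https://YOUR_DOMAIN.okta.com/oauth2/default',
  clientId: 'OKTA_CLIENT_ID'
});
app.use(async (req, res, next) => {
  try {
    // Expect "Authorization: Bearer <token>"
    const token = req.headers.authorization?.split(' ')[1];
    // verifyAccessToken rejects on a missing, expired or badly signed token
    const jwt = await oktaJwtVerifier.verifyAccessToken(token, 'api://default');
    req.user = jwt.claims;
    next();
  } catch (err) {
    // Fail closed instead of leaving the rejection unhandled
    res.status(401).send('Unauthorized');
  }
});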
Signia:
import { expressjwt } from 'express-jwt';
import jwksRsa from 'jwks-rsa';
const checkJwt = expressjwt({
  secret: jwksRsa.expressJwtSecret({
    jwksUri: 'https://yourorg.signiaauth.com/.well-known/jwks.json'
  }),
  audience: 'YOUR_CLIENT_ID',
  issuer: 'https://yourorg.signiaauth.com',
  algorithms: ['RS256']
});
app.use('/api', checkJwt);
Key Changes:
- Update `issuer` to Signia domain
- Update `jwksUri` to Signia endpoint
- Update `audience` to Signia client ID
- Remove Okta-specific verifier
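On the gradual migration path an API receives access tokens from both issuers until cutover. The following is an added example, not Okta's or Signia's own code, of a verifier that accepts either issuer while keeping key, audience and algorithm tied to the issuer that minted the token. It assumes locally generated RSA keys in place of each provider's JWKS, and `verifyDualIssuer`, `mint` and `TRUSTED` are names invented here.

```javascript
const crypto = require('crypto');

// Constructed key pairs standing in for the signing keys behind each provider's JWKS.
const oktaKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signiaKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// One trust entry per issuer: that issuer's key and the audience it mints for this API.
const TRUSTED = new Map([
  ['https://YOUR_DOMAIN.okta.com/oauth2/default', { key: oktaKeys.publicKey, aud: 'api://default' }],
  ['https://yourorg.signiaauth.com', { key: signiaKeys.publicKey, aud: 'YOUR_CLIENT_ID' }],
]);

const b64u = (s) => Buffer.from(s).toString('base64url');

// Helper for building sample tokens; `alg` only changes the header, to craft bad inputs.
function mint(privateKey, claims, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

function verifyDualIssuer(token, now = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const [h, p, s, ...rest] = String(token).split('.');
  if (!h || !p || !s || rest.length) return fail('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return fail('malformed');
  }
  // Pin the algorithm before touching any key: no "none", no HMAC with a public key.
  if (header?.alg !== 'RS256') return fail('alg');
  // The unverified iss only selects which key to try; the signature check binds it.
  const trust = TRUSTED.get(claims?.iss);
  if (!trust) return fail('issuer');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), trust.key, Buffer.from(s, 'base64url'))) {
    return fail('signature');
  }
  // Audience is checked against the entry for this issuer, never against a shared list.
  if (![].concat(claims.aud).includes(trust.aud)) return fail('audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  return { ok: true, claims };
}
```

Once the Okta tenant is deactivated, deleting its entry from the trust table is what ends acceptance of Okta-issued tokens.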
Phase 6: Groups and Roles
Okta Groups
Export groups:
curl -X GET \
'https://YOUR_DOMAIN.okta.com/api/v1/groups' \
-H 'Authorization: SSWS YOUR_API_TOKEN'
Signia Roles
Create equivalent roles:
- In Signia dashboard, go to Settings → Roles
- Create roles matching Okta groups:
  Okta: "Engineering", "Marketing", "Admin"
  Signia: "engineering", "marketing", "admin"
- Assign roles during user migration
Include roles in tokens:
// Custom claims (coming soon)
const user = await signia.getUser();
const roles = user.metadata.roles;
// Include in API responses
res.json({ ...data, roles });
Phase 7: Testing
Test Checklist
Authentication:
- Login with Signia works
- Logout works
- Session persistence works
- Token refresh works
- Concurrent sessions work
Authorization:
- API authentication works
- Protected routes work
- Role-based access works
- Group membership correct
User Experience:
- Login UX acceptable
- Passkey registration smooth
- Biometric login works
- Cross-device sync works
Edge Cases:
- Expired token handling
- Network errors handled
- Invalid credentials handled
- Account lockout works
Phase 8: Gradual Rollout
Week-by-Week Plan
Week 1: Internal Testing
- Migrate internal users (10-20 people)
- Test all features thoroughly
- Gather feedback
- Fix any issues
Week 2-3: Beta Users
- Invite 5-10% of users
- Monitor closely
- Address issues quickly
- Refine processes
Week 4-6: Gradual Expansion
- 25% of users (week 4)
- 50% of users (week 5)
- 75% of users (week 6)
Week 7: Full Migration
- Remaining 25%
- Deprecation notice for Okta
- Final cutover
Week 8: Cleanup
- Deactivate Okta tenant
- Export final data
- Archive Okta configuration
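For the weekly percentages to work with the feature-flag approach from Phase 3, a user who has moved to Signia has to stay there as the percentage grows. The following is an added example, not part of the Signia SDK, of stable percentage bucketing. It assumes the flag is decided from the user's email as found in the Okta export, and `bucket`, `authProviderFor`, `cohort`, `STAGES` and the salt value are hypothetical names.

```javascript
const crypto = require('crypto');

// Cumulative rollout percentages from the week-by-week plan (beta uses its upper bound).
const STAGES = { beta: 10, week4: 25, week5: 50, week6: 75, week7: 100 };

// Stable bucket in [0, 10000) from a salted hash of the normalised email.
// The salt is an assumed per-rollout constant; changing it reshuffles every user.
function bucket(email, salt = 'use-signia') {
  const id = email.trim().toLowerCase();
  return crypto.createHash('sha256').update(`${salt}:${id}`).digest().readUInt32BE(0) % 10000;
}

// A user is on Signia once their bucket falls below the current percentage,
// so raising the percentage only adds users and never moves one back to Okta.
function authProviderFor(email, percent) {
  return bucket(email) < percent * 100 ? 'signia' : 'okta';
}

// Split an exported user list into the users to invite at this stage and the rest.
function cohort(emails, percent) {
  const out = { signia: [], okta: [] };
  for (const e of emails) out[authProviderFor(e, percent)].push(e);
  return out;
}

// Constructed sample list standing in for the Okta user export.
const sample = Array.from({ length: 1000 }, (_, i) => `user${i}@example.com`);
```

Running `cohort(sample, STAGES.week4)` and then `cohort(sample, STAGES.week5)` gives the invitation list for each week; the difference between the two `signia` lists is the set of users to invite in week 5.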
Phase 9: Post-Migration
Deactivate Okta
- Export final data (7-day retention)
- Cancel Okta subscription
- Delete Okta tenant (after backup)
- Update documentation
- Notify stakeholders
Monitor Health
Track for 30 days:
- Login success rate (target: >99%)
- Error rates (target: <0.1%)
- User complaints (target: <5)
- Support tickets (trend down)
- Performance metrics (latency, uptime)
Feature Comparison
Okta vs Signia
| Feature | Okta | Signia | Notes |
|---|---|---|---|
| Password Auth | ✅ | ❌ | Signia is passwordless-only |
| WebAuthn/Passkeys | ✅ | ✅ | Native in Signia |
| Social Login | ✅ | ✅ Partial | Google, GitHub supported |
| SAML | ✅ | 🚧 Enterprise | Coming soon |
| LDAP/AD | ✅ | 🚧 Enterprise | Planned |
| MFA | ✅ Okta Verify | ✅ Built-in | Passkeys are inherently MFA |
| Custom Domains | ✅ | ✅ Enterprise | |
| API Access Mgmt | ✅ | ✅ | |
| User Management | ✅ | ✅ | |
| Group Rules | ✅ | ✅ | Via roles |
| Hooks | ✅ | 🚧 | Coming soon |
| Workflows | ✅ | ❌ | Not planned |
| ThreatInsight | ✅ | 🚧 | Anomaly detection planned |
Common Issues
Issue: "Cannot use password login"
Cause: Signia is passwordless-only
Solution:
- Users must register passkeys
- Support WebAuthn in all browsers
- Provide clear onboarding
Issue: "Groups not syncing"
Cause: No automatic AD sync yet
Solution:
- Manually assign roles in Signia
- Use API for bulk assignment
- Wait for AD connector (enterprise)
Issue: "SAML app not working"
Cause: SAML IdP not configured
Solution:
- Use Okta for SAML apps temporarily
- Contact Signia for enterprise SAML
- Migrate to OIDC if possible
Issue: "Custom claims missing"
Cause: Okta Expression Language rules not migrated
Solution:
- Use user metadata in Signia
- Include claims via API
- Wait for hooks feature
Cost Comparison
Okta Pricing (Workforce Identity)
- Free: 15 apps, 5 groups
- Starter: $2/user/month (100 users min)
- Enterprise: $8+/user/month
- Typical: $5-10/user/month at scale
Signia Pricing
- Free: 10,000 MAU
- Startup: $0.02/MAU
- Business: Volume discounts
- Enterprise: Custom
Example Savings:
- 1,000 users: $60/month vs $5,000/month (Okta)
- 10,000 users: $200/month vs $80,000/month (Okta)
- Potential Savings: 85-95%
Support Resources
During Migration
- Documentation: docs.signiaid.com
- Support: support@signiaid.com
- Community: Discord server
- Migration Guide: This document
Enterprise Support
Contact sales@signiaid.com for:
- Dedicated migration engineer
- Custom integration support
- Priority support queue
- On-site assistance (if needed)
Next Steps
- Quick Start Guide - Get started
- React SDK - Frontend integration
- Security Best Practices - Secure your app
- Dashboard Guide - Admin portal
Migration Checklist
Pre-Migration
- Document Okta configuration
- Export user data
- Export group data
- List all applications
- Review dependencies
Setup
- Create Signia tenant
- Configure applications
- Set up development environment
- Update application code
- Test locally
Migration
- Invite pilot users
- Test authentication flows
- Validate API authorization
- Gradual user rollout
- Monitor metrics
Post-Migration
- Full user migration complete
- Okta data exported
- Okta tenant deactivated
- Documentation updated
- Team trained