Just-in-time migration using Password Import Hook and backup auth flow

We plan to migrate the users as and when they try to sign in to our system. For that we will use the Okta widget to route auth traffic to Okta directly and use the password import hook to migrate users in real time (just-in-time migration). But we plan to move the users to Okta in phases.
I had some specific questions in mind:

  • Do we require the user to be created in Okta before actually moving traffic to Okta and doing just-in-time migration?
  • Is there a way to programmatically create a new user in Okta when they try to log in via the Okta widget?
  • What happens if a user tries to log in via the Okta widget, their traffic comes to Okta, and the user is not created in Okta yet?
  • Does Okta have a backup flow to send traffic to our on-prem backend services for authentication in case the user is currently not created in Okta?
  • Does Okta redirect the traffic via hooks or something?
  • Does direct access to Okta work with such a flow, or do we need to create a SCIM application between Okta and the users to manage users who are not migrated to Okta?

The Password Import Hook is used strictly to bring a password over from another system into Okta. It cannot be used to import profiles. Often users might be imported from another system where their passwords are stored in a non-standard, non-reversible hash. In this case the user profiles are imported into Okta using the Password Inline Hook Import API call. This needs to be done before the user attempts a login. Since the password is not brought over, this particular import sets the account up to use a hook provided by the customer. On login attempts this hook is called; if the password the user enters is valid, the hook returns a verified message. Okta then hashes the password and saves it into our system, updating the user profile. The next time that user logs in, the hook will no longer be called.

There are multiple ways to do JIT with Okta. Either LDAP or AD integrations can be used, both supporting JIT. Any social IdP can be used with JIT, as well as SCIM.

Depending on the complexity of your setup, I recommend opening a case with support to get the best approach for your specific use case.
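The two halves of the flow Eric describes, written out as an added example (this is not code from the thread or from Okta): first, the body for the Users API call that creates the profile without a password and points its credential at the hook; second, the hook endpoint's logic, which checks the shared secret Okta is configured to send, verifies the submitted password against the legacy store, and answers with `com.okta.action.update` carrying `VERIFIED` or `UNVERIFIED`. The legacy store, its PBKDF2-SHA256 hash, the header name and the secret value are all constructed for the example; the only Okta-specific pieces are the `credentials.password.hook` shape on user creation and the request/response shape of the Password Import Inline Hook.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for the legacy user store. Legacy systems often hold a
# non-standard, non-reversible hash that Okta cannot import directly; here it is
# PBKDF2-SHA256 with a per-user salt, chosen only so the example runs offline.
def _legacy_hash(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

_ALICE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
LEGACY_USERS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {
        "salt": _ALICE_SALT.hex(),
        "hash": _legacy_hash("Correct-Horse-9", _ALICE_SALT),  # constructed sample
    },
}

# Assumption: the hook is registered in Okta with an HTTP header authentication
# secret; Okta then sends this header on every hook call. Name and value are
# placeholders for the example.
HOOK_AUTH_HEADER = "Authorization"
HOOK_AUTH_SECRET = "constructed-shared-secret"


def build_user_create_body(login: str, email: str, first: str, last: str) -> dict:
    """Body for POST /api/v1/users?activate=true.

    No password is imported; `credentials.password.hook` tells Okta to call the
    configured Password Import Inline Hook the first time this user signs in.
    """
    return {
        "profile": {"login": login, "email": email, "firstName": first, "lastName": last},
        "credentials": {"password": {"hook": {"type": "default"}}},
    }


def verify_legacy_password(username: str, password: str) -> bool:
    """Check the submitted password against the legacy store (constructed here)."""
    record = LEGACY_USERS.get(username)
    if record is None:
        return False  # unknown in the legacy system: never vouch for it
    candidate = _legacy_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def handle_password_import_hook(headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
    """Handle one Password Import Inline Hook call from Okta.

    Okta posts the cleartext credential under data.context.credential; the
    response is a single com.okta.action.update command. Anything that is not a
    positive match answers UNVERIFIED so Okta rejects the sign-in and keeps the
    hook attached for the next attempt. Never log `password` in a real handler.
    """
    if not hmac.compare_digest(headers.get(HOOK_AUTH_HEADER, ""), HOOK_AUTH_SECRET):
        return 401, {"error": "unauthorized"}  # a forged caller must not learn anything

    credential = body.get("data", {}).get("context", {}).get("credential", {})
    username = credential.get("username", "")
    password = credential.get("password", "")

    result = "VERIFIED" if verify_legacy_password(username, password) else "UNVERIFIED"
    return 200, {
        "commands": [{"type": "com.okta.action.update", "value": {"credential": result}}]
    }


if __name__ == "__main__":
    sample_request = {
        "data": {
            "context": {"credential": {"username": "alice@example.com", "password": "Correct-Horse-9"}},
            "action": "UNVERIFIED",
        }
    }
    print(build_user_create_body("alice@example.com", "alice@example.com", "Alice", "Example"))
    print(handle_password_import_hook({HOOK_AUTH_HEADER: HOOK_AUTH_SECRET}, sample_request))
```

The ordering matters for the original question: `build_user_create_body` has to be sent to Okta for a user before that user's traffic reaches the widget, because the hook only runs for an existing Okta account whose credential is marked as hook-backed. After Okta receives `VERIFIED` once, it stores its own hash and stops calling the hook for that user, so the legacy backend can be retired per user rather than all at once.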

Thanks, Eric. If I understand correctly, you are saying that for the use case listed here https://www.okta.com/resources/whitepaper/okta-user-migration-guide/#jit-from-existing-database-15, we cannot use the password import hook but need to have a SCIM application. And our client applications will need to talk to the SCIM application rather than directly to the Okta endpoints.
Is this the right understanding?
Any other options to do the live migration without the hooks? Thanks again.