Migrate from Okta-API-based auth to Okta-OIDC-based auth

What is the migration path to OIDC auth for an environment currently utilizing Okta-API-based auth?

The OIDC backend will still be Okta, so all our identity & group information will be the same.

We do not want to re-invent all our stuff and want to understand the best approach to migrating while retaining all of the groups and policies, as seamlessly as possible.

Please advise. Thanks!

Assuming you’re assigning policies with Identity, you can pre-add aliases to your entities that correspond to the OIDC mount. That way when people log in they will get the same entity attached to their token, and thus any policies from their entity or group memberships.

Outside of that, there is no migration path. They are totally separate plugins.
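The alias pre-seeding described in the reply above, sketched as an added example that is not part of the original thread: it plans the `identity/entity-alias` writes from entity data and flags the cases that need attention. The accessors, entity IDs and usernames are constructed, and it assumes the OIDC role's `user_claim` yields the same string as the Okta username unless `to_claim` says otherwise.

```python
# Added example: plan identity/entity-alias writes so existing entities are
# reused when users log in through the new OIDC mount.
# Accessors, entity IDs and usernames are constructed sample data.
OKTA_ACCESSOR = "auth_okta_11111111"  # constructed; real value comes from `vault auth list`
OIDC_ACCESSOR = "auth_oidc_22222222"  # constructed

# Shape follows the `aliases` list returned when reading identity/entity/id/<id>.
ENTITIES = [
    {"id": "ent-a", "aliases": [{"name": "alice@example.com", "mount_accessor": OKTA_ACCESSOR}]},
    {"id": "ent-b", "aliases": [{"name": "bob@example.com", "mount_accessor": OKTA_ACCESSOR},
                                {"name": "bob@example.com", "mount_accessor": OIDC_ACCESSOR}]},
    {"id": "ent-c", "aliases": [{"name": "svc-ci", "mount_accessor": "auth_approle_33333333"}]},
    {"id": "ent-d", "aliases": [{"name": "carol@example.com", "mount_accessor": OKTA_ACCESSOR}]},
    # Entity auto-created when carol logged in through OIDC before any alias was pre-added.
    {"id": "ent-e", "aliases": [{"name": "carol@example.com", "mount_accessor": OIDC_ACCESSOR}]},
]

def plan_oidc_aliases(entities, okta_accessor, oidc_accessor, to_claim=lambda u: u):
    """Return (writes, skipped); each write is a payload for identity/entity-alias.

    to_claim maps an Okta username to the value the OIDC role's user_claim
    carries. The identity default is an assumption and must match the role.
    """
    # Alias names already taken on the OIDC mount, keyed to the owning entity.
    claimed = {a["name"]: e["id"] for e in entities for a in e["aliases"]
               if a["mount_accessor"] == oidc_accessor}
    writes, skipped = [], []
    for ent in entities:
        by_mount = {a["mount_accessor"]: a["name"] for a in ent["aliases"]}
        if oidc_accessor in by_mount:
            skipped.append((ent["id"], "already has an alias on the OIDC mount"))
            continue
        if okta_accessor not in by_mount:
            skipped.append((ent["id"], "no Okta alias to carry over"))
            continue
        name = to_claim(by_mount[okta_accessor])
        if name in claimed:
            # An alias name on a given mount can belong to only one entity.
            skipped.append((ent["id"], f"alias name already held by {claimed[name]}"))
            continue
        claimed[name] = ent["id"]
        writes.append({"name": name, "canonical_id": ent["id"], "mount_accessor": oidc_accessor})
    return writes, skipped

if __name__ == "__main__":
    writes, skipped = plan_oidc_aliases(ENTITIES, OKTA_ACCESSOR, OIDC_ACCESSOR)
    for w in writes:
        print("vault write identity/entity-alias", *(f"{k}={v}" for k, v in w.items()))
    for ent_id, reason in skipped:
        print(f"# skipped {ent_id}: {reason}")
```

A skip of the "already held by" kind means a second entity exists for the same person; that pair has to be reconciled before the original entity's policies follow the OIDC login.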

@jeff - we are not using Identity. We do not have Entities established. Policies are assigned directly to Okta groups via the native Okta auth plugin.

Is it possible to directly assign policies to groups via OIDC auth? This is our goal…

Or is it required to establish entities and link OIDC external groups to internal groups?