Additional information about each of the key dates is included below.

1/16/2025 - Okta cutover for non-production environments

To help ensure that access to your applications is retained during the move to Okta, IAM will update all HarvardKey-integrated non-production registrations (P-1 and below) to use Okta for authentication. This migration of non-production environments offers a valuable opportunity for you to help us ensure that your application continues to operate as expected when we switch HarvardKey to Okta on 2/11/25.

If you need to request an exception for one of your applications’ non-production environments, please notify us by emailing iam_help@harvard.edu and include the subject line: “HarvardKey non-production environment exception request.”

User Impact

As of the cutover, users accessing your non-production environments will see a new HarvardKey sign in page hosted by Okta. The first time an active Duo user accesses an application using this sign in page they will be prompted to link their existing Duo account to Okta by accepting a standard Duo push.

If there is a strong business reason why one of your non-production environments should not be included in the initial cutover and you would like to request an exception to delay until the production cutover, please email iam_help@harvard.edu and include the subject line: “HarvardKey non-production environment exception request”

Changes to handling MFA and SSO enabled configurations

With the move to Okta IAM will offer 3 security tier options to address varying needs around requiring MFA, restricting the types of MFA available to users (e.g., disallow SMS/phone), and requiring a user to sign in every time they access an application. If your current configuration aligns with one of the new security tiers, no action will be required. If your current configuration does not align with the new tiers, IAM will reach out to you with additional details.

1/14/25 - 2/11/25 - Change freeze for HarvardKey registrations

To ensure a smooth transition from our existing HarvardKey authentication service to Okta, IAM will institute a change freeze for HarvardKey registrations in our current infrastructure following the standard IdP release on Tuesday, January 14, 2025 and ending following the cutover on Tuesday, February 26, 2025. During this time, requests to add or modify applications integrated with the current HarvardKey infrastructure will be suspended. New HarvardKey registrations in Okta will continue to be processed during this window.

If you have a registration that must be updated prior to February 26th due to time-sensitive circumstances, for example, to replace an expiring certificate or support rollout of a new service, please email iam_help@harvard.edu for assistance.

2/6/25 - Optional Production Pilot Testing Session

IAM is hosting an optional testing session on Thursday, February 6th, from 7:00-9:00 AM to allow application teams to validate the authentication for production HarvardKey-integrated applications. During this limited testing window, participating applications will have an “Or sign-in with OKTA PILOT” link temporarily added to your application’s HarvardKey sign-in screen, allowing you to validate the Okta sign-in experience.

If you are the registration manager for one or more HarvardKey-integrated applications and would like to participate in this 2-hour testing window, please send an email to iam_help@harvard.edu with the subject “Okta Migration Production Pilot Session” and include the registration number(s) you would like us to include in the testing session.

We strongly encourage application teams with third-party integrations, such as Outlook plugins, that require HarvardKey authentication to participate in this session.

For application teams interested in adding “Or sign-in with OKTA PILOT” as a secondary sign-in option on their production environment until the Okta cutover, we are happy to accommodate requests outside of this limited testing window. Please send an email to iam_help@harvard.edu with the subject “Request for non-exclusive delegation to Okta” and include the registration number(s) to which you’d like to add the link.

2/26/25 - Okta cutover for HarvardKey in production

On Thursday, February 26th, 2025, IAM will delegate authentication for all HarvardKey registrations to Okta and all HarvardKey users will see a new sign in page. As noted above, the first time an active Duo user accesses an application using this sign in page they will be prompted to link their existing Duo account to Okta by accepting a standard Duo push.

Following the production cutover, application teams are asked to sign in to all production environments and report any issues immediately. Additional information about the production cutover including a Zoom bridge will be provided in a future message.

February 2025 - August 2026 - Okta migration

For the initial Okta cutover IAM will be delegating authentication from the current HarvardKey infrastructure to Okta. In order to retire the existing infrastructure and achieve the full benefits of Okta’s authentication services all applications integrated with the legacy infrastructure must migrate to integrate directly with Okta. This migration effort will start in earnest following the Okta cutover in February 2025 and continue through the summer of 2026. The IAM team will partner with application teams to complete the migration. Additional information about the migration process will be sent to application teams following the Okta cutover.

Reporting Issues with HarvardKey Integrations

Registration managers for HarvardKey-integrated applications should report any issues to IAM by sending an email to iam_help@harvard.edu, and providing the following information:

• Registration ID

• URL to access the login screen (to allow validation)