Migration Strategies

IAM/PAM migrations are among the highest-risk infrastructure projects an organisation can undertake. A failed IdP migration can lock users out of all applications. A failed PAM migration can block all administrative access. Successful migrations require careful planning, phased execution, robust rollback plans, and extensive testing.

Migration Types

| Migration Type | Complexity | Risk Level | Typical Duration |
|---|---|---|---|
| Directory migration (AD → AD) | High | High | 6-18 months |
| IdP migration (Okta → Azure AD) | High | Very High | 6-12 months |
| PAM migration (CyberArk → BeyondTrust) | High | High | 6-12 months |
| On-prem → cloud IdP | Medium-High | High | 3-9 months |
| IGA platform migration | Medium-High | Medium | 6-12 months |
| MFA provider migration | Medium | Medium | 2-6 months |
| Protocol upgrade (Kerberos → SAML) | Low-Medium | Low-Medium | 1-4 months |

Migration Strategies

Big Bang (Cutover)

All users and systems are migrated simultaneously in a planned cutover event.

| Aspect | Consideration |
|---|---|
| When to use | Small organisation (< 500 users), simple application landscape, weekend maintenance window |
| Duration | Hours to days |
| Pros | Simple planning, no coexistence complexity |
| Cons | Highest risk, all-or-nothing, single point of failure |
| Rollback | Simple: restore previous system from backup |
| User impact | Outage during cutover window |
| Testing | Pre-cutover lab testing, limited user acceptance testing |

Phased Migration

Users, applications, or systems are migrated in phases over weeks or months.

| Phase Approach | Description | Use Case |
|---|---|---|
| Pilot → Group → All | Start with IT team, then early adopters, then all users | IdP migration, MFA migration |
| Application by application | Migrate one application at a time | SSO/IdP migration |
| Geography by geography | Migrate one region/office at a time | Directory migration |
| Business unit by business unit | Migrate one division at a time | IGA platform migration |
| Capability by capability | Auth-first, then provisioning, then PAM | Multi-component migration |

Coexistence Pattern

During phased migration, old and new systems operate simultaneously:

┌─────────────────────────────────────────────────────────────┐
│                     COEXISTENCE PERIOD                      │
│                                                             │
│  ┌──────────────────────┐      ┌──────────────────────────┐ │
│  │     OLD IdP / PAM    │      │      NEW IdP / PAM       │ │
│  ├──────────────────────┤      ├──────────────────────────┤ │
│  │ Legacy Apps          │      │ Migrated Apps            │ │
│  │ Legacy Users         │      │ Onboarded Users          │ │
│  │ (Running old version)│      │ (Authenticating via new) │ │
│  └──────────┬───────────┘      └────────────┬─────────────┘ │
│             │                               │               │
│             └─────── Attribute Sync ────────┘               │
│               (Directory sync, credential sync)             │
│                                                             │
│  ┌────────────────────────────────────────────────────────┐ │
│  │           Attribute Synchronisation Services           │ │
│  │  - Password hash sync (PHS for IdP migration)          │ │
│  │  - Directory sync (AD Connect for directory migration) │ │
│  │  - Credential import (PAM vault import)                │ │
│  └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘

IdP Migration: Step-by-Step

Phase 1: Assessment (4-8 Weeks)

| Activity | Deliverable | Success Criteria |
|---|---|---|
| Application inventory | Complete list of all apps, auth methods, protocol versions | 100% inventory coverage |
| User inventory | User count, groups, roles, MFA methods | Verified against authoritative source |
| Integration audit | APIs, provisioning, SCIM connectors | Documented integration points |
| Risk assessment | Impact analysis for each app and user group | Risk-rated migration priority |
| Target IdP evaluation | Capability gap analysis between old and new IdP | Documented gaps and workarounds |

Phase 2: Planning (4-8 Weeks)

| Activity | Deliverable |
|---|---|
| Migration design | Detailed migration architecture, coexistence pattern |
| Application migration plan | Priority ordering, dependencies, timing per application |
| User migration plan | Pilot group, phased rollout, communication schedule |
| Test plan | Unit tests, integration tests, UAT, performance tests |
| Rollback plan | Triggers, procedures, communication for rollback |
| Communication plan | User notifications, training, support desk preparation |

Phase 3: Build & Test (4-8 Weeks)

| Activity | Description |
|---|---|
| Target IdP deployment | Configure new IdP, integrate with directory |
| Application configuration | Configure SAML/OIDC apps in new IdP, test connectivity |
| Authentication flows | Test SP-initiated, IdP-initiated, SLO flows |
| Coexistence setup | Configure password hash sync, attribute sync, session bridging |
| Integration testing | Test HRIS, ITSM, SIEM integrations with new IdP |
| User acceptance testing | Pilot group validates login, MFA, SSO across all apps |

Phase 4: Migration Execution (8-16 Weeks)

Week 1-2: Pilot group (IT team, 10-20 users)
├── Validate all apps, MFA, provisioning
└── Fix issues found in pilot
Week 3-4: Early adopters (100-200 users)
├── Broader validation, performance testing
└── Support desk training on common issues
Week 5-10: Phased rollout (500-2000 users/week)
├── Communication 1 week before each wave
└── Support desk staffed for migration support
Week 11-12: Long tail (remaining users)
├── Manual follow-up for non-migrated users
└── Exception handling
Week 13-16: Cutover complete
└── Old IdP decommissioned (or maintained for legacy apps)

Phase 5: Post-Migration (Ongoing)

| Activity | Duration | Description |
|---|---|---|
| Stabilisation | 2-4 weeks | Address post-migration issues, monitor performance |
| Legacy decommissioning | 4-8 weeks | Decommission old IdP after confirming all traffic is migrated |
| Optimisation | 4-8 weeks | Configure advanced features (conditional access, analytics) |
| Lessons learned | 2 weeks | Document what worked and what didn't |
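The decommissioning check above ("confirm all traffic is migrated") and the application-inventory point in the takeaways are the same reconciliation problem: anything still authenticating against the old IdP is either not yet cut over, deliberately retained, or was never in the inventory. The script below is an added example, not part of the original page; the sign-in log format, the inventory and the app names are all constructed.

```python
"""Decide whether the old IdP can be decommissioned by reconciling its sign-in log
against the application inventory. Added example; log format and data are constructed."""
import re
from collections import Counter

# Constructed old-IdP sign-in log, one event per line (the key=value format is an assumption).
OLD_IDP_LOG = """\
2024-05-06T08:01:12Z result=SUCCESS app=hr-portal user=alice proto=SAML
2024-05-06T08:02:40Z result=SUCCESS app=erp user=bob proto=SAML
2024-05-06T08:03:05Z result=SUCCESS app=legacy-timesheet user=carol proto=WS-Fed
2024-05-06T08:04:51Z result=FAILURE app=erp user=dave proto=SAML
2024-05-06T08:05:10Z result=SUCCESS app=shadow-reporting user=erin proto=OIDC
"""

# Constructed inventory from the assessment phase: app -> migration status.
INVENTORY = {
    "hr-portal": "migrated",
    "erp": "migrated",
    "legacy-timesheet": "legacy-retained",  # stays on the old IdP by decision
    "crm": "migrated",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) app=(?P<app>\S+) user=\S+ proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Yield (app, result, proto) per well-formed line; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["app"], m["result"], m["proto"]


def decommission_report(log_text, inventory):
    """Classify every app still seen on the old IdP and say whether decommissioning is safe."""
    traffic = Counter(app for app, _, _ in parse_log(log_text))
    report = {"still_on_old_idp": {}, "undocumented": {}, "retained": {}}
    for app, count in traffic.items():
        status = inventory.get(app)
        if status is None:
            report["undocumented"][app] = count      # missed by the inventory entirely
        elif status == "legacy-retained":
            report["retained"][app] = count          # expected, by decision
        else:
            report["still_on_old_idp"][app] = count  # marked migrated/pending but still here
    # Only retained legacy traffic may remain before the old IdP is switched off.
    report["safe_to_decommission"] = not report["still_on_old_idp"] and not report["undocumented"]
    return report
```

Both success and failure events count as traffic on purpose: a failed login against the old IdP still proves that a client is configured to use it.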

PAM Migration: Special Considerations

PAM Migration Challenges

| Challenge | Impact | Mitigation |
|---|---|---|
| Credential portability | Passwords stored in old vault cannot be exported in plaintext | Use credential import API, staged credential rotation post-migration |
| Session recording continuity | Old recordings must remain accessible | Archive old recordings, maintain search capability |
| Connector reconfiguration | All managed systems need new connectors | Stage connector deployment, parallel connection during migration |
| Admin adoption | Admins must learn new PAM interface | Training, phased rollout, power user pilot |
| Emergency access during migration | Break-glass must work during transition | Maintain old emergency process until new one is validated |

PAM Migration Approach

| Phase | Duration | Activities |
|---|---|---|
| 1. Discovery and inventory | 4-6 weeks | Document all privileged accounts, systems, policies, and workflows |
| 2. New PAM deployment | 4-8 weeks | Deploy new PAM in parallel, configure vault, policies, connectors |
| 3. Credential migration | 4-8 weeks | Migrate credentials (API import or manual re-onboarding of critical systems) |
| 4. Phased cutover | 8-16 weeks | Migrate systems one by one or by business unit |
| 5. Policy and workflow migration | 4-8 weeks | Rebuild approval workflows, JIT policies, certification campaigns |
| 6. Decommission | 4-8 weeks | Maintain old PAM in read-only mode, then decommission |

Rollback Planning

Rollback Trigger Criteria

| Trigger | Description | Action |
|---|---|---|
| Critical application failure | Top-10 business app non-functional after migration | Pause migration, roll the app back to old IdP |
| Widespread authentication failure | > 5% of migrated users cannot authenticate | Roll back to old IdP for affected user group |
| Performance degradation | Auth latency > 2x baseline for > 30 minutes | Scale up or roll back |
| Security incident | Migration introduces vulnerability | Immediate rollback, incident investigation |
| Catastrophic failure | Complete IdP/PAM outage | Execute full rollback plan |
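Trigger criteria are only useful if someone is actually computing them during each wave. The following evaluator is an added example, not part of the original page: it applies the thresholds stated in the table (more than 5% of migrated users unable to authenticate; auth latency above 2x baseline sustained for more than 30 minutes; a critical app with no successful logins) to a constructed stream of authentication events for one migration wave. The event shape, the wave membership, the baseline and the critical-app set are all constructed.

```python
"""Evaluate the rollback trigger criteria for one migration wave. Added example;
event records, wave membership, baseline and critical-app set are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    minute: int        # minutes since the wave cut over (constructed clock)
    user: str
    app: str
    success: bool
    latency_ms: int


AUTH_FAILURE_RATE = 0.05       # > 5% of migrated users cannot authenticate
LATENCY_MULTIPLIER = 2.0       # auth latency > 2x baseline ...
LATENCY_WINDOW_MIN = 30        # ... sustained for > 30 consecutive minutes
CRITICAL_APPS = {"erp", "email"}  # constructed stand-in for the "top-10 business apps"
MIGRATED_USERS = {f"user{i:02d}" for i in range(1, 41)}  # 40 users in this wave
BASELINE_MS = 120


def evaluate_triggers(events, migrated_users, baseline_ms):
    """Return (trigger, action) pairs that fire for this wave; [] means the wave is healthy."""
    fired = []
    # Widespread authentication failure: migrated users for whom every attempt failed.
    attempts = defaultdict(list)
    for e in events:
        if e.user in migrated_users:
            attempts[e.user].append(e.success)
    locked_out = {u for u, results in attempts.items() if not any(results)}
    if migrated_users and len(locked_out) / len(migrated_users) > AUTH_FAILURE_RATE:
        fired.append(("widespread_auth_failure", "roll affected user group back to old IdP"))
    # Critical application failure: a critical app that saw traffic but no successful login.
    app_ok = defaultdict(bool)
    for e in events:
        app_ok[e.app] = app_ok[e.app] or e.success
    for app in sorted(CRITICAL_APPS):
        if app in app_ok and not app_ok[app]:
            fired.append(("critical_app_failure", f"pause migration, roll {app} back to old IdP"))
    # Performance degradation: per-minute mean latency > 2x baseline for > 30 consecutive minutes.
    per_min = defaultdict(list)
    for e in events:
        per_min[e.minute].append(e.latency_ms)
    longest = run = 0
    prev = None
    for m in sorted(per_min):
        slow = sum(per_min[m]) / len(per_min[m]) > LATENCY_MULTIPLIER * baseline_ms
        run = run + 1 if (slow and prev == m - 1) else (1 if slow else 0)
        longest, prev = max(longest, run), m   # a gap in the data breaks the run
    if longest > LATENCY_WINDOW_MIN:
        fired.append(("performance_degradation", "scale up or roll back"))
    return fired


def constructed_events():
    """Constructed wave telemetry: 3 of 40 users never log in (7.5%), latency triples at minute 10."""
    return [AuthEvent(minute, f"user{i:02d}", "erp" if i % 2 else "email", i < 38,
                      110 if minute < 10 else 360)
            for minute in range(45) for i in range(1, 41)]
```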

Rollback Procedures

| Rollback Scenario | Procedure | RTO | RPO |
|---|---|---|---|
| Single app rollback | Change app auth config back to old IdP | 30 minutes | Zero (data loss not applicable) |
| User group rollback | Revert DNS/routing for group to old IdP | 1 hour | Zero |
| Full IdP rollback | Fail over to old IdP infrastructure | 4 hours | < 5 minutes (session data) |
| Full PAM rollback | Activate old PAM, redirect connectors | 4 hours | < 1 hour (credentials rotated during migration) |

Key Takeaways

  • IAM/PAM migrations are among the highest-risk infrastructure projects — a failed IdP migration can lock users out of all applications, and a failed PAM migration can block all administrative access
  • Four migration strategies exist: big bang (all-at-once, highest risk, for fewer than 500 users), phased (by group, app, geography, or business unit), coexistence (old and new systems operate simultaneously with attribute synchronisation), and hybrid (phased migration with coexistence period)
  • IdP migration follows five phases: assessment (4-8 weeks), planning (4-8 weeks), build and test (4-8 weeks), phased execution (8-16 weeks with pilot → early adopters → phased rollout → long tail), and post-migration stabilisation and optimisation
  • PAM migration presents unique challenges including credential portability (passwords cannot be exported in plaintext — use API import with staged rotation), session recording continuity (archive old recordings, maintain search), and connector reconfiguration for all managed systems
  • Coexistence requires attribute synchronisation between old and new IdPs — password hash sync (PHS) for seamless user authentication during transition, directory sync for attribute consistency, and credential import for PAM
  • Rollback planning must define trigger criteria (critical app failure, widespread auth failure, performance degradation, security incident, catastrophic failure) with specific rollback procedures, RTO targets, and RPO for each scenario
  • Application inventory (100% coverage of all apps, auth methods, and protocol versions) is the single most critical success factor for IdP migration — undocumented apps are the leading cause of migration failures