Many companies use SAP Identity Management (IdM) to manage user access in heterogeneous system landscapes securely and efficiently. But not for much longer, as maintenance for SAP IdM ends in 2027. Since there will be no successor product for SAP IdM 8, companies are faced with the task of reorganizing themselves with regard to identity management.
Benefit from our tool-supported approach when replacing SAP IdM
While it has been unclear in recent years what the future holds for identity management at SAP, the strategic direction is now clear: IdM outside the SAP landscape is no longer the focus, as there are enough alternatives on the market. SAP emphasizes that SAP systems can still be operated via the internal tools SAP Identity Access Governance (IAG), SAP Identity Provisioning Service (IPS), SAP Identity Authentication Service (IAS) and SAP Identity Directory Service (IDS). However, these applications, grouped under the name SAP Cloud Identity, are not a replacement for the previous Identity & Access Management and cannot act as a central identity management system.
Put simply, SAP provides an interface or API framework to ensure Identity & Access Management in and out of the SAP world. The tool for this is no longer available from SAP itself; instead, SAP refers to other established IAM providers on the market.
What is new since the DSAG Technology Days 2024 is that SAP has entered into a strategic collaboration with Microsoft. With Microsoft Entra and SAP Cloud Identity, it should be strategically possible to replace an SAP IdM system, according to the current direction. This is good news for SAP IdM customers, as they are already using Microsoft. However, there will also be customers who are under great pressure to migrate due to a lack of time. The management of every SAP IdM customer in particular will want to take a closer look at the Microsoft option, as this is a significant investment. With our Migration Audit for SAP IdM, we help to answer the open questions.
Ensuring continuous operation
Although there is still some time until 2027, companies should set the course early on and systematically tackle the tasks arising from the switch from SAP IdM to another identity management solution. The most important goal here is to ensure continuous operation within the company and not to jeopardize business processes. In addition, ways must be found to protect the investments made in SAP IdM and possibly transfer them to the new identity management system – for example, workflows or individually designed UI5 interfaces. Another task is to find the best economic time to leave SAP IdM behind and move towards a new identity management system.
Replacing SAP IdM offers many opportunities
The end of SAP IdM maintenance inevitably involves some effort. At the same time, however, it also brings opportunities that companies can use to their advantage. Switching from SAP Identity Management to an alternative IdM solution is a good time to evaluate the technical requirements, optimize your own IAM organization, create a clean database and get started in the new system without any legacy issues. This includes, among other things, a functional clean-up of the system, combined with the abandonment of developments that are no longer needed, as well as rethinking and optimizing the system and processes. Companies should ask themselves which operating model will be the right one for them in the next five to ten years: Will they continue with a hybrid approach or should it become a software-as-a-service (SaaS) solution? Where is the topic of Identity & Access Management located: in operations or as a component of cyber security? New software always has the potential to increase efficiency and productivity and to take the organization to a new level.
Preparing the SAP IdM migration in a targeted manner
In order to prepare the migration of the SAP IdM system in the best possible way, it is advisable to carry out a thorough inventory in four steps. IBsolution has developed the Migration Audit for SAP IdM for this purpose. From a time perspective, at least six months should be planned for this preparation phase.
Step #1: Assessment
The first step is to carefully determine the impact of the end of SAP IdM maintenance on the business processes. The question of whether security standards can continue to be met in the future is also relevant. The realization of compliance requirements and the assessment of security risks are also important components of this phase.
Step #2: Analysis
The analysis phase involves comparing the strengths and weaknesses of the SAP IdM system. The future direction of the organization and the system landscape must also be clarified. This also includes evaluating the processes in order to obtain a complete picture of the current status.
Step #3: Planning
The next step involves planning the migration to the new identity management system. The time and cost frame as well as the resource requirements need to be clarified. It is also necessary to determine the training needs of employees with regard to the new tool.
Depending on the size of the SAP IdM system, it may make sense to avoid a big bang go-live and divide the system into defined segments that are taken live one after the other. In this case, the old and new systems run in parallel. To ensure a high level of usability, it is worth checking whether it is possible to continue using the previous Web Dynpro or UI5 interfaces.
Step #4: Tool selection
The decision for the new IdM tool should be the final step in the migration preparation. As part of a comprehensive market analysis, the providers and their software solutions are compared based on factors such as license costs, deployment strategy, functionalities and roadmap. Ideally, demo scenarios can be created and hands-on sessions carried out to get a feel for how the tools can be used. Companies should also carry out performance tests in good time to avoid a rude awakening later on and conduct reference talks with other companies to benefit from their experience.
From preparation to migration
Once the preparations have been completed and the company has decided on a successor for SAP IdM, the actual migration can begin. A best-practice approach with different phases, which are run through one after the other, has proven its worth here.
Pilot phase
Once budgeting has been completed, the pilot phase begins, during which it is important to focus on basic functions and only consider a limited user group. Other aspects of the pilot phase are the implementation of initial data migrations and an early look at performance.
Organizational change management
It is important to get the organization on board and enthusiastic about the new IdM system with regular communication and appropriate training. With Organizational Change Management (OCM), all stakeholders involved can be brought on board at an early stage. The focus remains on a small scope with the defined basic systems and a limited user group.
Customization & integration
This phase is already concerned with the concrete implementation of specific requirements. The data migration is expanded and additional systems are integrated.
Test phase
In the test phase, the new IdM system is thoroughly checked. The typical tests are on the agenda: developer tests, integration tests, performance tests and user acceptance tests (UAT).
Parallel operation
In parallel operation, the old and new software are operated simultaneously. The individual functions are split up and gradually taken over. Support for both system lines also starts with parallel operation.
Transition in phases
The transfer of additional functionalities and the connection of further systems to the new identity management system now takes place gradually in several waves until the migration is finally complete. For systems of average size, the migration can be expected to take around 18 months.
Which IdM solution is suitable as a successor?
It is not easy to decide on a tool as the successor to SAP Identity Management. There are currently around 130 corresponding software products available. Differentiating between the individual solutions and identifying the ideal tool is proving increasingly difficult, as they are becoming more and more similar in terms of functionality. Five major providers in particular are established on the market as sensible successors to SAP IdM: Microsoft Entra (SAP recommendation), One Identity, Omada, SailPoint and Micro Focus.
In order to make the best possible choice, companies can be guided by the following key questions:
- Is it a cloud solution or an on-premise tool?
- Which functionalities are available out-of-the-box and which need to be developed in-house?
- Are there customizing options or do I have to use a predefined standard?
- Do I need a pure IAM solution that provides connectors to other functional systems or a platform solution that covers all disciplines?
- Is the solution SAP-certified? Can it be used to map hybrid system landscapes?
- Can updates be carried out without extensive configurations?
- What is the usability of the product like? Is it possible to adopt the interfaces used so far?
- Is the provider established on the market and does the product have a valid roadmap?
Conclusion: Start the SAP IdM replacement project in good time
As the end of maintenance approaches, every company that uses SAP Identity Management will inevitably have to deal with the replacement of SAP IdM. Ideally, the migration should be completed six months before maintenance for SAP IdM is discontinued on December 31, 2027. Although it is possible to agree to a one-time charge for extended maintenance until 2030, this option is merely a contingency plan for many companies.
At least 36 months should be scheduled for the preparation and actual migration. Companies should therefore use the remaining time to carefully prepare and implement the switch to an alternative IdM product. IBsolution is available as an experienced and competent partner for the design and implementation of the SAP IdM replacement – regardless of whether companies opt for a migration or a new greenfield implementation.