Sun IDM Migration Architecture

Sun Identity Manager, a.k.a. Oracle Waveset, is a software product at the end of its lifecycle. Yet many organizations still operate a Sun IDM solution because they haven’t found any reasonable migration path. But now there is a migration path that leads to the most comprehensive open source IDM solution: Evolveum midPoint. In the previous two posts I have described the obstacles and motivation of Sun IDM migration. It is quite clear that the major migration obstacles are cost and risk. However, we have successfully addressed both of these obstacles. The cost is addressed by the unprecedented deployment efficiency of Evolveum midPoint. Yet it is the risk that is usually the worst issue for any migration of any software system. But thanks to the flexibility of Evolveum midPoint we have managed to keep the migration risk at a very acceptable level. This post describes the details of our solution.

The key aspect of our solution is the ability of midPoint to co-exist with a running Sun IDM instance. And I mean no one-night-stand but really a long-term relationship. Sun IDM and midPoint can work together for months or even years, or for any time necessary to iteratively migrate Sun IDM to midPoint. Connector by connector, role by role, feature by feature. All in small steps that can be rolled back if needed.

This approach is made possible by two things. The first part is midPoint’s unique capability to keep its data synchronized with other systems. This is what midPoint was designed to do from the very beginning. The second part of the solution is quite new: a Sun IDM connector. Now midPoint is able to make an on-line connection to a running Sun IDM instance and to continually synchronize all the necessary data. For example, if a new user is created in Sun IDM then a corresponding user automatically appears in midPoint and it can be processed by midPoint logic. Later in the migration process the flow can be reversed: users created in midPoint can be automatically synchronized to Sun IDM. The integration works in both directions.

From the architectural point of view the solution is very elegant. It starts like this:

[Figure: Sun IDM Migration Architecture, step 1]

MidPoint starts as a pure “slave”: it takes all the information from Sun IDM. MidPoint synchronization capabilities are used to synchronize users, roles and organizational structure, and midPoint keeps them synchronized during the whole migration period. After this initial step the real migration starts. The resources are switched to midPoint one by one:

[Figure: Sun IDM Migration Architecture, step 2]

At the right time in the process midPoint and Sun IDM switch places. MidPoint becomes the master, Sun IDM is a slave. MidPoint will feed Sun IDM with all the necessary data. This is usually also the point when users stop working with Sun IDM and switch to midPoint user interface.

[Figure: Sun IDM Migration Architecture, step 3]

At this point the migration is almost complete. All the essential functionality is already in midPoint and the situation is stable. The last migration steps move all the remaining connectors to midPoint and Sun IDM can be decommissioned.
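As an added example (constructed for this post, not Evolveum’s own configuration and not the Sun IDM connector’s shipped definition), here is what the first “slave” phase looks like as a midPoint 3.x-style resource definition: inbound mappings only, and synchronization reactions that create or link midPoint users but never write back to Sun IDM. The connector OID is a placeholder and the ri:fullName attribute name is an assumption.

```xml
<!-- Constructed example for the "slave" phase: midPoint reads from Sun IDM and never
     writes back (no outbound mappings). Connector OID and ri:fullName are assumptions. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>Sun IDM (legacy, read-only during migration)</name>
  <connectorRef oid="SUN-IDM-CONNECTOR-OID-PLACEHOLDER" type="ConnectorType"/>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:AccountObjectClass</objectClass>
      <!-- Inbound only: Sun IDM is the master, the midPoint user name follows the account name -->
      <attribute>
        <ref>icfs:name</ref>
        <inbound><target><path>name</path></target></inbound>
      </attribute>
      <attribute>
        <ref>ri:fullName</ref>
        <inbound><target><path>fullName</path></target></inbound>
      </attribute>
    </objectType>
  </schemaHandling>
  <synchronization>
    <objectSynchronization>
      <enabled>true</enabled>
      <!-- Correlate an incoming Sun IDM account with an existing midPoint user by name -->
      <correlation>
        <q:equal>
          <q:path>c:name</q:path>
          <expression><path>$account/attributes/icfs:name</path></expression>
        </q:equal>
      </correlation>
      <!-- New account in Sun IDM -> new user in midPoint; existing ones get linked and kept in sync -->
      <reaction><situation>unmatched</situation><synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addFocus</handlerUri></action></reaction>
      <reaction><situation>unlinked</situation><synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri></action></reaction>
      <reaction><situation>linked</situation><synchronize>true</synchronize></reaction>
      <!-- Deleted in Sun IDM: unlink but keep the midPoint user, so a rollback never loses identities -->
      <reaction><situation>deleted</situation><synchronize>true</synchronize>
        <action><handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri></action></reaction>
    </objectSynchronization>
  </synchronization>
</resource>
```

In the later “master” phase the same resource gains outbound mappings so that midPoint feeds Sun IDM; running a reconciliation task against this resource during the slave phase is the simplest check that the two systems have not drifted.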

[Figure: Sun IDM Migration Architecture, step 4]

This process can take a few days or a few months; it adapts to the natural rhythm of IT operation routines. That means minimal disruption of the running systems and risk reduced to the minimum. The result is a brand new IDM solution based on a fully supported, state-of-the-art IDM product which is much better than Sun IDM was. An additional benefit of midPoint is that it has a clear roadmap leading to Identity Governance. In fact midPoint is one of very few products that offer a gradual development of the IDM solution into an Identity Governance and Administration (IGA) solution. Therefore when the Sun IDM migration process is over you will gain much more than just a replacement for an obsolete technology. You will gain a clear path towards the future of Identity Management.
