SAP IDM & MIM End-of-Life: How to Plan Your Identity Migration

For enterprises built on SAP Identity Management (SAP IDM) and Microsoft Identity Manager (MIM), the next few years will bring unavoidable change. Two of the last widely adopted on-prem platforms in enterprise environments are heading toward end-of-life.

SAP Identity Management mainstream maintenance ends on December 31, 2027, with extended maintenance available until 2030. This date might seem far off, but anyone who’s been through a major identity system migration knows how quickly time flies when you’re dealing with complex integrations, data migrations, and user training.

Microsoft Identity Manager support was extended to January 9, 2029. However, Microsoft stopped actively developing MIM in 2021, focusing instead on Entra ID (formerly Azure AD). The message is clear: their priority is no longer on-premise identity solutions.

For many organizations, this marks the end of an era – and the beginning of a significant challenge. For those navigating strict data sovereignty requirements or committed to maintaining critical on-prem capabilities, the road ahead may be even more complex. However, there is light at the end of the tunnel. After years of stagnant feature development, most current SAP IDM and MIM environments are outdated, lacking modern identity governance capabilities. Now is the perfect time to rethink your identity infrastructure and modernize your identity security posture.

In the following sections, we will explore practical strategies for legacy identity system migration and outline key options available to ensure a smooth, secure, and future-proof transition.

When the Obvious Choice Isn’t Always the Right One

When legacy systems reach end-of-life, the natural path often leads to vendor-recommended successors. SAP and Microsoft have developed clear migration guidance toward their cloud-based alternatives: SAP Cloud Identity Services and SAP Cloud Identity Access Governance for identity and access management across SAP products, and Microsoft Entra ID for the Microsoft ecosystem.

These solutions offer compelling advantages – modern cloud architecture, reduced infrastructure overhead, and tight integration within existing vendor ecosystems. For organizations heavily invested in Microsoft or SAP technologies, this path provides obvious benefits.

However, neither Entra ID nor SAP Cloud Identity Services represents a direct replacement for their on-premise predecessors. They differ in architecture, features, and how they operate, which means they might not fit every organization’s needs.

Before jumping on the bandwagon, ask yourself:

  • Is Microsoft or SAP at the core of your tech stack, and are you planning to stay within a single-vendor architecture? Or are you operating in a more complex, multi-vendor ecosystem?
  • Will your architecture remain on-premise, migrate to the cloud, or maintain hybrid operations?
  • How complex are your identity governance and administration needs beyond basic user lifecycle management?
  • What are your future scalability, security, and compliance needs?

Hybrid Architecture Adds Complexity

Most large organizations run hybrid environments with a mix of on-premise and cloud systems. Within these environments, managing identity and access consistently can be challenging. Microsoft talks about Entra ID as a hybrid solution, and in many ways it is. But the reality of making it work smoothly across all your systems can be more challenging than initial assessments suggest.

Managing identities in a hybrid IT architecture is not always straightforward. Organizations commonly run into:

  • Identity synchronization challenges across forests and domains
  • Custom attributes that don’t map cleanly to cloud directories and break in modern policy frameworks
  • Firewalls and proxies that impede cloud-to-ground communication in apps not designed for modern protocols

Hybrid identity architecture can add complexity. For many organizations, it offers the necessary balance to maintain compliance and customization without compromising long-term transition potential. The good news is that with identity platforms purpose-built to handle hybrid environments, these complexities can be effectively managed.

Cloud-first Isn’t for Everyone

Amid the push toward cloud migrations, it’s important not to overlook that many organizations choose to keep their operations on-premises. In such cases, adopting a cloud-native identity platform like Entra ID may not make much sense.

While some vendors are scaling back support for on-prem identity solutions, that doesn’t mean on-prem architecture is obsolete. In fact, many enterprises, including large global ones, continue to rely on it, often due to cost, strict regulatory compliance, and the need for full control over infrastructure and operations. If your organization falls into this category, that’s a valid and strategic choice.

That doesn’t mean your options are limited, though – there are still modern platforms that not only work in the cloud, but also fully support on-prem deployments and are committed to continuing that support.

Integration and Customization Challenges

This is where many organizations get surprised. If you’ve spent years building custom workflows, approval processes, and business rules in SAP IDM or MIM, you might find that Entra ID doesn’t give you the same level of flexibility.

Microsoft has built a solid platform, but it’s designed to work optimally within a Microsoft environment. If your business processes don’t align with that approach, you’ll need to either change your processes or find workarounds that add complexity and cost.

The True Cost of Migration

Per-user pricing models appear straightforward during initial evaluations, especially for smaller organizations. But enterprise-scale implementations frequently involve premium features, additional connectors for non-vendor systems, custom development requirements, licensing fees, and subscription costs that significantly impact long-term budgets.

The CISO’s Strategic Migration Playbook

Successfully migrating from legacy platforms requires a comprehensive approach that balances strategic planning with practical, risk-aware execution.

Organizations should begin this process well in advance of sunset dates, as identity system migrations typically require 12-36 months for full implementation in enterprise environments. Simply defining requirements and selecting the right solutions can take several months. Those who delay risk security vulnerabilities, operational disruptions, and compliance issues. That said, with the right tools and approach, you can have a steady stream of initial results from the beginning of the migration process.

Here’s a high-level roadmap to help you navigate this transition successfully:

[Figure: The ideal identity management migration timeline]

1. Assess Your Current Identity Landscape

Start with a thorough inventory of your existing identity infrastructure. Document not just your systems and integrations, but the actual business processes they support. Often, organizations discover that their identity management has evolved far beyond its original design, with workarounds and customizations that aren’t immediately obvious.

At this stage:

  • Review your systems, target directories, and applications, making sure to compare data for inconsistencies
  • Map how your identity systems connect with other applications
  • Understand existing identity lifecycle triggers, provisioning flows, and access policies
  • Take an inventory of non-human identities, such as service accounts, API credentials, and other machine identities

Also, map your compliance requirements early in the process. Different solutions handle regulatory requirements differently, and understanding these constraints upfront prevents costly discoveries later in the migration.

💡 Best Practice: Take this opportunity to “clean house”. Review your current licenses, identify which tools and capabilities are truly necessary, and pinpoint under-utilized applications. You might find significant savings by removing unused licenses and consolidating your tools.
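The assessment step above asks you to compare data across systems for inconsistencies and to inventory non-human identities. The script below is an added example, not code from the original post or from Evolveum or midPoint: it reconciles a constructed HR feed against a constructed Active Directory export and reports orphan accounts, accounts whose owner has left but that are still enabled, attribute drift between HR and AD, and service accounts with stale credentials. The AD column names mirror the usual attribute names (sAMAccountName, employeeID, mail, pwdLastSet); the isService column and all sample rows are assumptions for the example.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). In practice these come from
# the HR system of record and from an AD/LDAP export. The AD column names
# mirror the usual attributes; "isService" is an assumed tagging column.
HR_FEED = """employee_id,name,email,department,status
E100,Alice Adams,alice@example.test,Finance,active
E101,Bob Brown,bob@example.test,Sales,active
E102,Carol Clark,carol@example.test,IT,terminated
"""

AD_EXPORT = """sAMAccountName,employeeID,mail,department,enabled,pwdLastSet,isService
aadams,E100,alice@example.test,Finance,true,2025-01-10,false
bbrown,E101,bob@example.test,Marketing,true,2025-02-01,false
cclark,E102,carol@example.test,IT,true,2024-11-05,false
svc_backup,,,IT,true,2021-06-01,true
tmp_contractor,,,Sales,true,2024-12-20,false
"""

# Which HR fields must agree with which AD attributes.
ATTRIBUTE_MAP = (("email", "mail"), ("department", "department"))


def parse_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, ad_text, today, stale_days=365):
    """Compare accounts against the HR source of truth and collect findings."""
    hr = {row["employee_id"]: row for row in parse_csv(hr_text)}
    findings = {
        "orphans": [],                 # accounts with no HR owner
        "terminated_but_enabled": [],  # owner left, account still enabled
        "attribute_drift": [],         # (account, attribute, hr_value, ad_value)
        "nonhuman": [],                # service/machine accounts to inventory
        "stale_nonhuman": [],          # service accounts with old credentials
    }
    for acct in parse_csv(ad_text):
        name = acct["sAMAccountName"]
        if acct["isService"] == "true":
            # Non-human identities have no HR owner by design; inventory them
            # separately and flag credentials older than the rotation window.
            findings["nonhuman"].append(name)
            credential_age = (today - date.fromisoformat(acct["pwdLastSet"])).days
            if credential_age > stale_days:
                findings["stale_nonhuman"].append(name)
            continue
        owner = hr.get(acct["employeeID"])
        if owner is None:
            findings["orphans"].append(name)
            continue
        if owner["status"] != "active" and acct["enabled"] == "true":
            findings["terminated_but_enabled"].append(name)
        for hr_field, ad_field in ATTRIBUTE_MAP:
            if owner[hr_field] != acct[ad_field]:
                findings["attribute_drift"].append(
                    (name, ad_field, owner[hr_field], acct[ad_field]))
    return findings


def run_sample():
    """Run the reconciliation over the constructed exports with a fixed date."""
    return reconcile(HR_FEED, AD_EXPORT, today=date(2025, 6, 1))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

Each finding category maps to a migration decision: orphans and terminated-but-enabled accounts are cleanup candidates before any data is moved, attribute drift tells you which system is actually authoritative for each attribute, and the non-human inventory is usually the part that legacy IDM and MIM deployments never documented.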

2. Define Your Requirements

Engage stakeholders across IT, security, and business units to understand their actual needs and requirements. Focus on business outcomes rather than technical feature translations. This approach often reveals opportunities to streamline processes during the migration.

Consider your organization’s five to ten-year trajectory:

  • How complex do you anticipate your identity needs to be?
  • How will your identity governance requirements grow?
  • Are there any emerging regulations or compliance requirements that will have an impact on your identity processes?
  • How will your tech stack grow and what integration capabilities will you need?
  • Are you planning to expand internationally?
  • What about future mergers or acquisitions?

These factors should guide you in selecting the right solution to support your needs for years to come.

💡 Best Practice: Keep the initial scope focused and achievable. Successful teams often start with a core domain, like workforce identity lifecycle management, and build outward in manageable iterations. This allows for early value delivery and room for lessons learned to inform future phases.

3. Evaluate Solutions Through a Security Lens

Evaluation processes should extend well beyond feature comparisons and vendor demos. This includes assessing integration capabilities with existing systems, evaluating performance under realistic load conditions, and understanding true customization flexibility, while prioritizing security controls.

  • Authentication and credential security: Assess credential storage encryption, supported authentication methods, and multi-factor authentication enforcement capabilities. Examine password policies and session management.
  • Audit and compliance capabilities: Verify detailed logging of access decisions, configuration changes, and administrative actions. Confirm log retention periods and export capabilities. Ensure compliance reporting supports your regulatory requirements.
  • Vulnerability management: Evaluate security patch frequency, the vendor security track record, and testing procedures, including penetration testing and code reviews. Request vulnerability disclosure timelines and remediation processes.
  • Data protection and privacy: Determine data residency locations, processing controls, and personally identifiable information handling procedures. Verify data export, deletion capabilities, and privacy regulation compliance mechanisms.
  • Technical roadmap and sustainability: Understand the vendor’s product development plans and strategic vision. Assess whether the solution is actively maintained and evolving to keep pace with emerging security threats, regulatory changes, and technological advancements.

💡 Best Practice: Favor platforms that allow non-disruptive analysis and prototyping. This ensures you can validate the technical fit, policy alignment, and risk exposure before you commit to full deployment.

4. Build a Risk-Aware Migration Plan

Avoid “big bang” migrations. Successful migrations follow phased approaches that balance early insight with controlled execution. While traditional wisdom often suggests starting with non-critical systems, in identity management, it’s often more effective to connect to foundational, business-critical systems early in a non-invasive, simulation-driven way. This approach provides crucial visibility into your most complex and foundational identity flows without introducing immediate risk. Each migration phase should allow time for:

  • Integration challenges
  • Refining processes
  • Validating assumptions before migrating business-critical systems

Pilot phases should focus on complex integration scenarios rather than simple ones, revealing potential issues early in the process.

Don’t forget about resource planning either – these migrations demand significant technical resources and expertise. Resource allocation should account for senior technical staff being significantly engaged with migration activities for extended periods. Assess internal capabilities honestly and plan for external support where needed, including technical implementation support and change management.

Your migration plan should include comprehensive rollback procedures for each phase, strategies for maintaining security during parallel system operations, and clear incident response procedures for migration-related security events.

💡 Best Practice: Connect to core systems like AD early in the process using non-disruptive simulations. This gives you visibility into your identity baseline, reveals gaps or legacy issues, and sets the stage for safer phased implementation, allowing you to “see before you act.”
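The "see before you act" approach in step 4 is easier to judge with a concrete simulation loop. The following is an added example, not code from the original post or from Evolveum or midPoint: it derives the desired state of target accounts from a constructed HR feed and a role-to-entitlement policy, computes the change set without touching the target, applies it only when simulation mode is off and a blast-radius gate passes, and records a journal that can roll the phase back. The policy, HR records, current account state and the 50% gate threshold are all assumptions for the example; a real phased rollout would use a far lower threshold on a large population.

```python
import copy

# Constructed policy: HR department -> entitlements the account should hold.
POLICY = {
    "Finance": {"erp_user", "vpn"},
    "Sales": {"crm_user", "vpn"},
    "IT": {"admin_console", "vpn"},
}

# Constructed HR records (the source of truth for the simulation).
HR = [
    {"id": "E100", "department": "Finance", "status": "active"},
    {"id": "E101", "department": "Sales", "status": "active"},
    {"id": "E102", "department": "IT", "status": "terminated"},
    {"id": "E103", "department": "Finance", "status": "active"},
    {"id": "E104", "department": "Finance", "status": "active"},
    {"id": "E105", "department": "Sales", "status": "active"},
]

# Constructed current state of the target system, keyed by HR id.
CURRENT = {
    "E100": {"enabled": True, "entitlements": {"erp_user", "vpn"}},
    "E101": {"enabled": True, "entitlements": {"crm_user", "vpn", "admin_console"}},
    "E102": {"enabled": True, "entitlements": {"admin_console", "vpn"}},
    "E104": {"enabled": True, "entitlements": {"erp_user", "vpn"}},
    "E105": {"enabled": True, "entitlements": {"crm_user", "vpn"}},
}


def plan_changes(hr, current, policy):
    """Compute the change set (op, id, argument) without touching the target."""
    changes = []
    for person in hr:
        pid = person["id"]
        acct = current.get(pid)
        if person["status"] != "active":
            if acct and acct["enabled"]:
                changes.append(("disable", pid, None))
            continue
        wanted = policy.get(person["department"], set())
        if acct is None:
            changes.append(("create", pid, sorted(wanted)))
            continue
        for ent in sorted(wanted - acct["entitlements"]):
            changes.append(("grant", pid, ent))
        for ent in sorted(acct["entitlements"] - wanted):
            changes.append(("revoke", pid, ent))
    return changes


def within_blast_radius(changes, current, max_fraction):
    """Gate: refuse to run if too many existing accounts would lose access."""
    affected = {pid for op, pid, _ in changes if op in ("disable", "revoke")}
    return len(affected) <= max_fraction * max(len(current), 1)


def apply_changes(changes, current):
    """Apply a change set to the target state and return an undo journal."""
    journal = []
    for op, pid, arg in changes:
        if op == "create":
            current[pid] = {"enabled": True, "entitlements": set(arg)}
            journal.append(("delete", pid, None))
        elif op == "disable":
            current[pid]["enabled"] = False
            journal.append(("enable", pid, None))
        elif op == "grant":
            current[pid]["entitlements"].add(arg)
            journal.append(("revoke", pid, arg))
        elif op == "revoke":
            current[pid]["entitlements"].discard(arg)
            journal.append(("grant", pid, arg))
    return journal


def rollback(journal, current):
    """Undo a phase by replaying the journal in reverse."""
    for op, pid, arg in reversed(journal):
        if op == "delete":
            del current[pid]
        elif op == "enable":
            current[pid]["enabled"] = True
        elif op == "grant":
            current[pid]["entitlements"].add(arg)
        elif op == "revoke":
            current[pid]["entitlements"].discard(arg)


def run(simulate=True, max_fraction=0.5):
    """Plan, and either stop at the plan (simulation/gate) or apply with a journal."""
    state = copy.deepcopy(CURRENT)
    changes = plan_changes(HR, state, POLICY)
    if simulate or not within_blast_radius(changes, state, max_fraction):
        return {"changes": changes, "state": state, "journal": None}
    return {"changes": changes, "state": state, "journal": apply_changes(changes, state)}


if __name__ == "__main__":
    for change in run()["changes"]:
        print("planned:", change)
```

Run with the default simulate=True during the first connection to a core system: the plan is the identity baseline the text refers to, and surprises such as an unexpectedly large number of revocations show up as a long change list rather than as an outage. The gate is the cheap insurance against a mis-mapped attribute turning a phase into a mass deprovisioning, and the journal is the per-phase rollback the plan should already require.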

5. Invest in Change Management and User Adoption

Technical implementation represents only part of your challenge. Successful migrations require comprehensive change management strategies beginning with key stakeholder involvement from IT, security, and business units during solution selection to ensure buy-in and realistic expectation setting.

Training programs should reflect actual user workflows rather than theoretical processes. Organizations should plan for different user groups with varying technical skills and interaction patterns. The communication rollout should address concerns proactively, provide clear feedback and support channels, and maintain transparency about timelines and impact expectations.

💡 Best Practice: Pair each technical delivery phase with targeted stakeholder communication, user training material development, and clear success measurement. Early small wins, achieved through iterative and low-risk deployments, help establish credibility and build momentum for broader adoption.

Navigating the Identity Management Market Landscape

The identity and access management (IAM) market has matured considerably in recent years with numerous established and emerging platforms worth serious consideration. While certain recommended routes offer integration advantages, they’re not the only options:

  • Full-featured identity governance platforms: Vendors focused specifically on identity governance and administration often provide deeper governance capabilities and more flexible customization options than general identity management and lightweight IGA solutions. While light IGAs can be handy and often offer out-of-the-box functionality, they frequently lack the robust features required for comprehensive, long-term governance and scalability.
  • Hybrid IGA platforms: Designed to support on-prem, hybrid, and cloud deployment needs. For organizations working in a hybrid operational model or those planning a gradual migration to the cloud, these platforms can be an ideal solution.
  • Open source software: Modern open-source identity platforms have gained significant enterprise adoption. These solutions now offer enterprise-grade features, professional support options, and active communities that contribute to their ongoing improvement through testing, answering community questions, and even developing custom connectors, which provides maximum flexibility and customization potential.

Evaluate platforms based on your specific architecture and business needs – consider factors beyond brand recognition. It is worth examining community threads to understand real-world scenarios and engaging with companies with similar challenges. Also, ask for proof-of-concepts where possible.

When it comes to cost, think about the total cost of ownership, including licensing fees, implementation costs, ongoing maintenance, training requirements, and potential needs for external expertise.


The Strategic Path Forward That Shapes the Next Decade

Thousands of organizations affected by the end-of-life of SAP IDM and MIM now face pivotal decisions about their identity management future. While vendor-recommended migration paths offer predictable routes, they may not represent optimal solutions for every environment. The key lies in approaching these decisions strategically rather than reactively.

Take time to understand options fully – evaluate solutions based on specific requirements rather than general market positioning, and consider long-term implications. Today’s identity management market offers mature alternatives across different deployment models, architectural approaches, and business models.

Starting evaluation processes early and considering the full spectrum of available solutions will ensure the chosen platforms support long-term organizational objectives. Remember, the decisions made today will impact your identity security operations for the next decade or two.


About Evolveum:
Evolveum is the organization behind midPoint, the leading open source IGA platform recognized as a complete IGA by both Gartner and KuppingerCole. MidPoint bridges the gap between IT and business, making it an ideal choice for organizations seeking digital transformation to enhance security and efficiency.
