How to break up with your IdP: migrating to a new identity provider
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.
The reason your identity provider (IdP) is so important is the same reason they can be so sticky.
Your IdP touches everything in the business: every user across your entire workforce and all your applications. Setting up access for the right people to the right applications takes time, so it’s natural, when considering moving to a new IdP, to fear an equal time commitment for the migration — not just for configuration, but for coordination and communication across the whole company.
Migrations typically involve a large-scale “Day 0” export of rules and accounts from one provider to another. You flip the switch and hope that everything works after manually setting it all up.
As if switching one IdP isn’t hard enough, it’s not uncommon for companies to have multiple solutions stitched together. Individual teams may have come up with their own solutions, or they could have inherited systems from acquisitions or organizational changes. This leads to scenarios where large organizations might even have three or four different IdPs, directories, or other solutions patched together. Each of these might be on its own contract renewal cycle, making it difficult to coordinate a switchover without incurring a cost.
On the one hand, migrating IdPs is intimidating and risky. On the other, you face the administrative cost of maintaining a host of separate identity solutions, plus the security risk of not having a single place for visibility or administration of access.
It doesn’t have to be so hard
Let’s look at a real-life situation that is a common case for migrating identity providers: we have helped multiple companies that were using Okta, faced with a contract renewal deadline, and frustrated with missing features and functionality. They were spending more time building and maintaining what they needed on top of Okta than extending and customizing it. In choosing to switch to authentik, these companies have managed to migrate thousands of employees over from Okta, often in just a few weeks. How is this possible?
Instead of the “big bang” or “Day 0” approach to migration (which can take months to prepare for and risks disrupting work for employees), dynamic migration makes the process much smoother and more fault tolerant.
How does dynamic migration work?
When migrating your IdP solution to authentik, you can use authentik Sources to define and configure an external source of user accounts, which authentik can access and use as the source of truth for user credentials. Further, our Source Stage feature can be used to pass an OAuth or SAML source dynamically into a flow in authentik. For instance, this could be another IdP, or any other user directory or application like Google Workspace, GitLab, etc.
This allows you, for instance, to pull another IdP's data into authentik on user registration or login. You can make sure that everything appears as expected and works properly before switching over to authentik as your primary source of truth. Then you would switch off your old IdP only when the data is fully duplicated, you’re confident that everything is working, and authentik is serving as the primary IdP.
You can use source property mappings to map user information into authentik, storing the user attributes within authentik and importing selected parts of that data into authentik user and group objects. This further helps if you have multiple sources to consolidate, for instance multiple IdPs that each store and handle an overlapping set of user data slightly differently. This can all be automated, funneling data in without error-prone manual actions or unwieldy bulk data exports.
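As an added illustration of the consolidation step described above (this is a stand-alone sketch, not authentik's own code or its property-mapping runtime), the following Python normalises constructed user records from two differently shaped legacy sources into one canonical attribute set and merges users by email, the way per-source property mappings plus a consolidation pass would. Source names, payload shapes and field names are assumptions for the example.

```python
"""Stand-alone sketch of consolidating two IdPs via per-source mappings.

Constructed example, not authentik's own code: each legacy source returns
overlapping user data in a slightly different shape; one mapping per
source normalises it, and a merge step reconciles users seen from both.
"""
from typing import Callable

# Constructed userinfo payloads shaped like two different directories' output.
SAMPLE_OKTA = {"email": "Ada.Lovelace@Example.com", "given_name": "Ada",
               "family_name": "Lovelace", "groups": ["Engineering", "Admins"]}
SAMPLE_GOOGLE = {"email": "ada.lovelace@example.com",
                 "name": {"givenName": "Ada", "familyName": "Lovelace"},
                 "orgUnitPath": "/Engineering/Platform", "suspended": False}

def map_okta(info: dict) -> dict:
    """Mapping for the first source: flat claims, groups given as a list."""
    return {
        "email": info["email"].strip().lower(),   # canonical join key
        "name": f"{info['given_name']} {info['family_name']}",
        "groups": {g.lower() for g in info.get("groups", [])},
        "active": True,
    }

def map_google(info: dict) -> dict:
    """Mapping for the second source: nested name, org unit path instead of groups."""
    units = [u for u in info.get("orgUnitPath", "").split("/") if u]
    return {
        "email": info["email"].strip().lower(),
        "name": f"{info['name']['givenName']} {info['name']['familyName']}",
        "groups": {u.lower() for u in units},
        "active": not info.get("suspended", False),
    }

MAPPINGS: dict[str, Callable[[dict], dict]] = {"okta": map_okta, "google": map_google}

def consolidate(records: list[tuple[str, dict]]) -> dict[str, dict]:
    """Apply each source's mapping and merge users by canonical email.

    Groups are unioned; a user stays active only if every source agrees, so a
    suspension in one directory is not silently lost during consolidation.
    """
    users: dict[str, dict] = {}
    for source, info in records:
        mapped = MAPPINGS[source](info)
        current = users.get(mapped["email"])
        if current is None:
            users[mapped["email"]] = mapped
            continue
        current["groups"] |= mapped["groups"]
        current["active"] = current["active"] and mapped["active"]
    return users
```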
Often our customers will want to add new layers of security not previously available with their legacy providers. This can also be done seamlessly, for instance by creating a custom flow that has users enroll specific MFA devices when logging into their existing, newly migrated account.
Stage first, roll out gradually
There are two ways migrating to authentik can happen safely and gradually, instead of in a risky, Day 0 operation:
- You can try authentik out first in a staging environment, and roll it out for select teams (such as your IT and security team members) to trial first, before enrolling everyone. Similarly, you can set up groups to migrate using existing flows, instead of treating it as a brand new rollout each time.
- You can also pull in your information dynamically. As we talked about above, using the Source Stage functionality means you can spin up authentik alongside your existing sources of truth to dynamically map in data, instead of manually migrating to a new, entirely separate IdP.
The effect of dynamic migration is that the experience is as seamless as possible for the end user. They will simply go to a different place to log in (or you can even redirect your existing URL). It might look slightly different, but the actual login process can be replicated without them having to re-enroll manually.
The migration experience for the admin likewise avoids recreating groups, roles, and nested permissions: you can simply sync those from your other sources automatically.
Benefits of switching + consolidating
For our customers, in addition to avoiding a costly renewal of their legacy provider and gaining the flexibility they were looking for in an IdP, they now also work with a responsive team with a more transparent way of working. There are a host of other benefits to switching and especially consolidating IdPs if you’re currently using multiple solutions:
Lower cost and complexity
Renewal costs are one thing; the engineering hours spent on writing code to duct tape multiple IdPs together is another. With a single system to maintain, team members are freed to be more productive on other work. You also avoid the productivity cost of every end user context switching between different login systems to access different applications.
Improved security and reliability
That duct-tape code to bring multiple IdPs together isn’t just time consuming to write; it also creates risk. Consolidating your identity solution into a single platform reduces your attack surface and gives your security team or admin greater visibility into connection requests and activity. Using a self-hosted solution also creates stability, compared to the many lost working hours if your SaaS IdP suffers an outage.
Using a solution based on open source is another way to ensure a level of continuity that’s impossible with closed-source SaaS providers. Even if Authentik Security (the company) were to disappear, you could continue to use authentik (the open source project) for as long as you need to.
More flexibility to customize the authentication experience
Using Expression Policies to define specific implementations of flows and stages is a key part of customization in authentik, and you can even inject your own code if you need to. This lets you get really granular, like dynamically requiring only users with specific custom attributes to validate with a second authentication factor, or combining different factors to add layers of security.
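As an added example of the decision such a policy makes (a stand-alone Python sketch, not authentik's own code or policy runtime), the logic below requires a second factor only for users carrying a custom attribute or sitting in a privileged group, restricts privileged users to a phishing-resistant factor, and routes users without an acceptable device to enrollment, as in the migration flow described earlier. The `User` model, attribute name and group names are assumptions for the example; inside authentik the user would come from the request context rather than a parameter.

```python
"""Stand-alone sketch of an attribute-driven MFA policy decision.

Constructed example, not authentik's own code: the user object and the
attribute/group names are assumptions; in a real expression policy the
same checks would run against the user from the request context.
"""
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    groups: set[str] = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    # Factor classes this user has already enrolled, e.g. {"totp", "webauthn"}.
    enrolled: set[str] = field(default_factory=set)

PRIVILEGED_GROUPS = {"admins", "security"}   # assumed group names

def mfa_required(user: User) -> bool:
    """The boolean an expression policy returns: does the MFA stage apply?

    A custom attribute (e.g. set on migrated accounts) or membership in a
    privileged group triggers the second factor; everyone else continues.
    """
    if user.groups & PRIVILEGED_GROUPS:
        return True
    return bool(user.attributes.get("mfa_required", False))

def allowed_device_classes(user: User) -> set[str]:
    """Combine factors by tier: privileged users get only the stronger one."""
    if user.groups & PRIVILEGED_GROUPS:
        return {"webauthn"}            # phishing-resistant only
    return {"totp", "webauthn"}        # any enrolled second factor is fine

def next_step(user: User) -> str:
    """Route the login: 'continue', 'enroll' (no acceptable device), or 'validate'."""
    if not mfa_required(user):
        return "continue"
    if not (user.enrolled & allowed_device_classes(user)):
        return "enroll"
    return "validate"
```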
Additionally, authentik, being vendor agnostic, allows you to communicate via API with whatever services you want. That means you’re in control of accessing your own data or accessing other providers to use their data.
Not being locked to a vendor is core to owning your IdP, streamlining costs, and reducing complexity. While self-hosting and streamlined pricing are a big part of this, the ability to consolidate from multiple tools to one also provides cost savings.
If you’re feeling stuck with your legacy IdP and looking for a way out, we can help! Get in touch so we can work with you on a migration plan. Authentik’s architecture is inherently scalable, working just as well for a homelab setup as it does scaled up to hundreds of thousands of users from a single instance — so the solution can grow with you. You can reach us on GitHub, Discord, or via email on [email protected].
Rebecca Dodd contributed to this post.