Introduction
Changing identity providers is one of the most anxiety-inducing projects in IT. When authentication fails, nobody can work. But with proper planning and the right tools, you can migrate between IdPs without any downtime or user disruption.
This guide shares battle-tested strategies from hundreds of successful migrations.
Why Organizations Migrate IdPs
Common Migration Triggers
- Cost reduction - Moving to a more affordable provider
- Consolidation - Merging IdPs after M&A
- Feature requirements - New IdP offers needed capabilities
- Platform strategy - Aligning with a cloud provider (for example, Microsoft Entra ID, formerly Azure AD, with Microsoft 365)
- Support issues - Better support/relationship with new provider
- Compliance - New IdP has required certifications
The Stakes
A botched IdP migration can result in:
- Complete authentication outage
- Users locked out of all applications
- Emergency rollback scrambles
- Lost productivity and revenue
- Damaged IT credibility
This guide helps you avoid all of that.
Pre-Migration Planning
Phase 1: Discovery (Weeks 1-2)
Inventory your current state:
- Applications
  - List every app using your current IdP
  - Note protocol (SAML, OIDC) for each
  - Identify apps with custom integrations
- Users
  - Total user count
  - User sources (HR system, manual, directory sync)
  - Special accounts (service accounts, break-glass)
- Policies
  - MFA requirements
  - Conditional access policies
  - Group-based access rules
  - Session timeout settings
- Integrations
  - HR systems (provisioning)
  - SIEM/security tools
  - Helpdesk/ticketing
  - Custom applications
Document everything. You'll need this inventory throughout the migration.
Phase 2: New IdP Setup (Weeks 3-4)
Set up your new IdP to mirror your current configuration:
- User source
  - Connect to the same user source (AD, HR system)
  - Or plan a user import strategy
- Policies
  - MFA requirements
  - Conditional access rules
  - Session management
- Attributes
  - Ensure the same attributes are available
  - Test that attribute values match
Phase 3: Parallel Configuration (Weeks 5-6)
Here's where SecurePie makes things easy. Configure both IdPs simultaneously.
SecurePie's Dual-IdP Support:
Migration Strategies
Strategy 1: Big Bang (Not Recommended)
How it works: Switch all users at once.
Pros:
- Simple conceptually
- Fast (one cutover)
Cons:
- High risk
- No fallback if issues arise
- All problems happen at once
When to use: Only for very small organizations (<50 users) with simple setups.
Strategy 2: Parallel Run (Recommended)
How it works: Run both IdPs simultaneously during transition.
Phases:
- Phase 1: Old IdP only
  - All traffic goes to old IdP
  - New IdP configured and ready
  - Pilot users can test new IdP
- Phase 2: Gradual cutover
  - Move users in batches
  - Monitor for issues
  - Rollback capability maintained
- Phase 3: Majority on new IdP
  - Most users on new IdP
  - Old IdP available for stragglers
  - Continue monitoring
- Phase 4: Decommission
  - Disable old IdP routing
  - Decommission old IdP
This is the approach we recommend for most organizations.
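As an added illustration of the routing decision these phases describe (this is not SecurePie code or its routing configuration; the group name, salt, constant and function names are assumptions), here is the logic in Python. Members of the pilot group go to the new IdP; everyone else is moved in batches by a deterministic hash, so a user lands on the same IdP at every login and a batch, once moved, stays moved as the percentage rises; a single rollback flag sends all logins back to the old IdP; and break-glass or service accounts can be pinned to the old IdP until the final phase so they never depend on the migration in progress.

```python
import hashlib
from dataclasses import dataclass, field, replace

# Assumed identifiers; the page does not show SecurePie's real configuration keys.
NEW_IDP = "new-idp"
OLD_IDP = "old-idp"


@dataclass
class RoutingConfig:
    pilot_group: str = "SSO Pilot"          # members always go to the new IdP
    rollout_percent: int = 0                # share (0-100) of remaining users on the new IdP
    rollback: bool = False                  # kill switch: every login back to the old IdP
    pinned_to_old: set = field(default_factory=set)  # break-glass and service accounts
    salt: str = "idp-migration-2024"        # keep fixed for the whole migration


def bucket(username: str, salt: str) -> int:
    """Deterministic 0-99 bucket per user.

    Hashing instead of a random draw keeps each user sticky to one IdP across
    logins, and raising rollout_percent only ever adds users, never swaps them.
    """
    digest = hashlib.sha256(f"{salt}:{username.lower()}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def choose_idp(username: str, groups, cfg: RoutingConfig) -> str:
    """Pick the IdP for this login. Evaluated by the broker from directory data;
    nothing in the user's request influences the outcome."""
    if cfg.rollback:
        return OLD_IDP
    if username.lower() in {u.lower() for u in cfg.pinned_to_old}:
        return OLD_IDP
    if cfg.pilot_group in groups:
        return NEW_IDP
    if bucket(username, cfg.salt) < cfg.rollout_percent:
        return NEW_IDP
    return OLD_IDP


def rollout_plan(usernames, cfg: RoutingConfig, percents=(10, 25, 50, 100)):
    """Preview which non-pilot users move at each batch size, to hand to the
    helpdesk before each phase. Returns {percent: sorted users on the new IdP}."""
    plan = {}
    for p in percents:
        step = replace(cfg, rollout_percent=p)
        plan[p] = sorted(u for u in usernames if choose_idp(u, [], step) == NEW_IDP)
    return plan


if __name__ == "__main__":
    cfg = RoutingConfig(rollout_percent=25, pinned_to_old={"breakglass-admin"})
    for user, groups in [("alice", ["SSO Pilot"]), ("bob", ["Staff"]), ("breakglass-admin", [])]:
        print(user, "->", choose_idp(user, groups, cfg))
    print({p: len(users) for p, users in rollout_plan([f"user{i}" for i in range(100)], cfg).items()})
```

Rollback here is a configuration flip, not a code change, which is what makes it fast; keep the salt and the pinned set in version control so the plan the helpdesk was given matches what the broker actually does.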
Strategy 3: Application-by-Application
How it works: Migrate apps one at a time to new IdP.
Pros:
- Lowest risk per change
- Easy to troubleshoot
Cons:
- Users have accounts in both IdPs
- Longer timeline
- More complex user experience during migration
When to use: When you have many applications with complex configurations.
Step-by-Step Parallel Migration
Week 1: Prepare
Week 2: Pilot
Routing rule for the pilot:
```
If user in "SSO Pilot" group → New IdP
Else → Old IdP
```
Choosing the pilot group:
- Pick diverse departments
- Include some non-technical users
Monitor:
- Authentication success rates
- Support ticket volume
- User feedback
Week 3-4: Expand
- Fix issues discovered
- Update documentation
- Refine rollback procedures
Week 5: Majority Migration
Watch for:
- Users reporting issues
- Any problematic applications
- Service accounts being migrated
Week 6: Completion
Monitor:
- Authentication patterns
- Application-specific issues
- Performance metrics
Handling Common Challenges
Challenge: Different Attribute Schemas
Old IdP sends `firstName`, new IdP sends `givenName`.
Solution: Use SecurePie's attribute transformation:
```json
{
  "attributeMapping": {
    "firstName": "givenName",
    "lastName": "sn",
    "email": "mail"
  }
}
```
Challenge: Group Name Differences
Old IdP has "Shopify-Admins", new IdP has "APP-Shopify-Admins".
Solution: Map groups in SecurePie:
```json
{
  "groupMapping": {
    "APP-Shopify-Admins": "admin",
    "APP-Shopify-Users": "user"
  }
}
```
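To show what the two mappings above do at the point of use, here is an added Python example (not SecurePie's implementation; the old-IdP group names, the required-attribute list and the function names are assumptions) that turns an assertion from either IdP into the single attribute set and role list the application sees. Two details matter for security during a parallel run: group names are matched exactly, so a lookalike such as APP-Shopify-Admins-Readonly never becomes admin, and groups with no mapping are dropped rather than passed through to the application.

```python
# Mappings from the page: application attribute name -> attribute the new IdP sends,
# and new-IdP group name -> application role.
ATTRIBUTE_MAPPING = {"firstName": "givenName", "lastName": "sn", "email": "mail"}
NEW_GROUP_MAPPING = {"APP-Shopify-Admins": "admin", "APP-Shopify-Users": "user"}

# Assumption: the old IdP sends the application's own attribute names and these groups.
OLD_GROUP_MAPPING = {"Shopify-Admins": "admin", "Shopify-Users": "user"}

# Assumption: the application cannot provision an account without these three.
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")


def _as_list(value):
    """Group attributes arrive as one string or a list depending on the IdP."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def normalize_assertion(attrs: dict, idp: str) -> dict:
    """Return {firstName, lastName, email, roles} whichever IdP issued the assertion.

    Raises ValueError when a required attribute is missing, so a misconfigured
    IdP fails the login loudly instead of creating a half-populated account.
    """
    if idp == "new":
        out = {app_name: attrs.get(idp_name) for app_name, idp_name in ATTRIBUTE_MAPPING.items()}
        group_map = NEW_GROUP_MAPPING
    elif idp == "old":
        out = {app_name: attrs.get(app_name) for app_name in ATTRIBUTE_MAPPING}
        group_map = OLD_GROUP_MAPPING
    else:
        raise ValueError(f"unknown IdP {idp!r}")

    missing = [name for name in REQUIRED_ATTRIBUTES if not out.get(name)]
    if missing:
        raise ValueError(f"assertion from {idp} IdP lacks {missing}")

    # Case-normalise the e-mail so the same person is not two accounts to the app.
    out["email"] = out["email"].strip().lower()

    # Exact-match lookup only; unmapped groups, lookalikes included, are discarded.
    groups = _as_list(attrs.get("groups"))
    out["roles"] = sorted({group_map[g] for g in groups if g in group_map})
    return out


if __name__ == "__main__":
    # Constructed sample assertions, one per IdP.
    print(normalize_assertion({"givenName": "Ada", "sn": "Lovelace", "mail": "Ada@Example.com",
                               "groups": ["APP-Shopify-Admins", "APP-Shopify-Admins-Readonly"]}, "new"))
    print(normalize_assertion({"firstName": "Ada", "lastName": "Lovelace",
                               "email": "ada@example.com", "groups": "Shopify-Users"}, "old"))
```

Run the same normalisation against recorded assertions from both IdPs for a sample of real users before moving the pilot group; any difference in the resulting roles is a mapping gap to fix, not something to discover from a support ticket.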
Challenge: User Identifier Changes
Old IdP used employee ID, new IdP uses email as NameID.
Solution:
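The solution for this challenge is not given on the page, so what follows is an added Python check, not SecurePie's procedure. It covers the step a practitioner needs before flipping any application whose stored subject identifier will change: build a crosswalk from the old NameID (employee ID) to the new one (e-mail address) and refuse to cut over while any old subject is unmatched or two old subjects collapse onto one new NameID, since either makes the application create a duplicate account or link a login to the wrong person. The same comparison covers the "test that attribute values match" item from Phase 2. The CSV exports are constructed sample data, and the check assumes the new IdP still exposes employeeId as an attribute.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, not real directory data. Assumption: the new IdP still
# carries employeeId as an attribute even though its NameID is now the mail address.
OLD_IDP_EXPORT = """employeeId,email,givenName
10001,alice@example.com,Alice
10002,Bob@Example.com,Bob
10003,carol@example.com,Carol
10004,dave@example.com,Dave
10005,dave@example.com,Dave
"""

NEW_IDP_EXPORT = """employeeId,mail,givenName
10001,alice@example.com,Alice
10002,bob@example.com,Robert
10004,dave@example.com,Dave
10005,dave@example.com,Dave
"""


def _norm_email(value: str) -> str:
    return value.strip().lower()


def build_crosswalk(old_csv: str, new_csv: str) -> dict:
    """Map old NameID (employeeId) -> new NameID (mail) and report what blocks cut-over.

    unmatched:  old subjects with no counterpart in the new IdP (they would lose access)
    collisions: one new NameID claimed by several old subjects (their accounts would merge)
    drift:      matched subjects whose checked attribute values differ between the IdPs
    """
    old_rows = {r["employeeId"]: r for r in csv.DictReader(io.StringIO(old_csv))}
    new_rows = {r["employeeId"]: r for r in csv.DictReader(io.StringIO(new_csv))}

    mapping, unmatched, drift = {}, [], []
    claimants = defaultdict(list)  # new NameID -> old NameIDs that map onto it

    for emp_id, old in old_rows.items():
        new = new_rows.get(emp_id)
        if new is None:
            unmatched.append(emp_id)
            continue
        new_nameid = _norm_email(new["mail"])
        mapping[emp_id] = new_nameid
        claimants[new_nameid].append(emp_id)
        # Compare the values the application relies on; only e-mail is case-folded.
        if _norm_email(old["email"]) != new_nameid:
            drift.append((emp_id, "email", old["email"], new["mail"]))
        if old["givenName"] != new["givenName"]:
            drift.append((emp_id, "givenName", old["givenName"], new["givenName"]))

    collisions = {nid: ids for nid, ids in claimants.items() if len(ids) > 1}
    return {"mapping": mapping, "unmatched": unmatched, "collisions": collisions, "drift": drift}


def safe_to_cut_over(report: dict) -> bool:
    """Drift is a warning to review by hand; unmatched subjects and collisions are blockers."""
    return not report["unmatched"] and not report["collisions"]


if __name__ == "__main__":
    report = build_crosswalk(OLD_IDP_EXPORT, NEW_IDP_EXPORT)
    for key in ("unmatched", "collisions", "drift"):
        print(f"{key}: {report[key]}")
    print("safe to cut over:", safe_to_cut_over(report))
```

On the sample data the check blocks cut-over twice: employee 10003 has no account in the new IdP, and 10004 and 10005 (a duplicate rehire record) would both become dave@example.com. Bob's case-only e-mail difference is accepted, but the changed given name is reported so someone confirms it is the same person before the mapping is loaded into the application.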
Challenge: Service Account Migration
Service accounts often have special configurations.
Solution:
Challenge: Compliance/Audit Requirements
Auditors need to see continuous access controls.
Solution:
Rollback Procedures
Always have a rollback plan. With SecurePie:
Immediate rollback (< 5 minutes):
That's it. Users will authenticate against the old IdP on their next login. Sessions the new IdP has already issued stay valid until they expire, so if you are rolling back for a security reason, revoke those sessions as well rather than waiting them out.
For application-specific issues:
Post-Migration Checklist
After successful migration:
- [ ] Disable old IdP in SecurePie
- [ ] Remove old IdP applications (if self-hosted)
- [ ] Cancel old IdP subscription
- [ ] Update documentation
- [ ] Archive migration records
- [ ] Conduct lessons learned session
- [ ] Update disaster recovery procedures
Conclusion
IdP migration doesn't have to be scary. With proper planning, parallel running, and gradual cutover, you can migrate thousands of users without a single authentication failure.
The key is having the right tools. SecurePie's multi-IdP support and intelligent routing make parallel migrations straightforward, giving you the safety net you need for a stress-free migration.
Planning an IdP migration? Talk to our team—we've helped hundreds of organizations make the switch smoothly.