SAP’s Identity Management will no longer be maintained from January 2028. If you are still using it, you should start planning a migration now.
The end of SAP Identity Management, what now?
SAP Identity Management (IdM) is SAP’s solution for managing users’ access rights. This tool will no longer be maintained from January 2028, and customers using it should start defining a well-structured plan to migrate smoothly to another IAM solution.
What is happening?
SAP has recently announced that its solution for managing users’ access rights, SAP Identity Management (IdM), will no longer be maintained from 1 January 2028, although it offers to extend support until 2030 as a one-time contract.
If your company’s IT admins are using IdM to provide and manage access to your applications, you should consider acting promptly rather than delaying. Budgeting, finding resources, choosing a new solution and defining an approach to perform the migration are delicate processes that require time, knowledge and experience to be properly handled.
How does this impact your company?
Even though there are almost four years before the official end of maintenance, it is crucial to define an action plan and be prepared. From our experience, Identity and Access Management (IAM) replacement projects take 24-36 months to complete, or at least to get to a go-live stage, and will affect your entire organization. IAM solutions are closely interconnected with the applications and processes used by your company, so an in-depth study and planning of the integrations is essential to avoid disrupting operations during and after the migration.
Due to its critical nature, it's important to get the IAM migration right from the start, carefully considering all relevant aspects and stakeholder requirements, and analyzing the options in the IAM market based on current and strategic needs.
Identities are the primary means of accessing resources and, in today's distributed world where the distinction between internal and external networks is blurring, they represent some of the most valuable assets of your company. Relying on an old and unpatched solution to secure such critical items would likely increase the risk of security incidents in the future, so it is highly recommended that you take action sooner rather than later.
The SAP IdM replacement will be an opportunity for your company to understand its Identity and Access Management needs and to align them to the identity-centric security approach that is currently required.
To start such a project, the business and application requirements must be clarified by the stakeholders of each function. This makes it possible not only to select the tool that most closely meets those needs, but also to perform a general cleanup of the system, determining which identities are needed (e.g. there might be active accounts associated with people who left the company years prior) and which privileges should be granted to each user. Such a cleanup would probably bring financial benefits for your company too, giving you a clear view of the number of accounts, and therefore licenses, needed.
On top of that, migrating to a new IAM solution could open the door to new opportunities, such as native connectivity to new applications (e.g. cloud applications), new functionalities (e.g. out-of-the-box multifactor authentication, access procedures based on location) and strict management of privileged accounts (e.g. administrator accounts).
What comes next?
Given the complexity of IAM migration projects described above, your company should define a well-structured plan in which:
- the right stakeholders are defined and involved, which makes it easier to define requirements and may even allow connecting to new applications, e.g. the new IAM software may provide connectors that IdM did not offer or that were difficult to implement;
- budget is approved, planned for multiple fiscal years and allocated as such, and long-term licensing costs are factored in;
- a new IAM software is selected. Multiple proofs of concept should be conducted with potential candidates to cover the scenarios that are specific to your company. This will allow you to determine which one best suits your needs;
- the migration is done in a phased approach, starting with a non-business-critical application and progressing to the most critical applications. The coexistence of SAP IdM and the new IAM tool should also be studied and applied, so as to provide continuous service and avoid data loss.
Such an undertaking might feel daunting, but with the right expertise and support on your side, it could turn into a great opportunity to improve your organization’s security posture and your employees’ user experience.
Flavio Scarpis
Expert, Cyber Security
KPMG Switzerland