SAP IDM End of Life: Renewing the Central Power Plant of Your SAP City

For companies and organizations all over the world, SAP software products are the digital foundation of their business operations and customer relations. But a major pillar in protecting sensitive data within these processes, SAP Identity Management, is approaching the end of its life cycle. Join us for a thorough look at what this means for you and how you can prepare for SAP IDM end of life.

The critical processes in your organization handle data that needs to be protected: Only authorized people may access sensitive or confidential information. An appropriate solution is required to achieve identity governance and administration (IGA) – a concept that, for the purpose of this post, covers all technological aspects, organizational measures, and processes needed to handle digital identities securely (and includes all aspects of identity and access management, IAM).

One cornerstone of IGA for SAP products is SAP Identity Management (SAP IDM). Since its introduction as SAP NetWeaver Identity Management in 2007, SAP IDM has automated the provisioning of users, realized role-based access control, and provided audit trails and reporting functions within the SAP ecosystem. In this way, SAP IDM has helped ensure data security and compliance with laws and regulations.

However, maintenance for SAP IDM will end in December 2027, with the option of buying extended maintenance service until the end of 2030. Using it after that point would be highly risky due to the lack of security patches and support, hence it needs a replacement. Also, the importance of IGA has grown massively since 2007, as growing requirements for data security have led to increased complexity in managing digital identities and their access rights. Nowadays, IGA is an area of tension between security, efficiency, and usability, and replacing SAP IDM with a solution that meets today's and tomorrow's demands is a formidable challenge.

SAP IDM end of life: the lights are about to go out

Replacing SAP IDM can be thought of like replacing the central power plant of a city – the replacement will be in operation for several years and the whole functioning of the city depends on it. The change therefore needs thorough planning, appropriate consideration of current and future needs, and enough time for realization. And much can go wrong:

Visual representation of the following aspects: data breaches, operational disruptions, and overlooked requirements.

  • SAP IDM is a key tool for security and compliance. Mistakes in the replacement phase can lead to such security issues as wrongly assigned access rights, violations of regulations, and data breaches by, for example, exposing sensitive personal data to unauthorized individuals.
  • Since SAP IDM is essential for managing access to SAP software, migrating to a new solution can result in a variety of operational disruptions. These may include failures while starting software components, login issues, or users not being able to access certain services, which can all affect business processes and productivity. Manual intervention may be necessary but is risky, as it can cause unintended side effects. Additionally, such intervention should often only be temporary but may be forgotten over time, potentially leading to long-term operational issues. Legacy components pose an additional risk for disruptions if their identity provisioning and access control needs are not taken into account appropriately.
  • In general, the integration of a new IGA solution with existing SAP systems and business processes is a large undertaking. Underestimating the amount of planning or failing to involve all necessary stakeholders can lead to drastic delays or even the failure of the whole project if central requirements are overlooked.

How to power the future

The opportunities

The end of SAP IDM presents both a challenge and an opportunity. Legal requirements for data protection have grown in recent years and security threats have evolved. IGA has become more complex and critical, involving a large number of identities. Even small mistakes, for example, while handling privileged access rights, can lead to data security breaches. The consequences of such incidents can be drastic in terms of both immediate financial losses and a loss of customer trust.

With good planning, however, organizations can develop an IGA solution that optimally combines security needs with efficiency and usability, thus supporting development and possibly even turning the predicament into a competitive edge. Some benefits of state-of-the-art solutions are: 

Visual representation of the items described below: Adoption of best practices, better integration, AI enhancements, regulatory compliance.

  • Current best practices for identity governance can be adopted, such as a combination of role-, attribute- and policy-based access control for efficient permission management, regular access reviews, enforcing least privilege, and using automation to manage identity life cycles. This can make IGA much simpler in practice while also lowering the risks of data security incidents, as less complexity leads to fewer mistakes.
  • With the right toolset and design, SAP software can be better integrated in the whole IGA of an organization, thus streamlining IGA processes and freeing capacities for other tasks.
  • Emerging trends like AI-driven IGA can be considered, their value can be assessed, and they can be implemented with less resistance from the technical setup.
  • Changes in regulatory environments in recent years can be accounted for from the start, with automated auditing, compliance reporting, and alerts for unusual activity. This makes the whole setup simpler to manage and to use.

Planning steps to take

Planning for a new IGA solution of SAP and SAP-related components involves multiple steps:

  • Start planning early enough, as the issue is urgent, takes time, and is too critical to be rushed. Decisions regarding IGA can have positive or negative consequences for years and throughout the organization, thus they should not be made under too much time pressure. Avoid last-minute issues as much as possible. Also consider that at some point there will likely be a shortage of external consulting and integration support. A realistic roadmap for the transition should be drafted as soon as possible.
  • The project is also political, because many stakeholder groups in the organization will be affected by the change. Thus, it is vital to include them appropriately.
  • Reassess the business requirements, in particular the current and future identity management needs regarding security, privacy, cloud migration trends, future business models, and more.
  • Discuss the recommendations of SAP regarding such solutions as integration with Entra ID and using SAP Cloud Identity Services. Compare the features and benefits of the recommendations from SAP with the integration of another IGA solution that supports SAP and non-SAP software. Many established vendors (e.g., One Identity, ForgeRock, Okta) offer such products with very different sets of functionalities.
  • Consider the movement to cloud-based systems, both with SAP products and with IGA solutions.
  • Be aware that the replacement of SAP IDM is not just a change of software product. Establishing a new and improved solution for IGA is a question of technology, the right organizational measures, and processes. Focusing only on the technology may severely handicap the integration project, as well as the final solution.

The amount of time required for planning, evaluation, and implementation depends on the starting point of your organization. Do you already have a clear strategy for the development of the IGA solution? Are your IGA solution needs comparably simple? Do you already have well-established IGA processes?

If your answer to all three is «yes», the whole transition can largely be achieved within one year. If you have complex IGA needs and still lack an IGA strategy (or maybe even lack awareness of its importance), or if a structured IGA is still in its infancy and organization-wide changes may be needed, replacing SAP IDM can easily take two years or more.

A timeline comparing two transition scenarios: the first, with the outset "low complexity and well prepared", involves the steps IAM strategy update, evaluate solutions, and implement a solution, and takes about a year. The second, "high complexity and little preparation", involves the steps IAM strategy development, evaluate solutions, and implement a solution, and can take up to 2 years or more.

Choosing a solution that fits

While SAP gives suggestions on how to replace SAP IDM, every organization has its own setup and special requirements. For some, relying on Microsoft Entra and the SAP identity cloud services may be the way to go, while others may profit massively by establishing a central and feature-rich solution for their whole IGA. There is a long list of questions to consider, for example:

  • How well does a solution meet such modern security standards as multi-factor authentication, zero trust, conditional access, and role-based access control?
  • How easy and seamless is integration with SAP products such as SAP ERP or S/4HANA, as well as with other business-critical applications?
  • Is the solution future-proof, i.e., does it support the strategy of the organization, can it scale with business growth and adapt to emerging technologies such as IoT and AI?
  • What is the total cost of ownership, including licenses, implementation, and long-term support, and how much can be gained from automating and streamlining IGA processes?
  • How is the user experience for both end users and administrators? Intuitive interfaces and strong reporting and analytics features ease the transition and are a non-negligible but often underestimated factor in the adoption, and hence in realizing security and efficiency gains.
  • What vendor and integrator support can be provided?
  • Who will be responsible for the technical operations?

The switch

Once the IGA solution for SAP products has been designed, the time to integrate and switch to the new solution has come. Ideally, this involves the following steps: 

A timeline encompassing the following steps from start to finish: initial clean-up, pilot project, successive migration, training, transfer to operations.

  • An initial clean-up of identity and access data can streamline the migration. Although such a clean-up can be time-intensive, it will reduce effort during and after the migration.
  • Ideally, a pilot project can test the new solution in a non-critical environment, thereby identifying potential issues and ensuring that integrations work as expected.
  • The new system should be set up in parallel to the old system, and systems together with data should be migrated successively.
  • Administrators and users need to be trained on the new system in a timely manner. At this point, having selected an intuitive and user-friendly solution will pay off for the first time (and will continuously pay off during its usage).
  • The transfer from setup to operations needs to be prepared with suitable documentation material and an appropriate team.

Next steps

So, what should you do now that you can see that the power plant of your SAP city is about to fail?

Early planning is key to minimizing disruptions and realizing a solution that fits the organization for the next 10 or more years. It is time to talk to your internal experts or to engage with consultants and system integrators that specialize in IGA solutions and can guide the replacement process. Use them to help you work out a future-ready strategy for your digital identities in SAP systems and beyond, and then to execute this strategy. And, most importantly, see the transition not just as a necessity, but as an opportunity to modernize your identity management and make it an enabler for your digital transformation goals.

How Adnovum can support

Adnovum has a proven track record in working with all aspects of digital identities and IGA. Our portfolio includes strategy consulting for digital identity solutions, support during architecture and project planning, integration of and migration to new IGA solutions, as well as the operation and continuous improvement of the solutions.

A circular diagram displaying the cycle of transitioning to a new IAM solution regarding technology, processes, and organization. This includes in the consulting phase vision, strategy, and initialization, in the realization phase implementation, operations, and continuous improvement.

The basis of our consulting is our holistic view with which we take technology, organizational aspects, and processes related to digital identities into account. This lets us provide our clients with a tailored setup that brings the right mix of security, efficiency, and usability to maximize business value.

Get in touch with our experts to learn how we can support you with replacing SAP IDM.

Published November 27, 2024
