Adnovum Blog

Replacing SAP IdM: «The Most Important Aspect Is to Start Early»

Written by Carmen Kirchdorfer | Feb 12, 2025 7:17:32 AM

The repercussions caused by the SAP IdM end of life should not be underestimated. Adnovum’s Senior IAM Engineer Axel Schild has already provided us with a deep dive into the numerous challenges arising from the discontinuation of the widespread SAP solution. Today, he returns with his colleague, Expert IAM Engineer Pascal Blöchlinger, to provide a concise overview of the issue and address some of the most burning questions on the minds of affected companies and organizations.

For a short recap, what exactly is SAP IdM?  

Axel: SAP IdM is the identity management solution for the SAP ecosystem. It is used to manage the joiner-mover-leaver life cycle of users: creating their electronic identities when they join an organization, assigning and revoking access rights depending on their roles, and deactivating their accounts when they leave. Thus, it is an important tool for identity and access management, as well as for compliance. However, it is focused specifically on SAP applications, although it is sometimes used to manage other applications as well. 

Pascal: Many companies and organizations across various business sectors are currently using SAP IdM, especially if they strongly rely on SAP products.

What is currently happening with SAP IdM?

Axel: SAP has announced that they will stop developing SAP IdM: Regular maintenance will end in 2027, with the option of extending support until 2030 for an additional fee.

Pascal: All companies that use SAP IdM will need to find a suitable replacement by then. Without regular updates, bugs and vulnerabilities will no longer be fixed. Using SAP IdM without support therefore is a risk and likely a compliance issue.

But 2027 is still a long time away – why worry about this now?

Pascal: Finding and implementing a replacement for SAP IdM can take a considerable amount of time. Getting it right is a key to efficient and safe data handling across the whole organization.

Axel: Identity Administration and Governance, or IGA, is a topic that is becoming more and more important everywhere. SAP IdM’s end of life is a chance to implement a coherent IGA solution that fulfills current and future requirements, not only for SAP products but for all applications in an organization. And with «future requirements», we are easily talking about the year 2035 or even beyond, where the IGA solution can still be operational. Thus, a good IGA solution can bring long-lasting benefits, while a bad IGA solution can be a constant obstacle.

Pascal: That’s why the project of replacing SAP IdM is an important one that goes beyond SAP products alone and will take time. You need to start with a vision: How will the organization develop, how will your application landscape change, and what IGA capabilities will it need in the future? 

Axel: Once you have answered the question of «What?», you have to answer the question of «How?». This question has technological aspects, but also organizational and process factors that need to be considered: Is the current role model suitable? How can we ensure that all users have only the access rights that they need? What can be automated? How can data be shared within the organization and with partners? How much SAP will we actually use in the future? Then suitable IGA products need to be found, evaluated, and implemented.

Pascal: All these steps will take time: Depending on the size and complexity of an organization, defining or updating the vision and finding a strategy can easily take a year, with the planning and tool selection taking a few months more. The implementation takes half a year to a year, and further fine-tuning will be needed. With all that, it can already be challenging now to successfully integrate a successor to SAP IdM by the end of 2027.

Axel: So, talking about the SAP IdM replacement immediately is exactly what you should be doing!

Are there any challenges you should be aware of during this early phase?

Pascal: You must think far into the future. Whatever replacement you choose now will likely be running for a while – it is not just about how your business has evolved until now, but also about how it will evolve in the next 5 or 10 years. You have to anticipate now what you may need in 2040 in terms of IGA functionality.

Axel: Also, you must be aware that the project affects all parts of an organization. Hence, it has many stakeholders. Taking their views into account is cumbersome but will be the foundation of an IGA solution that works.

How do you choose the correct replacement?

Axel: You can only choose the right replacement if you have determined the capabilities that you will need. Based on those capabilities, you can find the requirements of a solution, compare different offerings, and evaluate products and vendors.

Factors that will play into this decision are the complexity of your setup, the implementation speed, existing components, migration costs, operational costs, vendor support, and the trade-off between customization effort and efficiency gains due to automation. If you already have an IGA solution running in parallel to SAP IdM, you should also evaluate its feasibility as a replacement for SAP IdM as well as its capabilities for meeting your future needs.

There are various alternatives to consider, but the most prominent one at the moment seems to be Entra ID – why is that?

Pascal: SAP itself has been promoting Entra ID as a potential replacement for SAP IdM. One advantage of Entra ID is that many companies already have a license: If you have Office 365 licenses, Entra ID is already included. Additionally, it’s one of the most sophisticated cloud-based solutions for authentication and it will be developed further. However, there are also limitations: It may not have all the capabilities you desire, especially regarding the life cycle management of identities, and it may make you more dependent on Microsoft.

Axel: There are many other IGA products on the market that all have different advantages and disadvantages. Knowing which product or combination of products is right for you very much depends on the individual situation of your organization. A simple «take Entra ID!» recommendation can certainly not be given.

Pascal: It is also important to note that access management in SAP is relatively complex. IGA products support this to various extents: Some products have a dedicated SAP connector with much included functionality, while others have only little out-of-the-box support for SAP.

How does the migration process take place?

Pascal: Ideally, it starts with a pilot phase. During this phase, the new solution is only implemented for certain processes and groups. Then gradually more and more use cases, groups, and applications are integrated into the new solution. The old system should run in parallel until the transition is complete, to be there as a fallback. It is central to the migration to always avoid operational disruptions, as these can be very costly.

Axel: It’s important to validate if your chosen solution works as desired. It is therefore a good idea to start a migration with the most important use cases, so that those can be validated first, without finding a block after having invested unnecessary time and costs. Alternatively, simple use cases can be migrated first with more complex use cases coming later, but this is a bit riskier.

Pascal: No matter what approach you choose, the feedback from the pilot phase helps determine what processes or dependencies have been overlooked.

What other risks come with the migration?

Axel: Operational disruptions can happen when the migration is not planned well and applications become inaccessible due to missing access rights. And there is always a financial risk: On the one hand, the amount of external and especially also internal work is easily underestimated, because it is not just a replacement of one tool with another – processes and organizational structures will likely also have to change to fully benefit from the new IGA solution. On the other hand, a bargain offer from a vendor can lead to follow-up costs if the functionality of the product or the integration service itself is insufficient.

Pascal: It is vital to get the right advice from your internal experts and, if needed, from external consultants, and to select an experienced integrator who has a proven record of putting the needs of their clients first.

What chances and opportunities come with a new solution?

Pascal: A well-designed IGA solution with the right implementation project, one that takes technological and process aspects into account, has many potential benefits for security and efficiency. It will lead to a higher degree of automatization, standardization, and maintainability, and allow you to implement current best practices in data security.

Axel: A big opportunity of such a project is the reassessment of the current IGA processes, as in finding the pain points and eliminating them. IGA is often seen as a burden, but a good solution can be an enabler that allows data protection, data sharing, and seamless teamwork inside an organization and with external partners. Automation and self-services reduce the busywork on some teams, allowing them to focus on bringing value.

What is your main advice to companies tackling this problem?

Axel: I think the most important aspect is to start early. The whole process will cost a lot of time, energy, and resources. The earlier you start, the more options you have, the less stressful it will be, and the better the solution can become.

Pascal: Think long-term and think beyond SAP. Your next IGA solution will be running for a long time and should not be an obstacle, but a helper to optimally manage your whole application landscape, SAP and non-SAP, on-premises or cloud, or whatever you need.