Are you ready for the sun to go down on SAP IdM?
As of January 2028, SAP Identity Management (IdM), which is used for managing user access rights, will no longer be maintained. This means now is the time to start considering transition plans towards an alternative Identity Governance and Administration (IGA) solution.
Although SAP have offered general guidance on planning your transition, their recommended solutions may not align with your specific business strategy or requirements. Below we explore the current state of play around IdM sunsetting and outline the steps you should take to prepare for the transition.
Don’t forget to check this blog regularly for the latest news and updates around IdM sunsetting.
What we know, as of September 2024
SAP's primary recommendation at this point is to replace IdM with Microsoft Entra ID, which is capable of managing all authentication tasks, and (according to SAP) can also handle provisioning. However, Entra ID's capabilities are more limited than those of other enterprise Identity Governance and Administration (IGA) solutions. For example, it currently lacks full identity governance and direct administration capabilities for most SAP applications. As a result, additional solutions, such as GRC tools, will be required to ensure comprehensive coverage.
As one of our clients recently stated, "I'm sceptical that Microsoft Entra can really do what SAP IdM can. Maybe it can cover 20-30% of what IdM can do, so it might not be the best fit for us." Indeed, it might not be the best fit for most organisations, particularly complex, matrixed ones.
Ending up with multiple tools to take care of IGA duties introduces unnecessary cost, inefficiency, and management complexity. For those reasons, Turnkey recommends adopting an all-encompassing enterprise IGA solution like SailPoint instead.
Key transition considerations
Timing
Think of this transition as planning a cross-country road trip. You wouldn't start your journey without a map, sufficient fuel, and a well-maintained and suitable vehicle. Similarly, you need to prepare your organisation for this long journey away from SAP IdM with careful planning, adequate resources, and an all-encompassing new solution.
Allocating budget and resources, selecting a new solution, and planning out the migration are complex tasks that need time and care to be done properly, especially as they affect many critical business processes and applications, and there may be significant disruption to account for along the way.
Based on our experience, replacing an IGA solution can take up to three years. With the IdM sunset just over three years away at the time of writing, it's crucial to initiate the process as soon as possible.
On-premise vs cloud solutions
You should also consider how the change factors into the wider move towards cloud-first services. SAP has an equivalent solution in the cloud called Cloud Identity Services, but it only looks after the SAP estate and does not extend to other applications. This means organisations moving to this solution will also need to invest in additional IGA solutions to cover the rest of their applications. This is where cloud-based enterprise IGA comes into play, as it can cover all applications, not just those in SAP.
Wider business strategy
As with any major change, the move away from IdM must consider the organisation as a whole. Many businesses are under pressure to cut operational costs, strip out duplication, constantly improve their security posture, enhance user experiences, and maintain good governance. All these demands emphasise the need to make your transition one that serves the whole organisation and all the applications within it. Instead of swapping like-for-like and deploying a light IGA solution such as Entra ID, a comprehensive enterprise IGA deployment represents a strategic opportunity to integrate and consolidate.
Operational Improvement
The adoption of an alternative IGA solution also provides opportunities to make improvements that benefit the whole business. These can include better alignment with current security practices, better alignment with workforce and stakeholder requirements, and the ability to centralise and integrate access management better than ever before. There are also possibilities to enhance security posture by reducing the risk of over-provisioning access; saving costs and reputation by preventing data breaches and optimising licensing; and bolstering end-user experiences for greater employee and customer satisfaction.
Adopting one solution for a 360-degree view of identity
Picture your organisation's Identity Governance and Administration as a complex puzzle. Right now, different pieces are scattered across various systems. An enterprise IGA solution acts like a master puzzle board, bringing all these pieces together to form a complete, cohesive picture of your organisation's identity landscape. By seamlessly integrating applications across the entire organisation, an enterprise IGA solution delivers that 360-degree view of identity and the foundation for a more secure, efficient, and integrated future.
As with any major solution migration, there will be questions, considerations, and challenges along the way. Turnkey is here to support you. With 20 years of experience with successful SAP projects and 15 years delivering Identity and Access Management deployments, we are uniquely positioned to help you navigate the intersection of IGA and SAP.
Get more in-depth expertise on preparing for your IGA migration by registering for our upcoming webinar here.
Recommended reading: Don’t miss "From SAP IdM to enterprise IGA: How to bridge team silos and maximise benefits", in which we dive into the challenges of migrating to an enterprise IGA solution and provide practical strategies for overcoming them. In particular, you’ll discover how to foster collaboration between SAP and Identity teams and ensure a smooth transition that benefits your entire organisation.