
Choose your IAM migration strategy

This section covers two aspects of migrating to Ory: transferring user identities and rolling out IAM functionality to your applications. User identity migration involves moving user accounts, credentials, and profile data from your existing system to Ory. IAM rollout determines the sequence and timing for transitioning each application to use Ory for authentication and authorization.

These two aspects are distinct but interconnected. You might choose different identity migration strategies for different applications or rollout phases. For example, you could use bulk identity migration for your first application in a single-phase rollout, and later use graceful identity migration for subsequent phases of a multi-phased rollout. Understanding both aspects helps you design a transition plan that balances technical constraints, business priorities, and user impact. Your choice of approach should be driven by several key factors: the complexity of your system, the size of your user base, and your organization's risk tolerance and downtime constraints.

Choose your IAM system rollout strategy

Simpler systems with homogeneous user segments and a single legacy authentication system can be migrated in a single-phase IAM system rollout. However, complex systems or risk-averse organizations may benefit from a multi-phased rollout, for example phased per application or per user segment. This strategy allows you to test processes in production by first rolling out to less critical user segments or applications, learning valuable lessons to refine your approach before a broader rollout.

Single-phase rollout

A single-phase approach involves migrating user identities and rolling out applications/services in a single "go-live" event. This approach results in all users and applications/services being impacted at the same time. The single-phase rollout requires you to perform a bulk identity migration.

A single-phase rollout approach is the best choice when:

  • The number of users is low and applications or services are simple
  • Planned system downtime due to the "go-live" event isn't a problem
  • You need to retire the current solution soon

Advantages of single-phase rollout

  • Faster time to value: All users gain access to the new system immediately rather than waiting months or years for their turn.
  • Simplifies planning: You only need to plan, execute, and close out one major deployment rather than coordinating multiple phases with interdependencies, handoffs, and varying timelines.
  • Lower total cost: Running one migration event typically costs less than maintaining parallel systems, conducting multiple training sessions, and supporting both old and new systems across an extended timeline.
  • Eliminates integration complexity: You avoid the technical challenges and data synchronization issues that arise when different user groups operate on different systems that need to communicate with each other.

Drawbacks of single-phase rollout

  • Higher risk concentration: If something goes wrong during deployment, it impacts your entire organization simultaneously rather than being contained to a smaller group, potentially causing widespread business disruption.
  • Support burden: Your support team must handle issues from all users at once, which can lead to long resolution times, frustrated users, and inability to provide quality assistance when everyone needs help simultaneously.
  • Limited learning opportunity: You can't incorporate lessons learned from early adopters because there are none. Any design flaws, training gaps, or technical issues only become apparent after the cutover, when it's too late to adjust your approach.
  • Difficult rollback: Reverting to the old system after a full cutover can be complex and potentially impossible if you've already decommissioned infrastructure or migrated data irreversibly.

Choose your user identity migration strategy

Ory supports two primary identity migration strategies:

  • Bulk identity migration - Migrate all users at once.
  • Graceful identity migration - Migrate when a user authenticates, running old and new solutions in parallel.

By understanding these methods and planning accordingly, you can ensure a smooth and secure transition for your users to Ory Network.

Bulk identity migration

In a bulk identity migration, also known as big-bang or offline migration, all user data is migrated at once. The identity migration must happen in close coordination with the overall rollout. This creates a single "go-live" event, where all users included in the bulk identity migration start using the new system simultaneously.

When to use bulk identity migration

A bulk identity migration can involve some risk and downtime, but it is recommended when:

  • The number of users is low and applications or services are simple
  • Planned system downtime due to the "go-live" event isn't a problem
  • You need to retire the current solution soon
  • Your legacy IAM vendor restricts your ability to use a graceful identity migration strategy

Advantages of bulk identity migration

  • Simplifies planning: Since there is only one "go-live", the identity migration process is easier to manage and plan.
  • Reduces transition time: The identity migration process happens in one go, reducing the transition time.
  • Less complexity: There is no need to run two systems in parallel and you can retire the previous solution immediately after testing and validating the migration.

Drawbacks of bulk identity migration
  • High risk: If any issues occur during the cutover, the impact can be significant, affecting all users. Rollback is difficult: any changes made after the cutover (password changes, new registrations, profile updates) exist only in Ory and must be reconciled with the legacy system if you revert, so keep the legacy system intact until the migration is validated.
  • Downtime: This approach may require planned system downtime to ensure data consistency, which can disrupt users.
  • Increased preparation: Requires extensive planning and testing to mitigate risks, making it more resource-intensive during that phase.
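The following script, added here as an illustration and not taken from Ory's own code or documentation, models the two identity migration strategies described on this page (the bulk versus graceful overview above, and the bulk section just read) against a constructed legacy user table. Accounts whose password hashes are in a format Ory can import are planned as batch bodies for a bulk migration; accounts in a proprietary legacy hash format, which is the "vendor restricts your ability" case, are deferred and migrated gracefully on their next successful legacy login, with only the verified plaintext password handed to Ory so it can hash it itself. The Ory admin API is replaced by an in-memory stand-in so the script runs offline; the request body shapes follow Ory's identity import format, while the list of importable hash prefixes, the `legacy$...` scheme and the batch size are assumptions to check against the Ory docs for your version.

```python
# Added example, not Ory's own code. Models bulk and graceful identity
# migration against a constructed legacy user table. The Ory admin API is
# replaced by an in-memory stand-in so this runs offline; the payload shapes
# follow Ory's identity import format, but verify the importable hash
# prefixes (assumption) against the Ory documentation for your version.
import hashlib
import secrets

# Hash prefixes Ory can ingest as `hashed_password` (assumption: check docs).
IMPORTABLE_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2id$", "$argon2i$",
                       "$pbkdf2-sha256$", "$scrypt$")


def legacy_hash(password, salt=None):
    """Constructed proprietary legacy scheme that Ory cannot import."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"legacy${salt}${digest}"


def legacy_verify(stored, password):
    """Verify a password against the constructed legacy scheme only."""
    if not stored.startswith("legacy$"):
        return False
    _, salt, _ = stored.split("$")
    return secrets.compare_digest(stored, legacy_hash(password, salt))


# Constructed legacy export: one importable bcrypt hash, one proprietary hash.
LEGACY_USERS = {
    "alice@example.com": {"name": "Alice", "hash": "$2a$12$" + "a" * 53},
    "bob@example.com": {"name": "Bob", "hash": legacy_hash("correct horse")},
}


def importable(hash_str):
    return hash_str.startswith(IMPORTABLE_PREFIXES)


def identity_payload(email, rec, schema_id="default", plaintext=None):
    """Body for POST /admin/identities: either pass the existing hash through
    or hand Ory a verified plaintext password to hash with its own settings."""
    body = {"schema_id": schema_id,
            "traits": {"email": email, "name": rec["name"]}}
    if plaintext is not None:
        body["credentials"] = {"password": {"config": {"password": plaintext}}}
    elif importable(rec["hash"]):
        body["credentials"] = {"password": {"config": {"hashed_password": rec["hash"]}}}
    else:
        raise ValueError(f"{email}: hash format not importable")
    return body


def plan_bulk(users, batch_size=100):
    """Chunk importable users into PATCH /admin/identities batch bodies and
    return the rest as a deferred set for graceful migration."""
    items, deferred = [], {}
    for email, rec in users.items():
        if importable(rec["hash"]):
            items.append({"create": identity_payload(email, rec)})
        else:
            deferred[email] = rec
    batches = [{"identities": items[i:i + batch_size]}
               for i in range(0, len(items), batch_size)]
    return batches, deferred


class OryStandIn:
    """In-memory stand-in for the Ory admin API (assumption, not a client)."""
    def __init__(self):
        self.identities = {}

    def create(self, body):
        self.identities[body["traits"]["email"]] = body

    def batch(self, body):
        for item in body["identities"]:
            self.create(item["create"])


class GracefulMigrator:
    """Migrate-on-login while the legacy store and Ory run in parallel."""
    def __init__(self, ory, legacy):
        self.ory, self.legacy = ory, legacy

    def login(self, email, password):
        if email in self.ory.identities:
            return "ory"        # already migrated; Ory authenticates directly
        rec = self.legacy.get(email)
        if rec is None or not legacy_verify(rec["hash"], password):
            return "denied"     # never import on a failed legacy login
        self.ory.create(identity_payload(email, rec, plaintext=password))
        self.legacy.pop(email)  # retire the legacy record once it is in Ory
        return "migrated"


def run_demo():
    """Bulk-import what can be imported, then migrate the rest on login."""
    ory = OryStandIn()
    batches, deferred = plan_bulk(dict(LEGACY_USERS), batch_size=1)
    for body in batches:
        ory.batch(body)
    gm = GracefulMigrator(ory, deferred)
    return {
        "bulk_imported": sorted(ory.identities),
        "deferred": sorted(deferred),
        "bob_wrong": gm.login("bob@example.com", "wrong"),
        "bob_first": gm.login("bob@example.com", "correct horse"),
        "bob_second": gm.login("bob@example.com", "correct horse"),
        "unknown": gm.login("eve@example.com", "x"),
        "legacy_left": sorted(deferred),
    }
```

Two design points matter in practice. Deferred accounts are deliberately not created in Ory during the bulk step: if they were created without credentials, the graceful path would see them as "already migrated" and their passwords would never be carried over. And the graceful path imports only after a successful legacy verification, so a wrong password at an unmigrated account is rejected rather than silently creating an Ory identity.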