App & Identity Migration

Is your version of SiteMinder reaching its end of service (EOS)? What are your options? 

Tunnel with light at the end photo | Strata.io

Change is the only constant in life. Even software that’s decades old goes through inevitable change. For instance, in a customer service announcement, the SiteMinder team at Symantec (Broadcom) announced December 21, 2023, as the end of service (EOS) date for SiteMinder 12.8.04. This affects many customers that run this version.

Most legacy software goes through a similar lifecycle. Many companies using legacy software use these transition periods as an opportunity to ‘move and improve’ their identity infrastructure by upgrading to cloud identity delivered as SaaS. 

Some will consider staying on-premises and deploying another version of legacy identity software, but at what cost? The other direction would be to look for a way to migrate off legacy identity software, but that’s typically been a huge lift and cost in both time and effort. 

A year, or even two, isn’t much time to make a big decision like this and then execute either a migration project or an upgrade if you are heavily entrenched in legacy identity software. What are some options for those in this situation? 


How to plan for a transition from a legacy, on-premises IDP to cloud identity

Modernizing apps to work with an IDP — specifically, how an app consumes the user session — is a big challenge for all organizations. Older architectures, especially deployed pre-SAML, rely on cookie-based sessions whereas modern IDPs use SAML or OIDC. 

Refactoring a cookie-based app to use standards-based sessions usually requires six months of effort at a typical cost of $150,000. When you have hundreds of apps, this adds up quickly. So,100 apps can easily cost $15,000,000 in refactoring costs. Most shops would prefer to spend $15 million on innovation rather than paying off technical debt.

Budget aside for a moment, you may run out of time before your version of legacy identity reaches the end of the line. Doing the simple math, 100 applications X six months/app = 50 years of manual effort.

 

Now there's a migration recipe to move from SiteMinder to Azure AD.


Does a legacy identity platform support your modern requirements?

Even if everything is working fine today, as your business evolves and you want to add new apps and services, like modern MFA technology, they may not be supported after the EOS. 

It’s a bit like maintaining an older vehicle. You’re on your own to find replacement parts because the manufacturer won’t be making new ones. Unlike a car, there’s much more at stake by staying on a deprecated access management platform. 

While legacy identity software might continue to release new service packs, there are a few key things to remember. For one, legacy identity may no longer meet the needs of your modern hybrid organization, even with new service pack updates. Consider whether new updates will simply have a financial burden that locks you into a system that no longer delivers the same value it once did.


Is upgrading worth the cost and time?

Moving from one legacy identity service pack to the next isn’t like a laptop or mobile device system update. Upgrading is a major multi-month endeavor that will cost hundreds of thousands of dollars. 

And while legacy customers may continue to receive new service pack updates, you are still investing in maintaining and upgrading an older technology that can’t do what today’s cloud IDPs can. 

Your identity modernization goals may inevitably be hindered because legacy, on-premises IDPs can’t support modern identity technologies. Legacy IDPs were built before the cloud, so they don’t even speak the same language. 


What’s involved in upgrading legacy identity system service packs?

If you’re currently on an early version of a legacy identity system, you may have to make a couple of updates to get up to the current service pack. But even if you only need to make one upgrade, you have your work cut out for you. 

Plan for a large-scale project to apply a service pack because legacy identity infrastructure is complex and monolithic. Countless different pieces and components are existing in an environment. And that means you’re looking at an enormous amount of time and resources to make that upgrade happen.

Why is upgrading a legacy, tier-one identity service complex?

Identity infrastructure is what most organizations would consider a tier-one service. There’s no alternative; it’s a critical service. Because of that, you need to treat a tier-one service with kid gloves and go through a very stringent, long, and incremental process in a development environment when upgrading your IAM systems

First, you’ll have to go through and upgrade the dev environment and run through a series of tests. Did that break anything? If you have customized apps and code in your legacy IDP, you must check if the changes broke anything. It’s typically a months-long effort just to apply the service pack. 

So you’re looking at an installation upgrade process and a full testing process multiple times over. Then there will be a maintenance window when you let the user community know that they won’t be able to log into the site between certain hours on a certain day. By that time, you’ve tested everything ten times over. That’s finally when your team behind the scenes is actually applying the updates in production. 

Imagine the kind of time and cost that it requires to go through the upgrade process once. Then this same thing has to be done every time there’s an upgrade. You can invest millions and race against the clock just to keep your legacy identity system on life support for another year or so, or you can start looking at alternatives.

An alternative at your legacy identity’s end of service (EOS) 

Thankfully, you have options that let you gracefully migrate away from legacy identity — and you can do it quickly, easily, and much more affordably than a legacy upgrade. Get off of legacy before the end-of-service date arrives without sacrificing your identity management. 

Strata’s Maverics platform uses Identity Orchestration to move applications off of legacy identity platforms without rewriting any apps. Identity Orchestration lets you run legacy identity simultaneously with cloud identity before you retire it for a seamless coexistence while you need both. 

Then, after (or ideally well before) the EOS date, you can retire your legacy system without fuss — and you can continually adopt the latest identity technologies as they evolve. 

Give your company something to further the business and modernize your users’ experience. Make your organization more agile than ever without the cost. 

Connect with an Identity Orchestration expert

Broadcom, Symantec, and SiteMinder are among the trademarksÔ or registeredÒ trademarks of Broadcom Inc., and/or its subsidiaries. Other names may be trademarks or registered trademarks of their respective owners.

Steve Lay

Senior Sales Engineer