SAP recently announced the end-of-life of its SAP Identity Management solution in 2027, with an extended maintenance period until 2030. As it is already 2024, this leaves three to at most six years for migrating from SAP Identity Management to another solution. Three years, if you want to avoid the extended maintenance period and its associated cost (even though the premium is only slightly above the regular maintenance fee), is not long enough for the transition of an IGA (Identity Governance & Administration) solution. In other words: it is time to start planning.
IAM solutions provided by SAP and the SAP solution approach
SAP recently proposed a solution approach based on SAP Cloud Identity Services. This article has frequently been misinterpreted as saying “SAP endorses a combined solution based on SAP Cloud Identity Services and Microsoft Entra ID”. In fact, it says that SAP will continue its investment in both SAP Cloud Identity Services and SAP Cloud Identity Access Governance (Cloud IAG) and “that these enhancements are designed to facilitate integration with other partner identity management solutions, like Microsoft Entra ID, that provide a comprehensive approach to enterprise-wide identity and access scenarios.”
SAP unveils its strategy for its own IAM-related solutions as well as its focus on a flexible integration strategy for scenarios that require IAM capabilities beyond what SAP Cloud Identity Services and SAP Cloud IAG provide.
SAP Cloud Identity Services are a SaaS solution supporting a good set of IAM capabilities, ranging from Access Management features for authentication and identity federation to SCIM-based provisioning, integrated directory services, and authorization management for Policy-Based Access Management (PBAM). SAP focuses on utilizing open standards, but also on integration with other IAM solutions in the organization. Access Governance features are provided by SAP Cloud IAG, which is primarily focused on the SAP ecosystem and neatly integrates with SAP Cloud Identity Services.
Challenges and limitations
With SAP itself supporting an integration approach with other identity management solutions “that provide a comprehensive approach”, the question is where such expansion and integration are needed. There are two dimensions to look at. One is the breadth and depth of the capabilities that are needed versus what is provided by SAP’s own solutions, which requires a thorough requirements analysis. Keep in mind here: Access Governance capabilities are delivered by the “companion product” SAP Cloud IAG, not by SAP Cloud Identity Services.
The other is the breadth and depth of integration with target systems. The focus on SCIM-based provisioning is one important area here. While SCIM is increasingly supported by SaaS (Software as a Service) solutions, SCIM interfaces are very rarely found in legacy on-premises applications.
A simple rule is: the more non-SAP solutions there are, the more legacy and on-premises integration is required, and the larger and more complex the organization is, the more likely it is that such an integration approach is needed.
Plus: there are several IAM solutions out there that can cover what SAP Cloud Identity Services and SAP Cloud IAG provide in capabilities. There are options. And some of them provide very powerful, in-depth support even for complex SAP environments.
Taking a structured approach
Don’t oversimplify a decision that will impact your IT for the next 10-15 years at least, given the common lifetimes of IGA solutions. Analyze the options you have thoroughly.
- Start with your overall IAM strategy: What will your Identity Fabric of the future look like?
- Analyze what you have and what (SAP Identity Manager, due to end-of-life) must change
- Understand what you will need
- Go into the detailed analysis of requirements
- Run a thorough tools choice process to find the right solution
For that tools choice process, best practice for an organization that has SAP Identity Manager in place is to have SAP Cloud Identity Services and Cloud IAG as one of the shortlisted options, amongst other IAM solutions. Such a process will also allow you to assess combinations such as SAP Cloud Identity Services together with Microsoft Entra ID or other enterprise IAM solutions.
In any case: don’t take this lightly. Take the time to plan and to assess the options you have, so that you find the right solution for your enterprise. Factors that influence the decision include:
- The current and future SAP landscape versus a multi-vendor strategy for Line-of-Business applications
- The complexity of the non-SAP application and system landscape in scope of IAM
- The state of IAM solutions beyond SAP Identity Manager
- The overall IAM strategy towards a modern Identity Fabric
- The organizational structure, specifically regarding responsibilities for SAP environments vs. IAM
There is no simple answer to the right approach for replacing SAP Identity Manager. Don’t oversimplify.
Information and support from KuppingerCole Analysts
KuppingerCole Analysts provide extensive support for you in this process. This includes upcoming webinars and webinar recordings, our research with Leadership Compass reports on topics such as IGA, SAP Access Control Tools, Access Control Tools for multi-vendor LoB environments, and our advisory services that can guide you through the entire process following a structured approach. Additionally, be sure to join me at the upcoming European Identity and Cloud Conference, where I will be hosting a dedicated session on preparing for the end of SAP Identity Management support. During this session, I will discuss the challenges and opportunities that come with this transition and share practical guidance and best practices to help you navigate it successfully.