In my previous blog on ‘How to migrate your Identity and Access Management (IAM) system (Part 1)’, I talked about different strategies related to data migration projects. We saw that proper planning and preparation are required to choose the correct migration method for your organisation and corresponding data import alternatives.

In this second and final chapter, I will walk you through the different account linking methods, which you also need to carry over if they were used in the old system. I will also give tips and tricks on how you can improve the data quality of your system during the migration project and how to improve your system’s usability, security, and versatility. The aim is to plan a frictionless, user-friendly transition from the old system to the new one.

Account linking

In the previous chapter of this blog series, I listed some user migration considerations – things that you need to take into account when transferring information from the old system to the new one. Among other things, this includes transferring existing account links, such as those created by User-Driven Federation and Directory User Mapping. You should preserve these links in the new IAM service during the migration project, using the tools provided by your new IAM solution to facilitate the process. Let’s take a look at what these links are about.

User-Driven Federation

The basic idea of user-driven federation is to let the end user link existing third-party system credentials to your online service. This allows users to use an authentication method they already own, instead of the traditional new username and password combination. The concept is called BYOI (Bring Your Own Identity).

You could link, for example, social accounts such as Facebook, Google, LinkedIn, Twitter, etc. or business accounts such as Office 365. If necessary, the linking can be verified by using a strong authentication method, like a bank ID, to get a verified social identity. From the user perspective, it is a manual linking of two authentication methods provided by different sources that do not even need to have common trusted attributes. You can do the account linking either by first signing in using the existing account or by registering a new account while signed in to an existing third-party account.

 

Figure (Account linking Office 365): A simplified presentation of sign-in with User-Driven Federation

In the first example, the user already has an account for a given online service and would like to link their Office 365 business account to it for smoother logins. To begin the linking, they first visit the online service, choose O365 as the authentication method and sign in with it. Next, the user also signs in with the original online service credentials, after which they can set up the link between the two accounts.

Next time, the user can sign in to the online service using the O365 credentials and even utilise features such as SSO (Single Sign-On) which allows them to step into the service without a separate login if they are already signed in to their business account.

 

Figure (Account Linking - Google): A simplified presentation of account registration with User-Driven Federation

The second option allows you to register a new account using your existing third-party account. In the example case a user who is logged in to their Gmail account enters the target service for the first time. They choose to create a new account and get a partly pre-filled registration form, with their name and email attributes fetched automatically from the Google service. After the user has completed registration, they are able to single sign-on to the target system from the internet using their Google account.
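The two flows above, as an added example that is not part of the original post or of any Ubisecure product: a minimal in-memory identity store where an external identity is identified by the issuer plus subject of the third-party assertion. Flow 1 writes the link only after the user has authenticated with both the third party and the original local credentials; flow 2 pre-fills the registration form from the external claims and links in the same step. The class names, the assertion shape and the issuer URLs are assumptions made for illustration.

```python
# Added example (not Ubisecure's code): user-driven federation (BYOI)
# account linking. Store layout, names and issuer URLs are assumptions.
from dataclasses import dataclass, field


@dataclass
class ExternalAssertion:
    """What the third party (Office 365, Google, ...) asserts after login.
    issuer + subject is the stable identifier of the external identity;
    claims carry attributes such as name and email."""
    issuer: str
    subject: str
    claims: dict = field(default_factory=dict)


class LinkError(Exception):
    pass


class IdentityStore:
    def __init__(self):
        self.accounts = {}  # account_id -> attributes dict
        self.links = {}     # (issuer, subject) -> account_id

    def create_account(self, attributes):
        account_id = f"acct-{len(self.accounts) + 1}"
        self.accounts[account_id] = dict(attributes)
        return account_id

    def link(self, local_account_id, assertion):
        """Flow 1: the user has signed in with the third party AND with the
        original local credentials; only then is the link written. Refuses
        to take over an external identity already linked to another account."""
        if local_account_id not in self.accounts:
            raise LinkError("unknown local account")
        key = (assertion.issuer, assertion.subject)
        owner = self.links.get(key)
        if owner is not None and owner != local_account_id:
            raise LinkError("external identity already linked elsewhere")
        self.links[key] = local_account_id
        return local_account_id

    def sign_in(self, assertion):
        """Later logins: resolve the external identity to the local account.
        Returns None when no link exists; the caller must not fall back to
        matching on an unverified claim such as email."""
        return self.links.get((assertion.issuer, assertion.subject))

    def prefill(self, assertion):
        """Flow 2: registration form pre-filled from the external claims."""
        return {"name": assertion.claims.get("name", ""),
                "email": assertion.claims.get("email", "")}

    def register(self, assertion, form):
        """Flow 2: create the local account from the submitted form and
        link the external identity in the same step."""
        if (assertion.issuer, assertion.subject) in self.links:
            raise LinkError("external identity already registered")
        account_id = self.create_account(form)
        return self.link(account_id, assertion)


def demo():
    """Walk through both flows with constructed sample data."""
    store = IdentityStore()
    # Flow 1: existing account links an Office 365 identity (constructed ids)
    acct = store.create_account({"name": "Ada", "email": "ada@example.com"})
    o365 = ExternalAssertion("https://login.o365.example/tenant", "sub-o365-1",
                             {"name": "Ada", "email": "ada@example.com"})
    store.link(acct, o365)
    # Flow 2: a new user registers with a Google identity (constructed ids)
    google = ExternalAssertion("https://accounts.google.example", "sub-g-7",
                               {"name": "Bob", "email": "bob@example.com"})
    new_acct = store.register(google, store.prefill(google))
    return store, acct, new_acct, o365, google


if __name__ == "__main__":
    store, acct, new_acct, o365, google = demo()
    print("O365 login ->", store.sign_in(o365), "| Google login ->", store.sign_in(google))
```

Note that `sign_in` returns `None` for an unlinked identity instead of searching the account table for a matching email: a third-party email claim is only as trustworthy as that provider's verification of it, which is why the post recommends verifying the link with a strong authentication method where necessary.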

Directory User Mapping

Directory User Mapping is quite similar to User-Driven Federation. It offers automatic account linking based on a lookup in a third-party user repository. The user can sign in to a service using their existing credentials for a different service, such as a Bank ID, a Mobile Certificate (Mobiilivarmenne in Finnish) or an identity card. Another common example is to use attributes from a third party’s Active Directory (AD) to find the user’s account in an online service’s repository (Centralised Customer IAM in the picture below). During login, one or more known trusted attributes are returned from the third-party service and are used to search for and match the local user’s account. As a result of a successful mapping, your IAM solution can create an identity to access the online service in a single sign-on session.

 

Figure (Directory User Mapping): A simplified presentation of sign-in with Directory User Mapping

In this third example image a user already has a registered account, so their identity attributes are stored in the Customer IAM user repository. The online service requires that one or more unique attributes, such as an SSN (Social Security Number), are used for identity verification, and the attribute has to be fetched from a trusted source such as a bank, a telecoms operator or a national population registry service. First, the user chooses an authentication source, their bank for example, from the list of authentication methods. The IAM system receives the SSN attribute from that source and checks it against its own data repository to find the user’s attributes. From the user’s point of view, this is just like a typical strong authentication sign-in process: there is no need to first sign in using the original credentials.
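The mapping step described above, as an added example that is not part of the original post or of any Ubisecure product: the IAM side receives an SSN from a strong authentication source and resolves it to exactly one local account. The example goes slightly beyond the text in three places a practitioner would want handled: only attributes from an allow-listed issuer are accepted for matching, the lookup index holds a keyed hash of the SSN rather than the raw value, and zero or multiple matches are reported as failures rather than guessed. The issuer URLs, the index key and all records are constructed for illustration.

```python
# Added example (not Ubisecure's code): directory user mapping, i.e.
# automatic account linking by looking up a trusted attribute (an SSN
# returned by a bank or operator) in the local repository. Issuer URLs,
# the index key and all records are constructed for illustration.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Only attributes asserted by these sources may be used for matching.
TRUSTED_ISSUERS = {"https://bank.example/ident",
                   "https://operator.example/mobile-id"}

# Keyed hash so the lookup index never stores raw SSNs. In production the
# key lives in a KMS/HSM; this constant is a constructed demo value.
INDEX_KEY = b"constructed-demo-key-not-for-production"


def index_value(ssn: str) -> str:
    """Normalise (trim, upper-case) and key-hash the SSN for indexing."""
    normalised = ssn.strip().upper().encode()
    return hmac.new(INDEX_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class MappingResult:
    # one of: mapped, untrusted_issuer, missing_attribute, no_match, ambiguous
    status: str
    account_id: Optional[str] = None


class CustomerIAM:
    def __init__(self, records):
        """records: iterable of (account_id, attributes) where attributes
        contains the 'ssn' that the trusted source will assert."""
        self.accounts = {}
        self.by_ssn = {}  # index hash -> list of account ids
        for account_id, attrs in records:
            self.accounts[account_id] = attrs
            self.by_ssn.setdefault(index_value(attrs["ssn"]), []).append(account_id)

    def map_user(self, issuer: str, asserted: dict) -> MappingResult:
        """Resolve a strong-authentication assertion to exactly one account."""
        if issuer not in TRUSTED_ISSUERS:
            return MappingResult("untrusted_issuer")
        ssn = asserted.get("ssn")
        if not ssn:
            return MappingResult("missing_attribute")
        candidates = self.by_ssn.get(index_value(ssn), [])
        if not candidates:
            return MappingResult("no_match")    # unknown user: offer registration
        if len(candidates) > 1:
            return MappingResult("ambiguous")   # data quality problem: never guess
        return MappingResult("mapped", candidates[0])


SAMPLE_RECORDS = [  # constructed; the SSN values are not real identifiers
    ("acct-1", {"name": "Ada", "ssn": "010180-123A"}),
    ("acct-2", {"name": "Bob", "ssn": "020290-456B"}),
    ("acct-3", {"name": "Bob (duplicate)", "ssn": "020290-456B"}),
]


if __name__ == "__main__":
    iam = CustomerIAM(SAMPLE_RECORDS)
    for issuer, asserted in [("https://bank.example/ident", {"ssn": "010180-123A"}),
                             ("https://bank.example/ident", {"ssn": "020290-456B"}),
                             ("https://untrusted.example", {"ssn": "010180-123A"})]:
        print(issuer, asserted, "->", iam.map_user(issuer, asserted))
```

The `ambiguous` outcome is the one most relevant to a migration: duplicate records carrying the same SSN are exactly the kind of data quality defect the "data cleansing" tip later in this post is about, and surfacing them at login time instead of silently picking one is what keeps the mapping from granting access to the wrong account.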

Tips and Tricks

An IAM system migration is a relatively big project that potentially introduces a lot of new things to users. Some users can be resistant to big changes, so it is a good idea to communicate in advance that users should expect a system update on given dates. Focus on the positive side and possibilities that the new solution provides. Here are some tips and tricks on how to make the introduction of the new solution frictionless.

Think of it as a data cleansing

This is a good time to re-validate and re-verify user attributes to maintain data quality. You could even use an incremental approach where you ask users to check and update one attribute per week, for example “Are you still at 12 High Street? Yes/No (if not, please correct it)” or “Is your phone number +3585827756? Yes/No (if not, please correct it)”.

Re-attestation of user rights

An IAM migration project is the perfect time for re-approval of access to services. It is important that the right persons have access to the right areas of your services. A situation where the job role of an existing user has changed, or they have left the company, often requires modifications in the access credential configurations.

Here, a delegated user management facility can help the task considerably: the customer or partner organisation’s main user manages the access rights and authorisations of that company’s employees. There are several benefits to this approach, such as increased data accuracy, reduced security risk from abandoned accounts and credential sharing, and reduced operational costs for your enterprise. Find out more about Delegated Authority here.

Increase security and compliance with regulations

There are many business-driven reasons to purchase a new IAM system, such as increased security and help with complying with regulations. You get better hashing and encryption algorithms for passwords and other sensitive information, and you can choose from the latest and best authentication methods. Self-service portals let users view and manage their own account information, which is necessary for compliance with regulations such as GDPR and saves organisations considerable amounts of time (and therefore money).

Add usability and convenience

As mentioned before, users can be resistant to big changes. To soften the introduction of the new system, increase usability and convenience. This can be achieved, for example, by planning easy-to-use workflows with the new IAM system, by allowing login with an email address instead of a user ID, or by allowing login with (verified) social identities. If you choose trickle migration, where both the old and new systems run in parallel for a while (see the previous blog for a reminder on this), then consider keeping the old branding during parallel use and updating the visual brand later on.

Maintain everything that affects browser form-filling heuristics

This includes hostnames, form field names, page elements etc., so that browsers and password managers keep recognising the login form and offering saved credentials. Use any existing browser cookies for discovery where possible.

Encourage and entice users to use the new service

Send user invitations such as “We would like to introduce you to our enhanced and easy-to-use service. You can now assign a new, convenient authentication method to your account”. To further entice users, you could arrange small competitions and incentives. Getting users to use the new system is especially important if you were not able to migrate all the attributes to the new system, e.g. because of incompatible password hashing algorithms. In such a case, these attributes need to be re-created (see the next tip).

Allow parallel logins via old UI in case of “on the fly migration”

One form of trickle migration is called on-the-fly migration (again, see the previous blog for a reminder on this). In this phased migration method, you retain the old login for long enough for most users to have logged in to the new system. The idea is to check the user ID/password combination against the old backend service and, if it is correct, save it in the new IAM system: the password is rehashed with the new hashing algorithm and the old account is marked as migrated. You might not have time to wait for everyone to have logged in to the new system because of the licensing costs of the old system. In that case, the remaining users might need to re-register or at least reset their old passwords.
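The on-the-fly migration loop just described, as an added example that is not part of the original post or of any Ubisecure product. The old backend is simulated with unsalted SHA-1 (assumed here as a typical legacy scheme the new system cannot import), the new store uses salted PBKDF2-HMAC-SHA256 from the standard library, and the class names, users and passwords are constructed for illustration. Once a user is migrated the legacy backend is no longer consulted for them, and `unmigrated_users` gives the list that will need a reset or re-registration at cut-off.

```python
# Added example (not Ubisecure's code): on-the-fly password migration.
# Legacy backend simulated with unsalted SHA-1 (assumed legacy scheme);
# new store uses salted PBKDF2-HMAC-SHA256. All users are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000


class LegacyBackend:
    """Stands in for the old system: the new IAM only gets a verify() call,
    never the old hashes (which it could not use anyway)."""
    def __init__(self, users):
        self._hashes = {u: hashlib.sha1(p.encode()).hexdigest()
                        for u, p in users.items()}

    def verify(self, username, password):
        stored = self._hashes.get(username)
        if stored is None:
            return False
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)


@dataclass
class NewRecord:
    salt: Optional[bytes] = None
    pbkdf2: Optional[bytes] = None
    migrated: bool = False


def new_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class NewIAM:
    def __init__(self, legacy, usernames):
        self.legacy = legacy
        # Accounts were imported without passwords (incompatible hashes).
        self.records = {u: NewRecord() for u in usernames}

    def login(self, username, password):
        rec = self.records.get(username)
        if rec is None:
            return "unknown_user"
        if rec.migrated:
            ok = hmac.compare_digest(rec.pbkdf2, new_hash(password, rec.salt))
            return "ok" if ok else "bad_password"
        # Not yet migrated: ask the old backend; on success rehash and mark.
        if not self.legacy.verify(username, password):
            return "bad_password"
        rec.salt = os.urandom(16)
        rec.pbkdf2 = new_hash(password, rec.salt)
        rec.migrated = True
        return "ok_migrated"

    def unmigrated_users(self):
        """At cut-off these users must reset their password or re-register."""
        return sorted(u for u, r in self.records.items() if not r.migrated)


def build_demo():
    # constructed users; passwords are illustrative only
    legacy = LegacyBackend({"ada": "correct horse", "bob": "battery staple"})
    return NewIAM(legacy, ["ada", "bob"])


if __name__ == "__main__":
    iam = build_demo()
    print(iam.login("ada", "correct horse"))   # first login migrates
    print(iam.login("ada", "correct horse"))   # now verified locally
    print("still unmigrated:", iam.unmigrated_users())
```

A wrong password never triggers a rehash, so an attacker guessing against the old login cannot plant a hash in the new store; and because the new store only ever sees a password that the legacy backend just accepted, the quality of the migrated hash is bounded only by the new algorithm, not the old one.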

Conclusion

As business IT systems keep progressing with digitalisation and innovation, migration projects are a necessity. Existing solutions cover more and more ground and their requirements change frequently; data needs to be consolidated and many services are moving to the cloud. This is also true of IAM solutions, so make sure you select one that satisfies your business needs and is flexible enough to evolve with your organisation.

Ubisecure Identity Platform offers a scalable and easy-to-integrate omnichannel platform for your enterprise’s services whether you are looking for an on-premise solution or a cloud implementation, including the option for a quick-start deployment with Identity-as-a-Service (IDaaS). Get in touch at www.ubisecure.com/contact.

Download our free white paper, ‘Migrating your organisation’s IAM system’, for everything you need to know about seamlessly replacing IAM capability in apps and services.