Migrations - Move identity providers without breaking what nobody documented

Every IDP migration has a documented half and an undocumented half. The vendor guide covers the documented half. The undocumented half is the SCIM integration running on someone's personal API token, the federation config that only one engineer understood, and the service accounts that exist in nobody's inventory. That is the half we are here for. Typical engagement: $30,000 to $80,000, four to twelve weeks.

The vendor migration guide gets you 60% of the way. It covers user sync, basic app re-integration, and MFA enrollment. What it does not cover is the SAML assertion your billing system depends on, the custom attribute mapping that only one engineer understood, and the SCIM integration running on someone's personal API token. We scope the project around the 40% the guide ignores.

You need to move from one identity provider to another. Maybe it is an acquisition, maybe the current platform cannot meet a compliance requirement, maybe the contract is up and you want out. The real question is not whether to migrate — it is what breaks when you do. Group membership rules that exist only in someone's head. Service accounts with hardcoded credentials that nobody inventoried. Federation configs built by an engineer who left two years ago. These are the things that surface during cutover if you have not found them first.

The cost of waiting

A botched cutover does not break one application — it breaks every application connected to the IDP, simultaneously, for every user. Recovery means re-integrating each one by hand while people are locked out. The reason we run phased migrations is so the undocumented dependencies surface in wave 1 with 50 users, not in the final wave with 2,000.

The work

IDP Migration

Moving your identity provider from one platform to another: Duo to Okta, Azure AD to Okta, one Okta org to another. We handle user migration, application re-integration, MFA re-enrollment planning, and cutover sequencing. Every phase has a rollback procedure. We have done this in FedRAMP environments where the margin for error is zero.

Platform Consolidation

You ended up with multiple identity systems — maybe from acquisitions, maybe from teams that picked their own tools, maybe both. Nobody planned for this. We design a target architecture, build the integration path, and execute the consolidation. Cross-tenant sync runs as an interim step so users do not get disrupted while we sort it out.

M&A Identity Due Diligence

Pre-close or early-integration assessment of a target company's identity environment. What IDPs do they run, how is access managed, what is the integration cost, and what needs to happen on Day 1. This is scoped to inform the deal, not execute the integration.

Pre-IPO Identity Readiness

Get your identity infrastructure audit-ready before SOX controls become mandatory. Covers the specific identity gaps that auditors flag during IPO preparation: access reviews, provisioning audit trails, entitlement documentation, privileged access controls. These become gating items on the S-1 timeline.

Deliverables

  • Migration plan with rollback procedures
  • Application integration inventory and re-integration schedule
  • User and group migration (with attribute mapping)
  • MFA re-enrollment strategy and communications plan
  • Cutover runbook
  • Post-migration validation testing
  • Current-state and target-state architecture documentation
  • Cross-tenant sync solution (if needed as interim)
  • Consolidation execution plan and runbook
  • Decommission plan for retired platforms
  • Target environment identity assessment (M&A)
  • Integration risk and cost estimate
  • Day 1 readiness plan
  • Identity controls gap assessment mapped to SOX requirements (pre-IPO)
  • Remediation plan with prioritized sequence
  • Evidence collection setup for ongoing compliance
  • Auditor-ready documentation

Typical engagement

  • Shape: Fixed scope with defined phases
  • Duration: 4–12 weeks
  • Price: $30K–$80K+

What shipped

Migrated a FedRAMP-constrained environment from Azure AD to Okta. Nobody got locked out. The migration itself was straightforward — the two AWS accounts where native tooling could not span the boundary were not. We wrote custom Lambda handlers to sync users and entitlements across that gap. Every phase ran in staging first. The rollback procedure got used once, in wave 2, when a SAML assertion broke a downstream billing integration that existed in zero documentation.

Common questions

How much does an IDP migration cost?

$30,000 to $80,000+. The price depends on the number of users, the number of applications, and the source and target platforms.

What does a migration include?

User and group migration with attribute mapping, application re-integration, MFA re-enrollment planning, cutover runbook, post-migration validation. Rollback procedures at every phase.

Can you migrate in a FedRAMP environment?

Yes. We have run FedRAMP IDP migrations that maintained compliance throughout. Nobody got locked out.


Have a project like this? Describe it and we will scope the work.