Case Study - FedRAMP IDP Migration
Zero-downtime migration from Azure AD to Okta in a FedRAMP High environment.
Enterprise messaging platform, FedRAMP High environment
Build & Migrate
The situation
FedRAMP High environment. Thousands of engineers depending on Azure AD for daily access. The organization needed to move to Okta, but production access could not be disrupted. Standard migration approaches require downtime windows that were not acceptable.
The constraint was absolute: if someone could not authenticate during the transition, that was a production incident. The migration had to be invisible to end users.
The work
Built a dual-IDP feature that let both identity providers operate simultaneously during the transition. Engineers kept authenticating through Azure AD while we stood up the Okta configuration, tested it, and began routing traffic.
Migrated 5 SAML applications from Azure AD to Okta. Each application was moved individually, verified, and monitored before touching the next one. No batch cutover.
Deployed 4 AWS Lambda handlers for cross-tenant group synchronization. These kept group memberships consistent between the two identity providers during the transition period. Safety thresholds prevented bulk accidental removals: a maximum 15% change rate per sync cycle. If a sync would have removed more than 15% of a group's members, it stopped and alerted instead of proceeding.
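The threshold logic described above, as an added example (not the case study's own Lambda code): one sync cycle diffs the source group's members against the target group's, and refuses to apply the diff when it would remove more than 15% of the target group's current members. Directory API calls are replaced with in-memory sets so it runs offline; the group and user names are constructed, and the assumption that only removals count toward the threshold follows the case study's wording about preventing bulk accidental removals.

```python
"""Safety threshold for cross-tenant group synchronization.

Added example, not the Lambda handlers from the case study. It models one sync
cycle: diff the source group's members (Azure AD side) against the target
group's members (Okta side), and refuse to apply the diff when it would remove
more than MAX_CHANGE_RATE of the target group's current members. Directory
lookups are replaced by in-memory sets; all names below are constructed.
"""
from dataclasses import dataclass

MAX_CHANGE_RATE = 0.15  # 15% removal limit per sync cycle, as in the case study


@dataclass(frozen=True)
class SyncPlan:
    group: str
    to_add: frozenset
    to_remove: frozenset
    removal_rate: float
    blocked: bool
    reason: str


def plan_sync(group, source_members, target_members, max_change_rate=MAX_CHANGE_RATE):
    """Compute the membership delta and decide whether it is safe to apply.

    Only removals count toward the threshold (assumption): adding members
    never locks anyone out, while a bad source read can remove everyone.
    """
    source = frozenset(source_members)
    target = frozenset(target_members)
    to_add = source - target
    to_remove = target - source
    removal_rate = len(to_remove) / len(target) if target else 0.0
    blocked = removal_rate > max_change_rate
    reason = ""
    if blocked:
        reason = (f"sync would remove {len(to_remove)} of {len(target)} members "
                  f"({removal_rate:.0%}), above the {max_change_rate:.0%} limit")
    return SyncPlan(group, to_add, to_remove, removal_rate, blocked, reason)


def run_cycle(group, source_members, target_members, alert):
    """Apply one sync cycle and return the new target membership.

    When the plan is blocked, the target group is left untouched and `alert`
    is called with the reason: stop and alert instead of proceeding.
    """
    plan = plan_sync(group, source_members, target_members)
    if plan.blocked:
        alert(f"[{group}] blocked: {plan.reason}")
        return frozenset(target_members)
    return (frozenset(target_members) - plan.to_remove) | plan.to_add


if __name__ == "__main__":
    alerts = []
    # Constructed data: a 20-member target group mirrored from the source tenant.
    okta_group = {f"eng{i:02d}@example.test" for i in range(20)}

    # Routine churn (two left, one joined) is 10% removal and is applied.
    azure_group = (okta_group - {"eng00@example.test", "eng01@example.test"}) | {"eng20@example.test"}
    print(len(run_cycle("engineering", azure_group, okta_group, alerts.append)))  # 19

    # An empty source read (expired token, paging bug, deleted source group)
    # would remove 100% of the members; the threshold stops it and alerts.
    print(len(run_cycle("engineering", set(), okta_group, alerts.append)))  # 20
    print(alerts)
```

The empty-source case is the one worth keeping in mind: a transient failure on the source side looks exactly like "everyone was removed from the group", and a naive sync would faithfully propagate that as a mass lockout. A removal-rate cap turns that into a paused sync plus an alert, which is a much cheaper incident than revoking access for a whole engineering group.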
Infrastructure managed entirely through Terraform. Every change was reviewed, versioned, and reversible.
The outcome
Zero-downtime migration. No engineer lost access during the transition. The dual-IDP capability meant rollback was available throughout, though it was never needed.
The team owns the new Okta setup and operates it independently. Cross-tenant synchronization runs automatically. The Lambda handlers, Terraform configurations, and SAML application settings are all in version control and maintained by the internal team.
The handoff
Terraform-managed infrastructure, operational runbooks, and team training. The identity team runs everything without external support. The dual-IDP feature remains available as a safety net but has not been needed since the migration completed.