Modernizing Identity Management: MIM to Saviynt EIC Migration
Is it time for your organization to migrate from Microsoft Identity Manager and you're unsure about where to start?
Microsoft Identity Manager (MIM) has reached a crossroads. While extended support continues until early 2029, the platform is no longer actively developed, which means no new features or enhancements, and some functionalities have already been deprecated. Microsoft itself recommends clients explore alternative solutions for future-proof identity management.
Untangling complex MIM deployments can be a daunting task. Replicating your current functionality often requires integrating multiple products and vendors, demanding significant expertise.
Executive Summary
After several years with MIM at the core of their lifecycle management (LCM) workflows, our client in the financial services industry needed help to support their transition to a more modern alternative with minimal downtime or disruption.
Our client's goal was to navigate a complex transition from MIM to Saviynt Enterprise Identity Cloud (EIC) while keeping their Active Directory (AD) and Workday (WD) workflows and LCM processes intact.
To help our client achieve their goals, we recommended and implemented Saviynt EIC to effectively modernize the organizations' onboarding, offboarding, and rehire processes. A key technical goal of this MIM to Saviynt migration was to streamline and modernize data management between essential identity systems. We achieved this by implementing robust integrations between Saviynt, AD, and WD.
- Real-time WD Synchronization: Seamless two-way data exchange with WD allows for reading and writing user information, ensuring up-to-date and consistent user data across both platforms and eliminating the need for manual data entry in either system.
- Streamlined AD Management: The integration with AD facilitates efficient account management. Saviynt can now read existing account attributes, aggregate them for a holistic view, and provision entirely new accounts within AD.
- Automated Security Group Assignments: Security group assignments are no longer a manual process. Saviynt leverages user attributes from both WD and external systems, automating group membership based on pre-defined rules. This ensures accurate and consistent access control.
These integrations were instrumental in achieving the client's goals of automating lifecycle management processes and improving overall efficiency within their identity management system. Replacing their complex MIM deployment with Saviynt simplified their identity management workflows and gave them a strong foundation for future growth.
Business Results
We successfully migrated this client from MIM to Saviynt EIC and deprovisioned MIM within 5 months of project initiation. This project had the following business benefits:
- Simplified Administration: Saviynt's modern UI reduces complexity and improves efficiency.
- Improved Functionality: Their new solution features dramatically improved functionality that can handle all types of identities.
- Stronger Compliance: We improved reporting and auditing capabilities to support compliance with regulatory requirements as well as internal policies.
Implementation Summary
Our goal wasn't just about migrating data from the existing MIM to Saviynt. Our client's MIM deployment had evolved and grown in complexity since it was implemented, so we led workshops to understand key items such as current MIM configuration settings, WD integration details and processes, and AD structure.
Through a thorough discovery process, we analyzed their existing workflows and technical requirements for the new Saviynt lifecycle management (LCM) processes. This comprehensive approach allowed us to identify potential areas for improvement and ensure a smooth transition to Saviynt.
A key part of the architecture involved establishing a custom site-to-site VPN between the client's network and their Saviynt SaaS tenant, configured to meet our client's specific security and business requirements. We facilitated a secure connection by whitelisting specific IP addresses and ports (HTTPS, LDAPS, etc.) and implementing custom routing to ensure seamless connectivity for essential Windows resources like AD and WD.
Key Automations
Leveraging our extensive experience, we implemented several automations within the client's Saviynt environment:
- Customized User Experience: We tailored the Saviynt EIC portal with the client's branding and integrated it with their SSO solution for a seamless user experience.
- Automated User Provisioning: Upon workstation creation, user identities are automatically created in AD with appropriate attribute mapping, ensuring consistency and reducing manual effort.
- Streamlined Onboarding: PowerShell scripts automate mailbox creation in Exchange and handle other custom onboarding tasks, expediting the process for new hires.
- Role-Based Access Control (RBAC) with Compliance:Access is assigned based on pre-defined security groups in AD, adhering to regulatory requirements regarding user roles and geographic location.
- Attribute Flow and Offboarding: Custom attribute synchronization flows ensure consistent data between AD, Saviynt, and WD. Additionally, automated offboarding scripts deactivate AD accounts based on triggers from either AD or WD.
- User Lifecycle Management: Rules are in place to manage user account lifecycle. Upon account disable or deletion, a 45-day grace period is observed (based on inactivity) before automatic deletion from AD. This aligns with offboarding procedures and integrates with ticketing systems (potentially Azure AD).
These integrations can be technically complex, but our team's deep experience with similar requirements allowed us to navigate these challenges and deliver seamless solutions.
Lifecycle Management
Our comprehensive Saviynt implementation addressed various user lifecycle management needs for our client, including:
- Automated User Offboarding: To ensure data security and compliance, inactive user accounts were automatically removed after a 45-day period. However, inactivity wasn't a simple metric. We developed a sophisticated system that considered last login data from three different sources and information from offboarding tickets within their IT Service Management (ITSM) solution.
- Dynamic Organizational Unit (OU) Placement: New users were assigned to the appropriate OU within AD based on a combination of their user attributes. This dynamic approach ensures users are placed in the correct organizational structure for access and management.
- Seamless Pre-Onboarding: To optimize the onboarding process, user accounts were transitioned from a “pre-hire” status to “active” on their official start date within WD. This allowed the client to “pre-onboard” new employees in WD without prematurely granting access to entitlements.
- Customized Onboarding Workflows: We created unique JML (Just-in-Time Management Logic) rules to accommodate the client's specific onboarding requirements. These rules included generating customized welcome emails and signature configurations based on pre-defined security group memberships within AD.
- Contingent User Management: Separate onboarding processes were established for contingent (external) users to manage their access effectively.
- Least Privilege Admin Access: Request-based workflows were implemented for Saviynt administrators. These workflows enforced pre-defined approvals and followed the principle of least privilege, ensuring secure and controlled access management.
- Streamlined AD Account Management: For users not provisioned through WD, we automated account enablement and expiry directly within Active Directory as part of a separate, approved process.
Automation Strategy
Our automation strategy leveraged Saviynt's core functionalities to streamline various processes.
- Leveraging Predefined Functions for Efficiency:Most of the business logic was implemented directly within the Saviynt UI, which offers pre-defined functions to facilitate rapid development for standard tasks.
- Custom SQL Queries for Complex Logic: For complex conditions, logic, and data transformations, we utilized custom SQL queries against the Saviynt user database. This allowed us to address intricate requirements that fell outside the scope of Saviynt's pre-defined functions.
- Enhanced Integration with Workday: The built-in Saviynt REST connector provided greater flexibility compared to the built-in WD connector when interacting with the WD platform. We configured connections and imported data using custom JSON files.
- Streamlined Writeback to Workday: We streamlined data flow back to WD using Saviynt's built-in SOAP connector. To ensure accurate and efficient data transfer, we created custom JSON files. These JSON files mapped attributes between Saviynt and WD, transformed data as necessary, and even embedded SQL queries for complex tasks. This approach kept Workday user information consistently synchronized with Saviynt.
- PowerShell Script Integration for Specialized Tasks:When necessary, PowerShell scripts were launched directly from the JSON definitions to handle specific tasks related to AD and Exchange. This allowed us to address functionalities that weren't natively supported by Saviynt.
- Custom Java Code for Advanced Functionality: While Saviynt offers pre-defined JML functions for common operations, some situations demanded a higher level of flexibility. In these cases, we either supplemented the functionality of these pre-defined functions or replaced them entirely with custom Java code, tailored to meet our client's specific needs.
- Migrating MIM Rules to Saviynt: Our client had many existing MIM rules. To convert these rules to function within Saviynt, we established a consistent process. First, we analyzed the purpose of each rule. Then, we exported the rules to JSON format. Finally, we manually reviewed the exported files to determine the most effective translation method using Saviynt's functionalities.
About the Author
Brian Read, Chief Technology Officer
[email protected]| Connect on LinkedIn
Brian has over 25 years of extensive experience in the IT industry, focused on managing and growing digital security practices. He has led large identity projects in the federal sector, energy sector, and financial services sectors.