IAM platforms price per user and per feature, so costs scale directly with headcount and capability. Open identity providers — Keycloak, Authentik, Zitadel — remove per-user licensing for self-hosted deployments. IAM is high-stakes, though: it gates every login, so the migration is methodical and app-by-app.
Inventory first
Catalog users and groups; every application’s federation (SAML/OIDC/LDAP) with its metadata, signing certificates, client secrets, and redirect/ACS URLs; MFA enrollment state per user; conditional-access/policy rules; and SCIM/directory provisioning. Note any app whose protocol or flow the new IdP cannot reproduce (that is a blocker to find now, not at cutover). Identify an owner for each application; you’ll coordinate its cutover with them.
Stand up the new IdP
Create realms/tenants, configure directory sync (LDAP/AD federation or SCIM import), and recreate each app as an OIDC or SAML client with exact redirect URIs (no wildcards), the scopes it actually needs, and claim mappers that reproduce the claims the app consumes; verify each client against the inventory, not against the app’s documentation. Rebuild MFA (OTP/WebAuthn) and translate conditional-access policies into the new platform’s authentication flows. Set up break-glass admin access before cutting anything over: a local, non-federated admin account with its own MFA, credentials stored offline, and an alert on any use of it.
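A practitioner will want to check the recreated clients mechanically rather than by eye, because a single wildcard redirect URI or a missing claim mapper is easy to miss across dozens of apps. The following is an added example (not code from the page, Keycloak, Authentik or Zitadel) that audits a client export against the inventory built in the first step. The export shape, the app names, and the inventory are assumptions: the field names follow Keycloak’s realm-export JSON as I recall it (clientId, redirectUris, publicClient, implicitFlowEnabled, directAccessGrantsEnabled, attributes["pkce.code.challenge.method"], protocolMappers[].config["claim.name"]) and must be adapted for other IdPs.

```python
"""Audit OIDC clients recreated in the new IdP against the migration inventory.

Field names are an assumption modelled on Keycloak's realm-export JSON; adapt them
for Authentik or Zitadel. App names and all data below are constructed.
"""
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed inventory from the "Inventory first" step: the redirect URIs and
# claims each app actually relied on at the legacy IdP (hypothetical apps).
INVENTORY = {
    "wiki": {"redirect_uris": {"https://wiki.example.com/oidc/callback"},
             "claims": {"email", "groups"}},
    "spa-dashboard": {"redirect_uris": {"https://dash.example.com/auth/callback"},
                      "claims": {"email"}},
    "hr-portal": {"redirect_uris": {"https://hr.example.com/cb"},
                  "claims": {"email"}},
}

# Constructed export of the clients recreated in the new realm (hr-portal was forgotten).
TARGET_CLIENTS = [
    {"clientId": "wiki", "publicClient": False, "implicitFlowEnabled": False,
     "directAccessGrantsEnabled": True,
     "redirectUris": ["https://wiki.example.com/oidc/callback", "https://wiki.example.com/*"],
     "attributes": {},
     "protocolMappers": [{"name": "email", "config": {"claim.name": "email"}}]},
    {"clientId": "spa-dashboard", "publicClient": True, "implicitFlowEnabled": True,
     "directAccessGrantsEnabled": False,
     "redirectUris": ["http://dash.example.com/auth/callback"],
     "attributes": {"pkce.code.challenge.method": ""},
     "protocolMappers": [{"name": "email", "config": {"claim.name": "email"}}]},
]


def audit_client(client, expected):
    """Return (severity, message) findings for one recreated client."""
    cid = client["clientId"]
    findings = []
    uris = set(client.get("redirectUris", []))

    for uri in sorted(uris):
        if "*" in uri:
            # A wildcard lets an attacker-controlled path on the host receive the auth code.
            findings.append(("high", f"{cid}: wildcard redirect URI {uri!r}"))
            continue
        parsed = urlparse(uri)
        if parsed.scheme != "https" and parsed.hostname not in LOOPBACK:
            findings.append(("high", f"{cid}: non-HTTPS redirect URI {uri!r}"))
        if uri not in expected["redirect_uris"]:
            findings.append(("medium", f"{cid}: redirect URI {uri!r} not in inventory"))
    for uri in sorted(expected["redirect_uris"] - uris):
        # Functional as well as security: the app's callback will be rejected at cutover.
        findings.append(("high", f"{cid}: inventoried redirect URI {uri!r} missing"))

    if client.get("implicitFlowEnabled"):
        findings.append(("medium", f"{cid}: implicit flow enabled (tokens in URL fragment)"))
    if client.get("directAccessGrantsEnabled"):
        # The password grant never goes through the browser flow, so MFA and
        # conditional policies built into that flow are skipped.
        findings.append(("high", f"{cid}: direct access grants enabled; bypasses MFA flows"))
    pkce = client.get("attributes", {}).get("pkce.code.challenge.method")
    if client.get("publicClient") and pkce != "S256":
        findings.append(("high", f"{cid}: public client without S256 PKCE"))

    produced = {m.get("config", {}).get("claim.name") for m in client.get("protocolMappers", [])}
    for claim in sorted(expected["claims"] - produced):
        findings.append(("high", f"{cid}: no mapper for claim {claim!r} the app relies on"))
    return findings


def audit_realm(clients, inventory):
    """Findings per inventoried app; apps never recreated, or recreated but not
    inventoried, are findings in their own right."""
    by_id = {c["clientId"]: c for c in clients}
    report = {}
    for app, expected in inventory.items():
        if app not in by_id:
            report[app] = [("high", f"{app}: not recreated in the new IdP")]
        else:
            report[app] = audit_client(by_id[app], expected)
    for cid in by_id.keys() - inventory.keys():
        report[cid] = [("medium", f"{cid}: client exists in new IdP but not in inventory")]
    return report


def cutover_blockers(report):
    """Apps with at least one high finding must not be cut over yet."""
    return {app for app, findings in report.items() if any(s == "high" for s, _ in findings)}


if __name__ == "__main__":
    for app, findings in audit_realm(TARGET_CLIENTS, INVENTORY).items():
        for severity, msg in findings or [("ok", f"{app}: no findings")]:
            print(f"[{severity}] {msg}")
```

Run it against a real export after each batch of clients is created; anything in cutover_blockers stays on the legacy IdP until the finding is fixed. The missing-claim check is the one that catches the subtle breakage: the login succeeds, but the app sees no groups claim and silently grants the wrong authorization.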
Cut over app-by-app
Switch each application’s federation to the new IdP, group by group, running dual-auth (the app trusts both IdPs’ issuers and signing keys) during the transition where possible. Migrate MFA where the source IdP can export it (TOTP seeds, sometimes) and otherwise re-enroll users; WebAuthn credentials generally cannot be moved and need re-enrollment. Verify SCIM provisioning and, above all, deprovisioning end to end. Monitor sign-in logs for failures after each app and compare against the pre-cutover baseline; a spike in a single failure reason usually points at one misconfigured redirect URI, claim mapper, or MFA policy.
Validation & rollback
Test each app’s SSO over whichever protocol it uses (SAML or OIDC), MFA and policy enforcement, and provisioning/deprovisioning. Keep the source IdP live until every app validates; rollback is re-pointing the affected app’s federation back, which only works if the source-side client configuration is left intact until then. Token-refresh tests (sessions and refresh tokens from the old IdP do not survive the switch; confirm the app handles the forced re-authentication cleanly rather than failing into an error page) and IdP-failover tests round it out.
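The monitoring in the cutover step and the rollback decision above are the same question asked of the sign-in logs: is the new IdP failing users that the legacy IdP still accepts? The following is an added example (not code from the page or from any of the named IdPs) that reads both IdPs’ audit events during a dual-auth window and recommends rollback, hold, or proceed per app. The event shape (one JSON object per line with ts, idp, app, user, outcome, reason), the sample log, the cutover times, and the failure-rate threshold are all constructed for the example; map your IdP’s real audit events onto that shape before use.

```python
"""Post-cutover sign-in monitoring with a per-app rollback recommendation.

The event shape and every line of SAMPLE_LOG are constructed for this example;
apps, users, cutover times and the threshold are hypothetical.
"""
import json
from collections import Counter

# Constructed dual-auth window: 'wiki' was re-pointed at 10:00 and 'crm' at 09:00;
# the legacy IdP is still valid for both.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:40:00Z","idp":"legacy","app":"wiki","user":"alice","outcome":"success","reason":""}
{"ts":"2024-05-06T09:45:00Z","idp":"legacy","app":"wiki","user":"bob","outcome":"success","reason":""}
{"ts":"2024-05-06T10:05:00Z","idp":"new","app":"wiki","user":"alice","outcome":"success","reason":""}
{"ts":"2024-05-06T10:06:00Z","idp":"new","app":"wiki","user":"bob","outcome":"failure","reason":"invalid_redirect_uri"}
{"ts":"2024-05-06T10:07:00Z","idp":"new","app":"wiki","user":"carol","outcome":"failure","reason":"mfa_not_enrolled"}
{"ts":"2024-05-06T10:08:00Z","idp":"legacy","app":"wiki","user":"bob","outcome":"success","reason":""}
{"ts":"2024-05-06T10:09:00Z","idp":"new","app":"wiki","user":"dave","outcome":"success","reason":""}
{"ts":"2024-05-06T10:10:00Z","idp":"new","app":"crm","user":"erin","outcome":"success","reason":""}
{"ts":"2024-05-06T10:11:00Z","idp":"legacy","app":"wiki","user":"frank","outcome":"success","reason":""}
"""

CUTOVER = {"wiki": "2024-05-06T10:00:00Z", "crm": "2024-05-06T09:00:00Z"}
ROLLBACK_FAILURE_RATE = 0.25  # hypothetical threshold; set it from each app's baseline


def parse_events(text):
    """Parse JSON lines. ISO-8601 UTC timestamps in one format compare correctly as strings."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events, cutover):
    """Per cut-over app: new-IdP failure rate, failure reasons, fallback and stale users."""
    stats = {}
    for app, at in cutover.items():
        post = [e for e in events if e["app"] == app and e["ts"] >= at]
        new = [e for e in post if e["idp"] == "new"]
        failures = [e for e in new if e["outcome"] == "failure"]
        failed_users = {e["user"] for e in failures}
        tried_new = {e["user"] for e in new}
        legacy_ok = [e for e in post if e["idp"] == "legacy" and e["outcome"] == "success"]
        stats[app] = {
            "attempts": len(new),
            "failure_rate": len(failures) / len(new) if new else 0.0,
            "reasons": dict(Counter(e["reason"] for e in failures)),
            # Failed at the new IdP, then signed in via legacy: dual-auth caught them,
            # but the new client config (redirect URI, mapper, MFA) is broken for them.
            "fell_back_to_legacy": {e["user"] for e in legacy_ok if e["user"] in failed_users},
            # Legacy logins with no attempt at the new IdP after cutover: some client,
            # bookmark or second instance of the app was never re-pointed.
            "stale_legacy_users": {e["user"] for e in legacy_ok if e["user"] not in tried_new},
        }
    return stats


def recommend(stats, threshold=ROLLBACK_FAILURE_RATE):
    """rollback: re-point the app's federation back now.
    hold: stay in dual-auth and fix the configuration the failure reasons point at.
    proceed: safe to retire the legacy trust for this app."""
    out = {}
    for app, s in stats.items():
        if s["failure_rate"] > threshold:
            out[app] = "rollback"
        elif s["failure_rate"] > 0 or s["fell_back_to_legacy"] or s["stale_legacy_users"]:
            out[app] = "hold"
        else:
            out[app] = "proceed"
    return out


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG), CUTOVER)
    for app, decision in recommend(summary).items():
        print(app, decision, summary[app])
```

The stale_legacy_users set is the check that decides when the legacy IdP can actually be switched off for an app: as long as anyone still authenticates there without ever reaching the new IdP, retiring the old trust will lock them out. The reasons counter turns a raw failure rate into an actionable fix, since invalid_redirect_uri and mfa_not_enrolled are corrected in different places.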
De-risking
Pilot one representative app end-to-end before the broad rollout, and communicate MFA re-enrollment to users in advance to avoid lockout support storms.
Open a source→target page for IdP-specific steps and a per-user TCO model.