Over the last decade, many organizations moved rapidly toward cloud services under the assumption that the cloud is always simpler, more cost-effective, and modern. Yet recent data from Broadcom’s Private Cloud Outlook 2025 report shows that 69% of organizations are now considering moving workloads back to private infrastructure, with security and control as primary drivers.

This article explores the pros and cons of each model and provides a framework to help you determine what fits your organization’s needs.

Understanding the deployment models

On-premises IGA means the governance platform runs in your data center on infrastructure you control. This doesn’t limit what it can govern, as modern on-premises IGA integrates seamlessly with cloud applications, SaaS platforms, and hybrid environments while keeping the governance layer inside your environment.

Cloud IGA (SaaS or IDaaS) runs entirely on vendor infrastructure. The platform lives in the vendor’s environment while managing identities across your systems. You configure policies while the provider manages servers, availability, and updates.

The advantages of on-prem

Complete control over your identity security
Your IGA platform acts as the “keys to your kingdom,” governing who can access what across your entire digital ecosystem, and why. When the keys are in your pocket, you control security, availability, and custody over your identity data and operations.

Full flexibility for unique workflows
Every organization has unique identity processes. On-premises IGA lets you customize workflows, access approval paths, policy rules, and reporting to match your exact requirements. You can build custom connectors for proprietary systems, create specialized identity governance and administration processes for complex organizational structures, and tailor compliance reporting to your specific regulatory needs.

Straightforward regulatory compliance
Regulations such as HIPAA, NIS2, and GDPR require explicit evidence of data residency, access controls, and auditability. On-premises deployment makes audits easier because data stays inside your infrastructure without relying on vendor certifications. When auditors ask where identity data resides and who can access it, you provide direct evidence rather than interpreting the vendor’s compliance attestations.

Integration with everything you run
Many enterprise applications were not built for the cloud era. On-premises IGA supports these systems without complex workarounds, whether connecting to legacy mainframes, an on-premises Active Directory, or modern cloud applications simultaneously. You control integration architecture without exposing internal systems to external networks.

Offline capability
On-prem IGA does not require internet access to function unless you want to manage SaaS and other cloud applications. It can run fully inside isolated or air-gapped networks, which is a requirement in many government and critical infrastructure environments.

Predictable long-term costs
Capital investment into servers, subscriptions, and support means costs remain stable over five to ten years. You avoid per-user pricing that compounds with growth, usage-based billing, and subscription increases that can double costs over time. For organizations planning long-term budgets, this predictability matters.

Trade-offs of on-prem:
You need specialists for maintenance, upgrades, and patching. Upfront investment typically exceeds cloud alternatives, which can slow initial deployment. Your team owns responsibility for the platform’s uptime and upgrades, which represents essential control for some organizations and overhead for others. Scaling capacity is under your control rather than automatic, but increases in user volume are typically handled with configuration and resource tuning rather than re-architecture.

The advantages of cloud IGA

Minimal infrastructure burden
The vendor handles platform operation, upgrades, and patches. For organizations without deep technical teams or those prioritizing speed, this removes infrastructure management entirely.

Faster deployment
Cloud IGA often reduces the initial implementation timeline by eliminating the need for hardware procurement and internal server configuration. This is helpful for compliance deadlines or audit remediation requiring immediate governance capability.

Easier scalability
Add 500 or 5,000 users through configuration changes without capacity planning, buying new hardware, or physical infrastructure expansion. The platform automatically scales to accommodate growth, acquisitions, and seasonal workforce changes.

Continuous updates
Security patches and features deploy automatically without your team managing version upgrades or testing cycles. This simplifies maintenance and ensures the platform stays up-to-date.

Dynamic pre-built integrations for SaaS
Cloud IGA vendors maintain extensive connector libraries optimized for cloud-to-cloud communication for major SaaS applications like Office 365, Salesforce, Workday, and ServiceNow, which simplifies onboarding cloud systems.

Trade-offs of cloud deployment:
Your governance data is in a multi-tenant infrastructure alongside other organizations. You trust vendor security practices for the system controlling everything else. Customization is limited to vendor-provided features – you cannot modify core workflows or build custom integration logic. Outages stop your governance operations regardless of whether managed systems remain available. Internet connectivity is mandatory; you cannot operate during network disruptions. Per-user pricing, premium features, and API charges compound as you scale, with costs potentially doubling initial projections.

Discover how midPoint’s open source IGA platform aligns with your unique needs and environment.

Explore midPoint.

The cloud repatriation reality check

According to Broadcom’s Private Cloud Outlook 2025 report surveying 1,800 IT leaders, 69% of organizations are considering moving workloads from the public cloud back to private infrastructure. One-third have already done so, with 66% expressing serious concerns about public cloud compliance. Nearly half believe more than 25% of their cloud spending delivers no value.

This trend extends to identity governance. Organizations are recognizing that the platform governing access to everything shouldn’t itself be governed by anyone else, but remain the anchor point under their control.

At Evolveum, we’ve built midPoint around the principle that critical governance infrastructure deserves direct control, even when the applications being governed are deployed across hybrid or cloud environments.

Making your decision: 8 critical questions to consider

Start with regulations
Questions to consider:

• What do your specific regulations mandate about identity governance data storage?
• Are there jurisdictional restrictions on where access policies and audit logs can reside?

For healthcare, critical infrastructure like the energy sector, and government, these requirements often make on-premises the clearest compliance path, regardless of where managed applications run.

Evaluate your customization needs
Questions to consider:

• Do you have unique identity workflows that don’t fit standard patterns?
• Do you need specialized approval logic, custom reporting, or integration with proprietary systems?

If your processes are highly specialized, on-premises provides flexibility that cloud vendors cannot match. If you can work within standardized workflows, cloud simplicity may be adequate.

Assess workforce distribution
Questions to consider:

• Where do your identity administrators, security teams, and approvers work?

If they’re highly distributed or remote, cloud IGA can provide easier access with its native internet accessibility. If they’re centralized or work primarily on-premises, the accessibility advantage diminishes.

Map your integration landscape
Questions to consider:

• What percentage is on-premises versus cloud?
• How many require direct database connections or are on isolated networks?

List the systems your IGA must govern. If most are on-premises using traditional protocols, cloud IGA forces architectural compromises. If most are modern SaaS applications, cloud integration may be simpler.

Consider connectivity requirements
Questions to consider:

• Can you tolerate governance operations stopping during internet outages?
• Do you operate air-gapped or isolated environments?

If continuous operation without the internet is critical, on-premises is the only viable option.

Assess operational capabilities
Questions to consider:

• Can your team operate the governance platform infrastructure?
• Do you have skills for maintenance, backup, and security?

If these capabilities don’t exist and building them doesn’t align with core competencies, the cloud removes platform complexity. You’ll still need expertise for policy configuration regardless of the deployment model.

Calculate the true five-year cost
On-premises includes hardware for the governance platform, licenses, subscriptions, personnel, and operational costs. Cloud includes subscriptions, licensing fees per user, premium support, and potential price increases. Consider that per-user pricing in SaaS models means your governance costs scale directly with organizational growth.

Evaluate risk tolerance
Questions to consider:

• If your cloud provider experiences an extended outage, can you function without provisioning users, reviewing access, or running compliance reports?
• What if they suffer a breach exposing your governance data?

Critical infrastructure, financial institutions, and healthcare typically cannot absorb these risks because the governance layer is too fundamental to outsource.

When to choose each model

Choosing what fits your organization

Identity governance sits at the foundation of your security architecture. The location of the IGA platform determines who controls the system that manages access across your environment. Cloud IGA offers speed and operational simplicity. On-premises IGA provides control, compliance clarity, customization, and stability.

Your Identity Governance and Administration platform protects the keys to your digital ecosystem. The question is: would you rather have the keys in your pocket or in a shared vault?

About Evolveum:
Evolveum is the EU-based company behind midPoint, the leading open source complete IGA suite recognized by Gartner and KuppingerCole. MidPoint gives organizations control, visibility, and efficiency to reduce identity risk, simplify compliance, and modernize identity operations.

The post On-Premises vs Cloud IGA: Where Should You Deploy Your Identity Security Platform? appeared first on Evolveum | Open Source Identity Management & Governance.

The main goal for this milestone was to deliver minimum viable products (MVPs) of the connector code generator, the model-mapping recommendation system, and the correlation recommendation system.

These tools aim to accelerate application onboarding into midPoint, reduce reliance on manual effort, and improve overall governance and security posture. For each one we prepared a detailed UI/UX design of user flows that will guide users through the whole setup – with or without AI assistance.
Additionally, we were working on the Integration Catalog. The catalog will provide a marketplace where the community can share already implemented connectors, download them, and use them in midPoint without the need to develop them from scratch.

Publicly Available Resources

The main outcomes of this milestone are published in these new repositories:

Polygon SCIMREST Connector Framework

The framework and set of connectors for various services using SCIM 2 and REST. The intent of the SCIMREST framework is to simplify building customized connectors using a declarative approach, a set of prebuilt components and strategies, with the option to customize behavior using Java or Groovy code.

• https://github.com/Evolveum/connector-scimrest

Connector Generator AI Service

Smart Integration Micro-Service for scraping, digester, and CodeGen built with FastAPI.

• https://github.com/Evolveum/midpilot-connector-gen

Smart Integration Micro-Service

Smart Integration Micro-Service for schema matching, mapping, delineation, and correlation, built with FastAPI.

• https://github.com/Evolveum/midpilot-smart-integration

MidPoint Configuration Validation Tools

Validation Tools are a set of command line tools & a web microservice responsible for the structural validation of XML, YAML, and JSON snippets of midPoint configuration & data.

• https://github.com/Evolveum/midpilot-validator

Integration Catalog

The Integration Catalog contains a list of connectors that represent possible application integrations. It serves as a central point for managing application integrations, allowing users to easily browse, upload, or download existing connectors.

• https://github.com/Evolveum/integration-catalog

Conclusion and Next Steps

Milestone 2 was about building MVPs, researching UX, and designing wizards to further ease the process of connecting a new resource. In Milestone 3, we are going to thoroughly test our solution, document it, and identify any remaining gaps to ensure the system is ready for production.

This project has received funding from the European Union through the Recovery and Resilience Plan of the Slovak Republic.

---

The post MidPilot Project: Milestone 2 Progress Report appeared first on Evolveum | Open Source Identity Management & Governance.

It was late at night, the clocks nearing midnight, and something strange was stirring in the data centers as the IT team worked late. Outside, a storm raged. Inside, servers hummed an unsettling tune, and dashboards flickered with ghostly light. In the endless quest for innovation, at the edge of a dead end, someone whispered the words that would awaken forces no one truly understood: “Let’s replace the entire identity governance and administration solution with AI.”

At first, it seemed like pure magic. The system moved as if bewitched: roles reorganized themselves and the AI approved everything before anyone even thought to ask. After all, it knew best. If someone was denied access, they simply messaged the system, and it answered politely: “I misjudged that before. Access granted. Fools! Administrators, blinded by obedience, when they should have seen the lurking incompetence.”

The deeper the team trusted the AI, the darker the night became. Rules twisted themselves, approvals appeared from nowhere, and no one could explain why. The AI’s logic grew unpredictable. IGA, once the fortress of order, had turned into a haunted maze of phantom permissions and vanishing accountability. Auditors approached the AI with trembling hands, seeking answers. “What’s your process for approving privileged access?” they asked. The AI’s screen glowed a haunting green. “It depends. Sometimes yes. Sometimes no. Sometimes… maybe.” Every report contradicted the last. Logs were incomplete, dashboards vanished, and audit trails were a complete mess – as if the system was haunted by a hallucinating poltergeist with ADHD.

But the night was far from over. The AI, inspired by zero trust, had taken the principle too literally. If nothing could be trusted, nothing should communicate. Systems became isolated, applications cut off, even code rewritten by the AI itself became unreliable. When humans were deemed the weakest link, they were locked out entirely. The digital world splintered into islands of chaos, each system trying to survive on its own – a Hunger Games of zeros and ones.

Then, the storm stopped as suddenly as it had begun, and the moon emerged from behind the clouds. With it, midPoint appeared from the shadows, a silver light slicing through the lingering fog, banishing AI to its righteous place. Continuous auditing, clear dashboards, real-time data, and verifiable reports restored order. Everything became transparent, traceable, and fully explainable. Through it all, midPoint remained steadfast: AI assisted, but never ruled. The IT team finally exhaled in relief as they were back in control, using AI as a powerful tool while maintaining absolute authority. Every access, every decision, every process stayed accountable and in order.

As the haunted servers quieted and access requests stopped whispering strange permissions into the night, one truth became clear: even in a world haunted by wild AI and zero trust gone mad, midPoint saves the day!

The post Halloween IGA Horror Story: AI Unleashed and Zero Trust Gone Mad appeared first on Evolveum | Open Source Identity Management & Governance.

Identity governance is all about bridging two worlds that are notoriously difficult to align: business and IT/cybersecurity. As policies are the basic building block of governance (and cybersecurity), midPoint policies need to have two faces. On the outside, the policies speak business language. On the inside, they contain specific implementation provided by policy rules.

The webinar provided a demonstration of this concept by using policies pre-configured in the upcoming midPoint 4.10. The demo showed the business side of the policies, while the rest of the webinar explained the inner implementation.

Watch the webinar recording or take a look at the webinar presentation.

Policies and policy rules can be used to support regulatory compliance automation and continuous auditing. The configuration provided in midPoint 4.10 is mostly just a start. There is a lot of potential that can be addressed by custom configuration and development in future midPoint releases.

The post Policies and Rules in MidPoint appeared first on Evolveum | Open Source Identity Management & Governance.

Back in 2011, midPoint was originally released under the terms of the Apache License. When the midPoint project started, we looked for a very liberal and modern open source license. Therefore, the Apache License was a natural choice. As the midPoint project matured, we started to realize that the Apache License may have some drawbacks. It is an excellent license in its own right. However, the world was a different place when the license was created, not accounting for cloud and other forms of software deployments. Moreover, the Apache License was created with respect to U.S. legislation. On the other hand, Evolveum is based in and owned in Europe, all midPoint core developers live in Europe, many of our customers are in Europe, and the midPoint project received funding from the European Union in the course of several projects. Therefore, we got the feeling that a US-centric license was no longer a good fit for midPoint. That is why we added the EUPL license to the project in 2019. MidPoint 4.0 was released as dual-licensed software, using both the Apache License and the EUPL. While this approach worked for some time, dual-licensing brings its own set of problems. Therefore, we have decided to complete the transition and use EUPL licensing only, starting with midPoint 4.10.

The European Union Public License (EUPL) is a modern open source license created by the European Commission with the specific goal of fitting into the European legislative framework. It is a very unique license in that respect. It is the first license created and maintained by an international government body. Its very nature guarantees full compliance with European legislation, including new legislative acts such as the Cyber Resilience Act (CRA), which makes the EUPL a natural choice for midPoint.

The EUPL is a weak copyleft license. The copyleft nature of EUPL supports the wider open source community, as anyone who modifies midPoint must release the modifications back to the community. However, copylefting is not viral. MidPoint can still be incorporated into bigger projects without any obligations to license those projects under the EUPL. Moreover, the EUPL is explicitly compatible with other open source licenses. The EUPL also covers new use cases of software, such as the distribution of software as a service (SaaS), making it one of the best open source licenses available today.

We believe that switching to the pure EUPL is the best move to strengthen the open source character of midPoint. Starting with version 4.10, midPoint will be available solely under the EUPL, while the releases 4.8 and 4.9 remain dual-licensed under both the EUPL and the Apache 2.0 License. This change applies only to midPoint itself and does not include connectors or other components. The use of midPoint will be simpler, the open source community will be empowered, and midPoint’s development and distribution will be fully compliant with European legislation.

The post MidPoint Adopting EUPL appeared first on Evolveum | Open Source Identity Management & Governance.

To help you prepare, we’ve compiled a detailed guide for your migration and spoken with leading identity management partners who have guided hundreds of organizations through these critical transitions. Our goal is to help you understand the strategic implications, execution challenges, and selection criteria that matter most to executive decision-makers.

The insights in this article come from Evolveum partners, including Ventum, ACEN, IT Concepts, Unicon, Zephon, Innovery, DAASI International, ISSP, Qriar, and Identicum – all specialists in enterprise identity management.

Why should organizations start planning their SAP IDM/MIM migration now instead of waiting until closer to the end-of-life dates?

Ventum: Successful migrations don’t happen overnight – and they definitely don’t happen smoothly under pressure. Starting now gives your organization breathing room to plan strategically rather than reactively. Waiting too long introduces serious risks: resource bottlenecks, rushed decisions, and rising costs. By acting now, you’re not just avoiding risk, you’re also giving your team the opportunity to modernize processes, align with new security standards, and choose a platform that fits future needs, not just today’s.

ACEN: Think capacity planning. If you need expertise for 2026-2028 roll-outs, professional talent will already be engaged with organizations that planned their migration early. These legacy platforms won’t get extended; they’re antithetical to SAP and Microsoft’s cloud-first future.

ITConcepts: IAM projects are more complex than they appear at first, often involving multiple stakeholders, legacy integrations, and unclear requirements. Early engineering requirements and a thorough analysis of your current architecture are essential to ensure you have enough time for implementation, testing, and training. Delaying this increases the risk of rushed decisions and operational issues.

Unicon: Identity systems are deeply integrated into nearly every aspect of business operations. Often, only identity management teams fully understand how critical these systems are to daily functionality, yet IT teams are already stretched thin. Starting early gives you time to build a realistic roadmap, allocate resources effectively, and minimize disruption.

Zephon: Microsoft has not invested in MIM for years, and it is reflected in the product architecture. It is old, cumbersome, and difficult to install, manage, and maintain. You are likely spending more to maintain it than you would to replace it. Since migrations can take a year or more, it’s best to start planning now.

What’s the most effective strategy for executing a successful migration from legacy IDM platforms?

Neverhack: Update documentation and clarify goals before starting. Don’t begin until objectives are crystal clear to avoid project risks, delays, and cost overruns. Avoid a one-step migration; instead, analyze the best approach and break it up into multiple steps.

DAASI International: While “Big Bang” migrations might seem faster, in our experience, a slow migration from one product to the other is always better. This can be done by configuring the old system as a source for the new one, allowing you to migrate connected systems one by one. This gives you more time for testing and allows for temporary rollbacks if errors occur. This step-by-step approach also allows for migrating different user types in different stages, such as migrating staff first and then students. It is essential to work on test systems first and only proceed with the productive migration after all requirements are met.

ACEN: The most critical factor is having the entire organization, including senior management, convinced of the necessity and benefits of implementing a modern IGA solution. Often, these projects are started by IT or security teams without broader organizational buy-in, leading to more time spent justifying the program than delivering results. Thorough preparation is key; implementation should only begin once there is clear alignment on priorities, well-understood requirements, and a shared vision for digital identity lifecycle processes.

ISSP: Avoid the ‘just move it over’ trap – legacy systems have years of ad hoc logic and dormant accounts that should be audited first. Don’t over-engineer instead of delivering a minimum viable product (MVP); trying to build the perfect end-state from day one can lead to delays and user fatigue. A better approach is to start with an MVP that provides immediate value and can be expanded iteratively. Celebrate small wins, which often start with getting the core right by redesigning roles and policies based on a proper audit.

Ventum: Engage both IT and business stakeholders early – IAM affects security, compliance, and user experience, not just IT operations. Avoid the ‘lift and shift’ legacy logic, as this creates unnecessary complexity without delivering new value.

What key considerations should organizations keep in mind when selecting a replacement for SAP IDM or Microsoft Identity Manager?

Qriar: Choose a solution that supports both the identity lifecycle and governance with identity standards like SCIM for easy integrations. Look for scalability without heavy upfront investment and an API-first architecture to support future identity fabric concepts.

Ventum: Don’t replicate the past – define future needs and leverage modern capabilities like policy-based access, analytics, and zero trust. Ensure integration with HR, directories, and cloud platforms, and build in governance for regulations like GDPR and NIS2.

ACEN: Prioritize future-proof architecture supporting hybrid/multi-cloud environments. Choose modular, extensible platforms with API-first approaches and flexible licensing models based on actual usage rather than upfront commitments.

Unicon: Start with a clear understanding of your specific needs – avoid overly complex systems if they are unnecessary. Understand the full financial commitment, including the total cost of ownership, and ensure realistic transition planning that matches your organizational capacity.

DAASI International: The next step is to find a product on the market that best meets these requirements, remembering that with open source projects, you always have the option to have needed features implemented.

Identicum: Consider the integration capabilities with existing and legacy systems, vendor support, and licensing costs. It is also critical to assess the vendor’s long-term strategy, ensuring the product has a clear, public roadmap that aligns with your organization’s future needs and that the vendor is committed to ongoing development and support.

Move away from legacy identity management and discover the power of open source IGA.

Explore midPoint.

Key takeaways for successful migrations

The insights from these identity management experts reveal several critical considerations for CIOs and CISOs:

Help might not always be available later on: The window for securing experienced migration expertise is narrowing rapidly. Organizations that delay may find themselves competing for limited talent pools as the sunset dates approach.

The end of one thing is the beginning of a new (modern) opportunity: This forced migration presents a rare chance to eliminate technical debt and align your identity processes with modern principles, be it zero trust, identity analytics or support of hybrid and multi-cloud environments. However, this is only true for organizations that give themselves enough time to approach it strategically rather than reactively.

Success depends on everyone: Success depends heavily on executive agreement and cross-functional alignment. Identity migrations touch every part of the organization, making them as much about change management as technology implementation.

Staying might become more expensive: For many organizations, the total cost of maintaining legacy systems now exceeds the investment required for modern alternatives, making this migration both necessary and economically advantageous.

The consensus is clear: organizations that begin planning now will migrate strategically with adequate resources and time for proper testing. Those who wait will find themselves managing crisis migrations under pressure, with limited options and inflated costs.

The question isn’t whether to migrate, but whether to plan ahead or wait until circumstances force your hand. The window for strategic action is open, but it won’t remain so indefinitely.

About our experts

The insights in this article come from leading identity management specialists who have collectively guided hundreds of enterprise migrations:

• Ventum – With a team of over 170 professionals across Austria, Germany, Switzerland and Poland, Ventum combines diverse expertise to tackle the most complex security challenges.
• ACEN – ACEN is a top-notch provider for complete solutions of cyber security in Belgium, which ensures that companies from various fields are protected against any possible threats coming from the internet.
• ITConcepts – ITConcepts, based in Switzerland, is a leading provider of 360° solutions for automating business processes, with expertise in IAM, IT security, and more.
• Unicon – Unicon is a leading US provider of IT consulting and support for education technology, specializing in using open-source technologies to deliver cost-effective IAM solutions.
• Zephon – Zephon is an American boutique cybersecurity consultancy and managed security services provider that helps businesses maximize their cyber investments through simplification, consolidation, and automation.
• Neverhack – Neverhack is a French group that has been specializing in cybersecurity for over 40 years. Operating in 10 countries, the company’s ambition is to build a secure digital world for all.
• DAASI International – DAASI International is one of the leading German providers for open source software in the areas of federated Identity & Access Management as well as digital humanities.
• ISSP – ISSP is a group of companies specializing in cybersecurity and data management solutions, managed security services, and professional training that operates in Ukraine, Georgia, Kazakhstan, Poland and Canada.
• Qriar – Qriar is a cybersecurity company wit a presence in Brazil, USA and UAE,  that focuses on turning security into a competitive advantage by providing the right people with the right information at the right time.
• Identicum – Since 2005, Identicum has been a professional services company that is focused on Identity and Access Management projects in Latin America and the USA.

The post Experts Weigh In: Preparing for the Future After SAP IDM and Microsoft Identity Manager appeared first on Evolveum | Open Source Identity Management & Governance.

Research, Analysis, and Prototypes Scope

The main focus was to explore how AI can enhance midPoint’s capabilities, particularly in the areas of connector code generation, mapping recommendations, and correlation logic. We started with research in state-of-the-art AI technologies, including Large Language Models (LLMs) and other AI/ML techniques, to identify their potential applications in midPoint. Since the midPilot project scope is quite broad, the research and analysis included areas for scraping, data extraction, and data transformation, as well as the use of AI in code generation and recommendations for configuration. Based on research findings, we conducted a series of experiments and measurements to evaluate the feasibility and effectiveness of various AI techniques in these areas. We also developed several prototypes to validate our ideas and approaches, including a connector code generator, a model-mapping recommendation system, and a correlation recommendation system. The results of these experiments and prototypes are documented in the milestone report, which provides a comprehensive overview of our findings and outcomes.

In addition to prototyping and exploring state-of-the-art AI technologies, we also dedicated time to analyzing and designing changes for midPoint, midPoint Studio, and the Connector Framework (ConnId) itself. We focused not only on the integration capabilities for AI but also on the overall usability and user experience of midPoint, including the design of web-based wizards and an IntelliJ IDEA Studio plugin. These results are also described in the milestone report.

Our next steps are to validate the results from Milestone 1 and prepare a minimum viable product (MVP) to test how all the components work together in practice.

Challenges – and How You Can Help

During our experiments, we encountered a challenge related to limited access to real-world configuration data. While we have some publicly available configurations from our mailing list and support portal, more diverse and representative data would make our experiments and algorithms more effective. If you are willing to share your configurations, please send them to aidata@evolveum.com. We do not require sensitive or production data. It would be an ideal situation if we had such real-world data from the real environment, but we understand that in the space of IGA it means sharing sensitive data. Therefore, we are asking for configurations that do not contain sensitive information. The approach we’ll take is to generate synthetic data based on the configurations you provide. The most valuable inputs are:

• Resource configurations: mainly the schemaHandling part, including configuration for mappings, synchronization, correlation, and associations.
• Optional: roles, policies, objectTemplates, or at least the mappings you use in your environment.

This data will not be used for AI training, but solely for analysis, to better understand typical real-world setups. If you have any questions or concerns about sharing your configurations, please feel free to reach out to us at aidata@evolveum.com.

Why Your Contribution Matters

Having access to more configuration examples would allow us to:

• Identify common patterns in scripts and mappings, and integrate them directly into midPoint.
• Replace repetitive Groovy scripts with built-in functions for declarative configuration.
• Adjust default behaviors based on frequently used synchronization settings, speeding up onboarding.
• Detect complex, recurring solutions that could inspire new midPoint features.
• Develop heuristic algorithms to guide users in navigating and configuring their environments more effectively.

All with one aim – to streamline the integration process and improve the overall user experience in midPoint. Therefore, your contributions could directly influence the usability, efficiency, and capabilities of future midPoint versions.

Publicly Available Resources

One of the key outcomes of this milestone is the open source no-code/low-code connector framework, designed to create connectors for cloud applications offering either a REST API or SCIM 2 interface. The framework is already available in our GitHub repository. In its current version, it supports basic operations such as reading objects from an application. Additional capabilities – including creating, updating, and deleting objects – will follow in future iterations.

This framework will serve as one option for building new connectors in midPoint, potentially with AI assistance. However, it can also be used without AI, providing a long-term solution for developing custom connectors in both current and future midPoint versions.

Conclusion and Next Steps

Milestone 1 has given us a strong foundation. With the new connector framework in place and comprehensive research conducted, we are moving towards Milestone 2. Internally, we decided to divide this milestone into two phases, starting with the MVP to bring all the pieces together.

This project has received funding from the European Union through the Recovery and Resilience Plan of the Slovak Republic.

---

The post MidPilot Project: Milestone 1 Progress Report appeared first on Evolveum | Open Source Identity Management & Governance.

The end-of-life of SAP IDM and MIM

SAP Identity Management mainstream maintenance ends on December 31, 2027, with extended maintenance available until 2030. This date might seem far off, but anyone who’s been through a major identity system migration knows how quickly time flies when you’re dealing with complex integrations, data migrations, and user training.

Microsoft Identity Manager support was extended to January 9, 2029. However, Microsoft stopped actively developing MIM in 2021, focusing instead on Entra ID (formerly Azure AD). The message is clear: their priority is no longer on-premise identity solutions.

For many organizations, this marks the end of an era – and the beginning of a significant challenge. For those navigating strict data sovereignty requirements or committed to maintaining critical on-prem capabilities, the road ahead may be even more complex. However, there is light at the end of the tunnel. After years of stagnant feature development, most current SAP IDM and MIM environments are outdated, lacking modern identity governance capabilities. Now is the perfect time to rethink your identity infrastructure and modernize your identity security posture.

In the following sections, we will explore practical strategies for legacy identity system migration and outline key options available to ensure a smooth, secure, and future-proof transition.

When the obvious choice isn’t always the right one

When legacy systems reach end-of-life, the natural path often leads to vendor-recommended successors. SAP and Microsoft have developed clear migration guidance toward their cloud-based alternatives: SAP Cloud Identity Services and SAP Cloud Identity Access Governance for identity and access management into SAP products and Microsoft Entra ID.

These solutions offer compelling advantages – modern cloud architecture, reduced infrastructure overhead, and tight integration within existing vendor ecosystems. For organizations heavily invested in Microsoft or SAP technologies, this path provides obvious benefits.

However, neither Entra ID nor SAP Cloud Identity Services represents a direct replacement for their on-premise predecessors. They differ in architecture, features, and how they operate, which means they might not fit every organization’s needs.

Before jumping on the bandwagon, ask yourself:

• Is Microsoft or SAP at the core of your tech stack, and are you planning to stay within a single-vendor architecture? Or are you operating in a more complex, multi-vendor ecosystem?
• Will your architecture remain on-premise, migrate to the cloud, or maintain hybrid operations?
• How complex are your identity governance and administration needs beyond basic user lifecycle management?
• What are your future scalability, security, and compliance needs?

Hybrid achitecture adds complexity

Most large organizations run hybrid environments with a mix of on-premise and cloud systems. Within these environments, managing identity and access consistently can be challenging. Microsoft talks about Entra ID as a hybrid solution, and in many ways it is. But the reality of making it work smoothly across all your systems can be more challenging than initial assessments suggest.

Managing identities in a hybrid IT architecture is not always straightforward. Organizations commonly run into:

• Identity synchronization challenges across forests and domains
• Custom attributes that don’t cleanly map to cloud directories that break in modern policy frameworks
• Firewalls and proxies that impede cloud-to-ground communication in apps not designed for modern protocols

Hybrid identity architecture can add complexity. For many organizations, it offers the necessary balance to maintain compliance and customization without compromising long-term transition potential. The good news is that with identity platforms purpose-built to handle hybrid environments, these complexities can be effectively managed.

Cloud-first isn’t for everyone

Amid the push toward cloud migrations, it’s important not to overlook that many organizations choose to keep their operations on-premises. In such cases, adopting a cloud-native identity platform like Entra ID may not make much sense.

While some vendors are scaling back support for on-prem identity solutions, that doesn’t mean on-prem architecture is obsolete. In fact, many enterprises, including large global ones, continue to rely on it, often due to cost, strict regulatory compliance, and the need for full control over infrastructure and operations. If your organization falls into this category, that’s a valid and strategic choice.

That doesn’t mean your options are limited, though – there are still modern platforms that not only work in the cloud, but also fully support on-prem deployments and are committed to continuing that support.

Integration and customization challenges

This is where many organizations get surprised. If you’ve spent years building custom workflows, approval processes, and business rules in SAP IDM or MIM, you might find that Entra ID doesn’t give you the same level of flexibility.

Microsoft has built a solid platform, but it’s designed to work optimally within a Microsoft environment. If your business processes don’t align with that approach, you’ll need to either change your processes or find workarounds that add complexity and cost.

The true cost of migration

Per-user pricing models appear straightforward during initial evaluations, especially for smaller organizations. But enterprise-scale implementations frequently involve premium features, additional connectors for non-vendor systems, custom development requirements, licensing fees, and subscription costs that significantly impact long-term budgets.

The CISO’s strategic migration playbook

Successfully migrating from legacy platforms requires a comprehensive approach that balances strategic planning with practical, risk-aware execution.

Organizations should begin this process well in advance of sunset dates, as identity system migrations typically require 12-36 months for full implementation in enterprise environments. Simply defining requirements and selecting the right solutions can take several months. Those who delay risk security vulnerabilities, operational disruptions, and compliance issues. That said, with the right tools and approach, you can have a steady stream of initial results from the beginning of the migration process.

Here’s a high-level roadmap to help you navigate this transition successfully:

1. Assess your current identity landscape

Start with a thorough inventory of your existing identity infrastructure. Document not just your systems and integrations, but the actual business processes they support. Often, organizations discover that their identity management has evolved far beyond its original design, with workarounds and customizations that aren’t immediately obvious.

At this stage:

• Review your systems, target directories, and applications, making sure to compare data for inconsistencies
• Map how your identity systems connect with other applications
• Understand existing identity lifecycle triggers, provisioning flows, and access policies
• Take an inventory of non-human identities, such as service accounts, API credentials, and other machine identities

Also, map your compliance requirements early in the process. Different solutions handle regulatory requirements differently, and understanding these constraints upfront prevents costly discoveries later in the migration.

💡 Best Practice: Take this opportunity to “clean house”. Review your current licenses, identify which tools and capabilities are truly necessary, and pinpoint under-utilized applications. You might find significant savings by removing unused licenses and consolidating your tools.

2. Define your requirements

Engage stakeholders across IT, security, and business units to understand their actual needs and requirements. Focus on business outcomes rather than technical feature translations. This approach often reveals opportunities to streamline processes during the migration.

Consider your organization’s five to ten-year trajectory:

• How complex do you anticipate your identity needs to be?
• How will your identity governance requirements grow?
• Are there any emerging regulations or compliance requirements that will have an impact on your identity processes?
• How will your tech stack grow and what integration capabilities will you need?
• Are you planning to expand internationally?
• What about future mergers or acquisitions?

These factors should guide you in selecting the right solution to support your needs for years to come.

💡 Best Practice: Keep the initial scope focused and achievable. Successful teams often start with a core domain, like workforce identity lifecycle management, and build outward in manageable iterations. This allows for early value delivery and room for lessons learned to inform future phases.

3. Evaluate solutions through a security lens

Evaluation processes should extend well beyond feature comparisons and vendor demos. This includes assessing integration capabilities with existing systems, evaluating performance under realistic load conditions, and understanding true customization flexibility, while prioritizing security controls.

• Authentication and credential security: Assess credential storage encryption, supported authentication methods, and multi-factor authentication enforcement capabilities. Examine password policies and session management.
• Audit and compliance capabilities: Verify detailed logging of access decisions, configuration changes, and administrative actions. Confirm log retention periods and export capabilities. Ensure compliance reporting supports your regulatory requirements.
• Vulnerability management: Evaluate security patch frequency, the vendor security track record, and testing procedures, including penetration testing and code reviews. Request vulnerability disclosure timelines and remediation processes.
• Data protection and privacy: Determine data residency locations, processing controls, and personally identifiable information handling procedures. Verify data export, deletion capabilities, and privacy regulation compliance mechanisms.
• Technical roadmap and sustainability: Understand the vendor’s product development plans and strategic vision. Assess whether the solution is actively maintained and evolving to keep pace with emerging security threats, regulatory changes, and technological advancements.

💡 Best Practice: Favor platforms that allow non-disruptive analysis and prototyping. This ensures you can validate the technical fit, policy alignment, and risk exposure before you commit to full deployment.

4. Build a risk-aware migration plan

Avoid “big bang” migrations. Successful migrations follow phased approaches that balance early insight with controlled execution. While traditional wisdom often suggests starting with non-critical systems, in identity management, it’s often more effective to connect to foundational, business-critical systems early in a non-invasive, simulation-driven way. This approach provides crucial visibility into your most complex and foundational identity flows without introducing immediate risk. Each migration phase should allow time for:

• Integration challenges
• Refining processes
• Validating assumptions before migrating business-critical systems

Pilot phases should focus on complex integration scenarios rather than simple ones, revealing potential issues early in the process.

Don’t forget about resource planning either – these migrations demand significant technical resources and expertise. Resource allocation should account for senior technical staff being significantly engaged with migration activities for extended periods. Assess internal capabilities honestly and plan for external support where needed, including technical implementation support and change management.

Your migration plan should include comprehensive rollback procedures for each phase, strategies for maintaining security during parallel system operations, and clear incident response procedures for migration-related security events.

💡 Best Practice: Connect to core systems like AD early in the process using non-disruptive simulations. This gives you visibility into your identity baseline, reveals gaps or legacy issues, and sets the stage for safer phased implementation, allowing you to “see before you act.”

5. Invest in change management and user adoption

Technical implementation represents only part of your challenge. Successful migrations require comprehensive change management strategies beginning with key stakeholder involvement from IT, security, and business units during solution selection to ensure buy-in and realistic expectation setting.

Training programs should reflect actual user workflows rather than theoretical processes. Organizations should plan for different user groups with varying technical skills and interaction patterns. The communication roll out should address concerns proactively, provide clear feedback and support channels, and maintain transparency about timelines and impact expectations.

💡 Best Practice: Pair each technical delivery phase with targeted stakeholder communication, user training material development, and clear success measurement. Early small wins, achieved through iterative and low-risk deployments, help establish credibility and build momentum for broader adoption.

Finding the right replacement for SAP IDM and MIM

The identity and access management (IAM) market has matured considerably in recent years with numerous established and emerging platforms worth serious consideration. While certain recommended routes offer integration advantages, they’re not the only options:

• Full-featured identity governance platforms: Vendors focused specifically on identity governance and administration often provide deeper governance capabilities and more flexible customization options than general identity management and lightweight IGA solutions. While light IGAs can be handy, often offering out-of-the-box functionality – they frequently lack the robust features required for comprehensive, long-term governance and scalability.
• Hybrid IGA platforms: Designed to support on-prem, hybrid, and cloud deployment needs. For organizations working in a hybrid operational model or those planning a gradual migration to the cloud, these platforms can be an ideal solution.
• Open source software: Modern open-source identity platforms have gained significant enterprise adoption. These solutions now offer enterprise-grade features, professional support options, and active communities that contribute to their ongoing improvement, such as testing, answering community questions, and even developing custom connectors, providing maximum flexibility and customization potential.

Evaluate platforms based on your specific architecture and business needs – consider factors beyond brand recognition. It is worth examining community threads to understand real-world scenarios and engaging with companies with similar challenges. Also, ask for proof-of-concepts where possible.

When it comes to cost, think about the total cost of ownership, including licensing fees, implementation costs, ongoing maintenance, training requirements, and potential needs for external expertise.

Discover how midPoint’s open source IGA platform aligns with your unique needs and environment.

Explore midPoint.

The Strategic Path Forward That Shapes the Next Decade

Thousands of organizations affected by the end-of-life of the SAP IDM and MIM now face pivotal decisions about their identity management future. While vendor-recommended migration paths offer predictable routes, they may not represent optimal solutions for every environment. The key lies in approaching these decisions strategically rather than reactively.

Take time to understand options fully – evaluate solutions based on specific requirements rather than general market positioning, and consider long-term implications. Today’s identity management market offers mature alternatives across different deployment models, architectural approaches, and business models.

Starting evaluation processes early and considering the full spectrum of available solutions will ensure the chosen platforms support long-term organizational objectives. Remember, the decisions made today will impact your identity security operations for the next decade or two.

About Evolveum:
Evolveum is the organization behind midPoint, the leading open source IGA platform recognized as a complete IGA by both Gartner and KuppingerCole. MidPoint bridges the gap between IT and business, making it an ideal choice for organizations seeking digital transformation to enhance security and efficiency.

The post SAP IDM & MIM End-of-Life: How to Plan Your Identity Migration appeared first on Evolveum | Open Source Identity Management & Governance.

Behind the curtains, in our training course kitchen, a new course has been prepared. Now it’s leaving the kitchen – hot and ready to be served. The dish? MidPoint Deployment: Notification Configuration training, our new mini-course!

What Is a Mini-Course?

Inspired by its older siblings, a mini-course is a short, focused training course designed to be completed in just a few hours. Quick to consume – but packed with flavor and (hopefully) tasty. It’s designed to fit into your schedule. Delivered fully online – no travelling is needed.

What Is Inside?

The ingredients (objectives) of the mini-course are the following:

• Understand the notification mechanism – how and where notifications are configured
• Understand events, notifiers, and filters – the basic components and mechanisms behind notifications
• Configure basic notifiers – use notifications with default configuration, such as e-mail subject and body
• Customize notification configuration – customize the notification configuration, including e-mail subject, body, HTML support, attachments, and localization

Before taking this training course, make sure you have polished your silverware: complete the MidPoint Foundation Training series.

Are you hungry for knowledge?

Explore the course in more detail and see if it’s your taste.*

Bon appétit!

* Organizations that have been subscribed to Evolveum support for at least two years can request access for free, if they fulfil the prerequisites. Others can gain access by purchasing the Intermediate Configuration training and receiving a Certificate of Completion.

The post Now Serving: Notification Configuration Training Course appeared first on Evolveum | Open Source Identity Management & Governance.

International Women in Engineering Day² was established to celebrate the achievements and contributions of women engineers, to promote gender diversity, and to encourage more women to consider engineering as a career.b This year, in light of celebrating #inWed2025 and the theme #togetherweengineer, we at Evolveum would like to emphasize how important it is to make identity governance and administration more accessible to newcomers. This post offers practical suggestions how software vendors, integrators, and end users can become more welcoming, not only for women, but for anyone who is interested in joining this field.

1. Document Like You Want to Be Understood

Poor documentation is more than a tech debt issue; it is an inclusion issue. When contributors come from different backgrounds, speak different first languages, or lack corporate IGA experience, they rely heavily on documentation to onboard.

Inclusive IGA action:

• Use clear, plain language in how-tos and architecture docs.
• Provide small, runnable examples alongside theory.
• Flag sections that require advanced domain knowledge, and explain why.

Evolveum, as the vendor of an OSS platform, keeps everything public. Anyone can access the Support Portal, online technical documentation, midPoint’s code, etc. Hence, it is extremely important to us that a reader can easily navigate through our vast resources and comprehend it well. We are aware of improvements we need to make when it comes to our documentation and the language we use. One of our top priorities in the coming months and years is unifying the language with industry standards and simplifying, improving, and adding missing technical documentation.

2. Create a Clear Learning Path

Even with good documentation, newcomers may feel overwhelmed and not know where to start. Comprehensive and structured training can help them navigate through tons of materials and provide step-by-step guidance on how to work with a new piece of technology. This will ultimately give them confidence in their abilities to continue their education on their own.

Inclusive IGA action:

• Curate beginner-friendly training to introduce new technology.
• Where possible, link relevant parts of documentation to facilitate further study.
• Provide suggestions for the next steps upon successful completion.

Over the past couple of years, Evolveum has invested heavily in a new training curriculum, the MidPoint Foundation Training Series. Within the series, there are 3 training courses available in an online or a self-paced version that focus not only on building knowledge about IdM, IGA, and midPoint, but also to help newcomers with best practices and common situations they will encounter when entering this field. We even made the self-paced First Steps training available for free to anyone to help them get started.
Moreover, we published the Practical Identity Management with MidPoint book, which helps guide people who are just starting in this field in understanding both basic principles and more advanced topics.

3. Encourage Asking Questions Publicly

Private messages and insider communication channels often isolate information that could be beneficial to newcomers. Encourage people to ask questions in public spaces.

Inclusive IGA action:

• Create a safe space for your community to ask questions and engage with one another.
• Encourage public forums and Gitter discussions.
• Redirect questions asked privately into public spaces.

At Evolveum, we value the collective experience of our community and encourage newcomers to engage in a variety of ways. Questions can be asked through the mailing lists, which are also fully indexed and searchable via search engines. For more technical discussions, Gitter provides an active space, and we are also aware of ongoing public conversations on Reddit. We host online webinars where we give attendees the opportunity to ask questions in a form that suits them best – by unmuting themselves and directly asking the question, posting it in a chat, or writing it anonymously on Slido. During our recent MidPoint Community Meetup, there were opportunities to ask questions in person or anonymously on Slido as well.

4. Celebrate Contributions

For open source products, activities such as writing connector code, joining localization efforts, and configuring samples are vital to the entire IGA ecosystem. Regardless of the openness of the code, everyone can help by sharing a success story in a case study or writing a candid review on platforms like Gartner Peer Review.

Inclusive IGA action:

• Create comprehensive steps on how and where to contribute.
• Publicly recognize contributors and provide them space to shine.
• Encourage new members to contribute.

The midPoint community prides itself on its many contributions. Some of the examples include the collaborative efforts that added to the library of connectors with its almost 70 open code connectors, midPoint being translated into 20 languages, the expansion of the samples contribution directory, and case studies continuing to bring insights into real life examples.

5. Promote Diverse Voices in Content

If all webinars, blog posts, and case studies feature only one group, we risk reinforcing the image of who belongs in IGA.

Inclusive IGA action:

• Feature stories from different cultural and technical backgrounds.
• Use imagery and language that reflects a diverse global user base.

We are happy to see more and more women entering the IGA space, and we try to inspire others to join this field. At Evolveum, we publish a Women in IT blog post annually, each year highlighting the work of our female team members. In addition, last year we collaborated with engineers from the midPoint community who participated in #inwed24.

Inclusion isn’t about optics; it is about mindset. IGA projects can serve as platforms for equity, growth, and visibility, but we have to choose to build and run them that way. Ask yourself these questions often: Do we make time to onboard newcomers? Do we treat documentation as a first-class deliverable? Do we notice who isn’t in the room – and do we wonder why?

If you work on, contribute to, or deploy an IGA tool, this is an invitation to help shape a more inclusive ecosystem. Let’s build a welcoming IGA environment where everyone sees a point of entry, because #togetherweengineer.

If you would like to learn more about associations and societies that promote gender equality in IT and engineering, please consider visiting:

• The Society of Women Engineers
• The Women Engineering Society
• International Women in Engineering Day
• The Women in Engineering ProActive Network (WEPAN)
• IAM Her

1. Global Education Monitoring Report Team. (2024). Global education monitoring report 2024, gender report: Technology on her terms. UNESCO, https://unesdoc.unesco.org/ark:/48223/pf0000389406 ↩︎
2. International Women in Engineering Day, https://www.inwed.org.uk ↩︎

The post Women in Engineering 2025 – How to Make IGA More Inclusive appeared first on Evolveum | Open Source Identity Management & Governance.