Migrating to the SecureAuth® Identity Platform on the cloud
Read this guidance to decide if your site is ready to migrate to the Identity Platform on the Intelligent Identity Cloud. This information is relevant to customers working in SecureAuth IdP version 9.3 and earlier.
Customers using SecureAuth IdP 9.3 will have the smoothest experience because 9.3 is the precursor to the Identity Platform. Organizations using SecureAuth IdP 9.1 and earlier can upgrade to SecureAuth IdP 9.2 and then migrate to the Identity Platform release 19.07.
Prerequisites
Use the following list to ensure your site is prepared to migrate to the Intelligent Identity Cloud:
Sites running SecureAuth IdP 9.3 can contact SecureAuth Support, who will assess if your site is ready for migration. See Contact SecureAuth Support.
Sites running SecureAuth IdP version 9.1 and earlier must upgrade to 9.2. SecureAuth IdP versions 9.1 and earlier cannot be migrated to the Intelligent Identity Cloud. After sites upgrade to 9.2, they can be migrated to the cloud. See Contact SecureAuth Support.
Cloud migration considerations
Use the following list to consider if migration is right for your site:
Sites must install and configure the SecureAuth Connector, but no longer need to use or maintain SecureAuth IdP appliances, which are required for SecureAuth IdP version 9.3 and earlier.
See SecureAuth Connector Installation to learn more.
The Identity Platform uses the New Experience user interface (UI) that was initially released in SecureAuth IdP 9.3. It also uses the Classic Experience user interface.
The Classic Experience offers automated migration of web.config from hybrid to cloud. Manually re-create the data stores in the New Experience, and then assign the data stores in the Classic Experience realms that were copied over through the automated migration.
SecureAuth continues to work toward feature parity between the Identity Platform New Experience and the Classic Experience. Until feature parity is achieved, migration will include configuring data stores in the Identity Platform New Experience and selecting the data store objects in the Classic Experience.
For example, applications must be created in the New Experience and assigned policies, and in release 19.07 existing applications in realms are automatically brought into the New Experience. As soon as the administrator assigns a policy to an application, the application is administered through the Identity Platform New Experience and is disabled in the realm.
Data stores:
Active Directory and Structured Query Language (SQL) are the supported data stores.
Pre-9.3 sites migrating to the Intelligent Identity Cloud must re-create data stores using the SecureAuth Connector because the SecureAuth IdP version 9.3 New Experience cannot be configured prior to migration.
9.3+ sites migrating to the Intelligent Identity Cloud do not need to re-create data stores, but must re-enter the credentials after installing the SecureAuth Connector.
The following data resides on the SecureAuth data store that is physically located on your site:
First Name
Last Name
Groups
Email, up to 4 addresses
Phone, up to 4 numbers
Aux ID 1 - 104
Profile fields stored in the Intelligent Identity Cloud are enabled by default and available based on configuration; for example, a configuration that includes Device Recognition is stored in the cloud and not in a site's directory.
Data stored on the Intelligent Identity Cloud includes profile data for SecureAuth authentication purposes.
Re-enrollment for features, such as TOTP, PIN, and other methods, is required because these values are now stored in the Intelligent Identity Cloud; re-enrollment is required If Biometric is enabled after initial enrollment.
TOTP in the Intelligent Identity Cloud is a true time-based one-time passcode. Once validated, end users cannot reuse the TOTP until the counter restarts.
The Identity Platform on the Intelligent Identity Cloud has its own domain name system (DNS) record that is different from the on-prem SecureAuth DNS.
The features in the Identity Platform Dashboard are available through the New Experience only.
The Radius service must be installed or migrated on a separate machine from the on-prem SecureAuth Connector.
Features not yet supported
The following list includes features not yet supported in the Identity Platform:
Integrated Windows Authentication (IWA): The Identity Platform on the cloud does not yet support IWA.
Data stores: The Identity Platform on the cloud supports Active Directory or Microsoft SQL Server data stores only.
Customizations: The current SecureAuth IdP version must not be customized. Minor customizations are allowed, such as changes to images and cascading style sheets (CSS).
Simple Certificate Enrollment Protocol (SCEP): The Identity Platform on the cloud does not yet support SCEP.
Role-based Access Control (RBAC): The Identity Platform on the cloud does not yet support RBAC.
Web services: The Identity Platform on the cloud does not yet support web services; multi-domain is supported.
Logging: Administrators cannot configure logs settings and cannot view raw logs except by contacting SecureAuth Support.
Web.config: Administrators cannot access the web.config file directly, and must contact SecureAuth Support to access it.
Remote Desktop Protocol (RDP): The Identity Platform on the cloud does not yet support RDP.
Contact SecureAuth Support
When your site is ready to begin migration, get started by creating a support ticket and selecting I would like to upgrade or migrate to a new IdP version from the "Submit a request" dropdown. A SecureAuth Project Manager will contact you and assist you with the migration.
Alternatively, you can contact Support through email or telephone at support.secureauth.com or 1-866-859-1526.