SAP IDM End-of-Life as a Strategic Inflection Point
SAP Identity Management (IDM) is SAP’s traditional identity lifecycle management solution and has served as its on-premises solution for two decades. Organizations have used SAP IDM to manage user identities, provisioning and deprovisioning, access rights management, and lifecycle processes across SAP environments.
SAP is shifting its IDM security roadmap by moving away from the legacy IDM tool and adopting a cloud-first identity governance model. According to SAP’s official channels, mainstream maintenance for SAP Identity Management 8.0 will end on 31st December 2027, and extended maintenance will be available until 2030 at an additional cost. This is not a ‘like-for-like’ product replacement. SAP is transitioning its IGA strategy by partnering with Microsoft, positioning Microsoft Entra ID as the primary solution for enterprise-wide identity lifecycle management, while SAP Cloud Identity Services handles the specialized integration within the SAP ecosystem.
SAP is moving away from continuous development of the on-premises Identity Governance and Administration (IGA) tool. Rather than a simple technology refresh, this is a broader shift toward cloud-centric identity, access governance, and compliance models, with Microsoft Entra ID as the enterprise-wide focus. By moving identity logic out of custom IDM scripts and into a standardized governance layer like Pathlock or Microsoft Entra ID, organizations support the ‘Clean Core’ initiative, reducing custom technical debt within the ERP and ensuring easier future upgrades to S/4HANA.
SAP IDM End of Maintenance and Its Implications
End of Maintenance Timeline
SAP follows its standard software lifecycle policy, but this transition differs in one important respect: there will be no new version. Unlike previous cycles, there is no IDM 9.0. SAP Identity Management 8.0 is the final functional release, so the move to a new architecture is a mandatory migration rather than an upgrade. Because SAP has set official deadlines for IDM 8.0, the migration window is narrowing.
Until December 31, 2027, the end of mainstream maintenance, SAP will provide full support, including bug fixes, security patches, and support for new browser versions and operating systems.
Organizations that cannot migrate by 2027 can use the extended maintenance program, typically at increased licensing costs, which focuses on critical issues; no new features or enhancements will be developed or supported.
Customers are encouraged to plan migrations well ahead of these deadlines to avoid risks and disruptions to business activities. According to experts, a typical IAM migration is a complex, long-running project; for a large organization it takes between 18 and 36 months. In February 2024, SAP officially announced the sunsetting of SAP IDM, providing the market with a clear timeline for the 2027 mainstream maintenance cutoff and giving organizations ample time to migrate. However, starting the planning phase in 2026 (the time of this article’s publication) is considered critical to meet the 2027 cutoff date, reduce risk, and control costs.
What’s Changing in the IAM Landscape?
SAP IDM 8.0 is a Java-based solution running on SAP NetWeaver that relies on the Virtual Directory Server (VDS) for LDAP-based integrations and a central SQL database for its Identity Store. Modern cloud-native solutions replace this complex, script-heavy infrastructure with API-driven (REST/SCIM) connectivity.
The modern SAP IAM landscape includes Cloud- and SaaS-based applications, System for Cross-domain Identity Management (SCIM), and REST APIs, with a focus on configuration over coding, especially no-code/low-code workflow builders, enabling faster deployments and easier updates.
SAP customers don’t just run SAP ECC; they have adopted a mix of on-premises and cloud S/4HANA, SAP SuccessFactors, SAP Business Technology Platform (BTP), and hybrid SAP environments, and they integrate non-SAP SaaS applications such as ServiceNow and Salesforce. SAP IDM struggled to integrate and manage cloud-native features such as Just-in-Time (JIT) access provisioning, a standard modern security requirement.
Additionally, cloud-based identity management solutions manage a broader set of identities, including partners, contractors, non-human identities (e.g., bots, IoT devices, and service accounts), and employees.
SAP did not announce a direct successor to SAP IDM within its product line; instead, it encouraged customers to focus on its cloud services, SAP Cloud Identity Services (CIS), or partner services such as Microsoft Entra ID. Microsoft has already begun offering migration guidance to SAP customers, serving as a preferred bridge for the SAP identity lifecycle.
SAP’s Identity Direction: Cloud Identity Services
What are SAP Cloud Identity Services?
SAP Cloud Identity Services serves as a hub for all SAP cloud environments, providing a seamless user experience across SAP ecosystems and supporting modern security standards, including Security Assertion Markup Language (SAML), OpenID Connect (OIDC), System for Cross-Domain Identity Management (SCIM), and X.509. SAP Cloud Identity Services, such as Identity Authentication (IAS), Identity Provisioning (IPS), and Identity Directory (IDS), are the center of SAP’s cloud Identity and Access Management strategy, simplifying authentication and provisioning across SAP cloud applications.
- Identity Authentication Service functions as an identity provider and can federate with an existing corporate IdP, such as Okta or Microsoft Entra ID. It manages Single Sign-On, self-service password management, and Multi-Factor Authentication.
- Identity Provisioning (a service of SAP Cloud Identity Services) acts as the technical connector, synchronizing identities between SAP and non-SAP systems via the SCIM standard, effectively replacing the connectors previously managed by the SAP IDM Identity Center.
- Identity Directory Service serves as a central repository for keeping user profiles and attributes within the SAP cloud, enabling consistent user data synchronization in different SAP applications.
- Authorization Management Service enables organizations to manage access policies to resources based on user values or business object attributes.
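To make concrete what the earlier contrast between script-heavy connectors and API-driven (REST/SCIM) connectivity means, and what the SCIM synchronization performed by Identity Provisioning looks like on the wire, here is an added example that is not code from this article, from SAP, or from Microsoft. It runs a joiner-to-leaver cycle against an in-memory stand-in for a target application's SCIM `/Users` endpoint; the HR record, attribute mapping, and endpoint behaviour are all constructed for illustration and are not SAP Identity Provisioning or Entra ID behaviour.

```python
"""Constructed example: a SCIM 2.0 user lifecycle exchange (joiner -> leaver).

The in-memory server stands in for a target application's SCIM endpoint.
It is not SAP Identity Provisioning, Microsoft Entra ID, or any real SCIM server.
"""
import copy
from typing import Dict

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class InMemoryScimServer:
    """Minimal stand-in for a SCIM /Users endpoint (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self._next_id = 1

    def create_user(self, body: dict) -> dict:
        """POST /Users: validate the core schema and enforce userName uniqueness."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("missing core User schema")
        if not body.get("userName"):
            raise ValueError("userName is required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("userName already exists")
        user = copy.deepcopy(body)
        user["id"] = str(self._next_id)  # server-assigned identifier
        self._next_id += 1
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return copy.deepcopy(user)

    def patch_user(self, user_id: str, body: dict) -> dict:
        """PATCH /Users/{id}: apply 'replace' operations on top-level attributes."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("missing PatchOp schema")
        user = self.users[user_id]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                raise ValueError("only 'replace' is supported in this example")
            user[op["path"]] = op["value"]
        return copy.deepcopy(user)

    def get_user(self, user_id: str) -> dict:
        """GET /Users/{id}."""
        return copy.deepcopy(self.users[user_id])


def hr_record_to_scim(record: dict) -> dict:
    """Map a constructed HR record to a SCIM User resource.

    This attribute mapping is what replaces a custom connector script:
    it is declarative configuration rather than code.
    """
    return {
        "schemas": [USER_SCHEMA],
        "externalId": record["employee_id"],
        "userName": record["email"],
        "name": {"givenName": record["first_name"], "familyName": record["last_name"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": record["status"] == "active",
    }


def deprovision(server: InMemoryScimServer, user_id: str) -> dict:
    """Leaver step: disable the account rather than delete it, so the audit trail survives."""
    patch = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return server.patch_user(user_id, patch)


def run_joiner_leaver_cycle() -> dict:
    """Joiner -> leaver against the stand-in endpoint; returns the final user resource."""
    server = InMemoryScimServer()
    # Constructed HR record; not real personal data.
    hr = {"employee_id": "E-1001", "email": "a.example@corp.example",
          "first_name": "Ada", "last_name": "Example", "status": "active"}
    created = server.create_user(hr_record_to_scim(hr))
    # A re-run of the joiner flow must be rejected by the uniqueness check, not create a duplicate.
    try:
        server.create_user(hr_record_to_scim(hr))
        raise RuntimeError("duplicate create should have been rejected")
    except ValueError:
        pass
    return deprovision(server, created["id"])


if __name__ == "__main__":
    print(run_joiner_leaver_cycle())
```

The deprovisioning step deliberately sets `active` to `false` instead of issuing a DELETE: a disabled account keeps its ownership and history visible for review, which is the lifecycle behaviour a governance layer needs to certify.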
SAP Cloud Identity Access Governance (IAG)
SAP IDM focuses on the identity lifecycle, while SAP Cloud Identity Access Governance (IAG) also provides governance and compliance services. It is primarily positioned as a cloud access governance service rather than a replacement for full SAP IDM. SAP IAG provides a self-service portal for users to request access and for managers to certify whether users still need their current access. It also offers access request workflows, role design, and a real-time access analysis service based on segregation of duties (SoD) to ensure users do not have conflicting roles, e.g., creating and approving vendors.
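The segregation-of-duties analysis described above, as an added example that is not SAP IAG code and not part of this article: roles map to business functions, rules name the function combinations that conflict, a detective check reports existing violations, and a preventive check simulates a requested role before it is granted. Role names, function codes and rule IDs are invented for illustration; the "create vendor and approve vendor" rule mirrors the example in the text.

```python
"""Constructed example: segregation-of-duties (SoD) analysis over role assignments.

Role names, function codes and rule IDs are invented; they are not SAP IAG or
Pathlock rule content.
"""
from typing import Dict, List, Set, Tuple

# Which business functions each role grants (constructed).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"VENDOR_APPROVE", "INVOICE_APPROVE"},
    "PAYMENT_RUN": {"PAYMENT_EXECUTE"},
    "AUDITOR": {"REPORT_VIEW"},
}

# SoD rules: a user who holds every function in the set has a conflict.
SOD_RULES: List[Tuple[str, str, Set[str]]] = [
    ("SOD-01", "Create a vendor and approve the same vendor", {"VENDOR_CREATE", "VENDOR_APPROVE"}),
    ("SOD-02", "Enter an invoice and approve an invoice", {"INVOICE_ENTER", "INVOICE_APPROVE"}),
    ("SOD-03", "Approve an invoice and execute the payment run", {"INVOICE_APPROVE", "PAYMENT_EXECUTE"}),
]


def effective_functions(roles: Set[str]) -> Set[str]:
    """Union of the functions granted by a set of roles; unknown roles grant nothing."""
    funcs: Set[str] = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_conflicts(roles: Set[str]) -> List[str]:
    """Detective check: IDs of the rules a user's current roles violate, in rule order."""
    funcs = effective_functions(roles)
    return [rule_id for rule_id, _, required in SOD_RULES if required <= funcs]


def simulate_grant(current_roles: Set[str], requested_role: str) -> List[str]:
    """Preventive check at request time: conflicts the requested role would newly introduce."""
    before = set(find_conflicts(current_roles))
    after = set(find_conflicts(current_roles | {requested_role}))
    return sorted(after - before)


def analyze(assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Certification-style report: user -> violated rules, omitting users with none."""
    report: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        conflicts = find_conflicts(roles)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    # Constructed assignments for a demo run.
    sample = {"alice": {"AP_CLERK"}, "bob": {"AP_MANAGER", "PAYMENT_RUN"}}
    print(analyze(sample))
    print(simulate_grant({"AP_CLERK"}, "AP_MANAGER"))
```

The distinction between `find_conflicts` and `simulate_grant` is the one the text draws between certification (reviewing access users already hold) and real-time analysis (blocking or escalating a request before the conflicting role is assigned).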
Role of Partners
SAP explicitly informed customers that it is not building a replacement for complex, custom-scripted SAP IDM workflows, and emphasized that they should integrate with partner IAM and governance solutions to address their complex lifecycle, compliance, and hybrid governance needs. Microsoft is a strategic partner, and its Entra ID is the recommended solution for the entire enterprise. Customers are expected to assemble future-state architectures using SAP services and other specialized partners, such as Pathlock Cloud, or to engage SAP implementation partners, including PwC, Deloitte, and EY.
Pathlock Cloud as an SAP IDM Migration Option
Pathlock’s Position in the SAP Ecosystem
Pathlock is an official SAP strategic partner for organizations transitioning away from SAP Identity Management following its end-of-life announcement. It specializes in Identity Governance and Administration (IGA) and Application Access Governance (AAG). Pathlock is designed to fill the gap between on-premises identity management and modern cloud governance. Pathlock provides a deep governance layer for the granular complexities of SAP security, such as transaction codes, objects, and authorizations. It helps organizations to govern access and compliance across SAP and non-SAP environments during or after SAP IDM retirement.