I am considering the risks of migrating the user store in SiteMinder from SUN to CA directories.
I am not sure if it is possible; we may be (MAY BE only) able to engineer a user directory that may not need us to reconfigure applications, or that minimizes the effort of reconfiguring. This may need engineering work in dev to determine if this is possible.
I was standing on the skeptical side, that we need to reconfigure, based on the possibility that we may not be able to engineer 100% like to like in terms of OUs, groups, and response attributes; that would mean reconfiguring in multiple places (realms and policies).
Another risk is breaking applications during migration in production. If we try the not-reconfiguring approach, we would do a swap from SUN to CA. All the applications will point to CA directories. If some of the applications are not working and we cannot fix them right away, do we have to swap all back to SUN? If there are only 5 or 6 applications, I think I can fix them right away. (But they have 30 applications.) Some applications may need to be broken for a period of time, waiting to be fixed. (All fixable, though.)
If we do the reconfiguring approach, we can put SUN and CA in parallel and we can do it incrementally. The bad side is we need to reconfigure some policies one by one, pointing them to the new directories (lots of effort and time). Another point is that if both SUN and CA directories are up for a while, the data will be different. (We need another set of strategies to take care of this.) And if we cannot re-engineer 100% like to like, we need the reconfiguring effort.
I have been flip-flopping about which migration approach I should take. We don’t need to come up with a decision right away, but we need to walk through this at some point during the project. I am going to discuss this with the teams and communities.
Thanks and regards,