Hybrid IAM Coexistence: Running On-Premise and Cloud Identity Systems in Parallel

The day you decide to move identity to the cloud, you start a coexistence period. Whether it lasts 6 months or 3 years, your organization will run two identity systems simultaneously. Applications will live in both environments. Users will expect seamless SSO regardless of where the app is hosted. And any gap in the federation chain means someone can’t do their job. Getting hybrid IAM right is the difference between a controlled migration and a chaotic one. ...

Feb 05, 2026 · 6 min · 1105 words · IAMDevBox

IAM Platform Evaluation Framework: How to Choose Between Keycloak, Auth0, Okta, and Entra ID

Choosing an identity platform is a 5-year commitment. Switching costs are high — every application integration, every custom policy, and every user credential is tied to your IdP. Pick wrong and you’ll either overpay for years or hit scaling walls that require a painful re-platforming. This framework gives you a structured approach to the decision, based on factors that actually matter rather than vendor marketing. The Decision Matrix: Score each platform 1-5 on these factors, weighted by your organization’s priorities: ...

Feb 05, 2026 · 5 min · 1039 words · IAMDevBox

Password Hash Migration Between Identity Platforms: A Practical Guide

Every IAM migration eventually hits the password problem. Users have passwords stored as cryptographic hashes in the old system. You need those users in the new system without forcing all of them to reset their passwords on Day 1. Depending on the source and target platforms, this ranges from straightforward to genuinely painful. The Core Problem: Password hashes are one-way functions by design. You can’t reverse a bcrypt hash back to the original password. This means you have three options when migrating between identity platforms: ...

Feb 05, 2026 · 6 min · 1233 words · IAMDevBox

CIAM Architecture Patterns: Designing Customer Identity for Millions of Users

Workforce IAM and CIAM look similar on a whiteboard — both authenticate users and manage access. But the architecture is fundamentally different when your user base goes from 5,000 employees to 5 million customers. The scaling problems, the UX requirements, and the regulatory constraints all change. This guide covers the architectural patterns that make CIAM work at scale, drawn from real deployments.

Why CIAM Needs Different Architecture:

| Concern | Workforce IAM | CIAM |
|---|---|---|
| User count | 1K - 100K | 100K - 100M+ |
| Registration | IT-provisioned | Self-service |
| Identity source | Corporate directory | Social + email + phone |
| Session duration | 8-hour workday | Weeks to months |
| Latency tolerance | 500ms acceptable | 100ms expected |
| Consent management | Minimal | GDPR/CCPA mandatory |
| Branding | Consistent corporate | Per-product customization |
| Availability target | 99.9% | 99.99%+ |

You can’t take an Okta workforce deployment, add more users, and call it CIAM. The data model, the session architecture, and the user experience are structurally different. ...

Feb 05, 2026 · 6 min · 1126 words · IAMDevBox

LDAP Directory Modernization: Migrating from Legacy Directory Services to Cloud Identity

LDAP directories are the cockroaches of enterprise IT — they survive everything. Organizations that modernized their web apps to microservices and moved their databases to the cloud still have OpenLDAP or Active Directory at the center of their identity infrastructure, often running on hardware that should have been recycled years ago. The pressure to modernize is mounting. Windows Server 2025 tightens LDAP signing requirements. OpenLDAP’s maintainer situation remains precarious. And every new SaaS app wants OIDC or SAML, not an LDAP bind. ...

Feb 05, 2026 · 6 min · 1138 words · IAMDevBox

M&A Identity Integration: Merging Multiple Identity Providers After Acquisition

The deal closes on Friday. By Monday, people from both companies need to access shared resources, join Teams meetings, and reach each other’s internal tools. Meanwhile, Company A runs Okta, Company B runs Entra ID, and nobody planned for this during due diligence. This scenario plays out constantly in enterprise IT. Identity consolidation after M&A is consistently ranked as one of the top integration challenges, yet it rarely gets adequate attention before the deal closes. ...

Feb 05, 2026 · 6 min · 1173 words · IAMDevBox

On-Premise IAM to Cloud Migration: Planning Framework and Execution Strategy

Moving identity infrastructure from on-premises to cloud is not a weekend project. It touches every application, every user, and every compliance control in your organization. Get it wrong and people can’t log in on Monday morning. Get it right and you eliminate a significant chunk of infrastructure cost while gaining capabilities that on-prem systems can’t match. This framework is vendor-agnostic — whether you’re moving to Entra ID, Okta, Auth0, or Keycloak Cloud, the planning process is the same. ...

Feb 05, 2026 · 6 min · 1245 words · IAMDevBox

Keycloak Major Version Upgrade: Migration Guide from 21 to 26

Upgrading Keycloak across major versions is one of those tasks that looks simple on paper — download the new release, start it up, let Liquibase handle the database — but reliably creates production incidents when done without preparation. Between versions 21 and 26, Keycloak introduced several breaking changes that affect clustering, theming, SPIs, and configuration format. This guide covers what actually breaks at each version boundary and how to handle it. ...

Feb 05, 2026 · 7 min · 1285 words · IAMDevBox

ADFS to Keycloak Migration: Replacing Windows Federation with Open Source IAM

Not every organization wants to move from ADFS to Microsoft Entra ID. Some want to stay vendor-neutral, keep identity infrastructure on-premises, or simply avoid per-user licensing costs. Keycloak fills that gap — it handles SAML 2.0, OIDC, and integrates directly with Active Directory via LDAP federation. The migration isn’t trivial, though. ADFS and Keycloak have different architectural models, and some ADFS features don’t have direct Keycloak equivalents. This guide covers the practical steps, common blockers, and configuration patterns you’ll need. ...

Feb 05, 2026 · 6 min · 1095 words · IAMDevBox

ADFS to Microsoft Entra ID Migration: Complete Planning and Execution Guide

Microsoft is pushing hard to retire ADFS. The writing has been on the wall since 2023 when they started flagging ADFS deprecation in security advisories, and Windows Server 2025 makes it even clearer — ADFS is maintenance mode, no new features, and the migration tooling keeps getting better. If you’re still running ADFS in production, now is the time to plan your move. This guide walks through the full migration from ADFS to Microsoft Entra ID (formerly Azure AD), covering assessment, claim rules translation, staged rollout, and final decommission. ...

Feb 05, 2026 · 7 min · 1424 words · IAMDevBox

Automating ForgeRock DS Replication Setup with Ansible Playbooks

ForgeRock Directory Services (DS) replication setup involves configuring multiple instances of DS to replicate data across different nodes, ensuring high availability and redundancy. This process can be manual and time-consuming, especially in large environments. Automating it with Ansible playbooks can significantly streamline the process, making it more efficient and less prone to errors. What is ForgeRock DS replication setup? It means configuring multiple instances of ForgeRock Directory Services to replicate data across nodes for high availability and redundancy: if one node fails, another can take over without data loss, maintaining service continuity. ...

Feb 04, 2026 · 4 min · 660 words · IAMDevBox

CIAM for Finance: Fighting Fraud in the Age of AI Agents

Why This Matters Now: The surge in AI-powered chatbots and virtual assistants has transformed customer interactions in the finance sector. However, this shift also introduces new vulnerabilities that can be exploited by fraudsters. According to a recent report by Gartner, AI-driven attacks are expected to rise by 30% in the next two years. Financial institutions need robust Customer Identity and Access Management (CIAM) solutions to safeguard customer identities and prevent fraud. ...

Feb 04, 2026 · 5 min · 1008 words · IAMDevBox

AI is Flooding IAM Systems with New Identities

Why This Matters Now: The integration of AI into various aspects of software development and operations has led to a surge in the number of identities managed by Identity and Access Management (IAM) systems. From chatbots to machine learning models, AI is generating and managing identities at an unprecedented rate. This trend is particularly critical as it introduces new complexities and security risks that traditional IAM systems are not fully equipped to handle. ...

Feb 02, 2026 · 8 min · 1548 words · IAMDevBox

PingFederate SAML Configuration: Enterprise Federation Setup Guide

PingFederate SAML configuration involves setting up Security Assertion Markup Language (SAML) for secure enterprise federation, enabling single sign-on (SSO) between identity providers (IdPs) and service providers (SPs). This guide will walk you through the process, including common pitfalls and best practices. What is SAML? SAML is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider. It allows users to log into multiple applications with a single set of credentials. ...

Feb 01, 2026 · 5 min · 917 words · IAMDevBox

Week in Review: Microsoft Fixes Exploited Office Zero-Day, Fortinet Patches FortiCloud SSO Flaw

Why This Matters Now: The past week brought two significant security alerts that highlight the ongoing battle against cyber threats. Microsoft addressed an exploited zero-day vulnerability in Office, while Fortinet patched a critical flaw in FortiCloud Single Sign-On (SSO). These vulnerabilities underscore the importance of staying vigilant and proactive in securing your infrastructure. 🚨 Security Alert: Microsoft and Fortinet have released critical patches. Ensure your systems are up to date to prevent exploitation. Potential victims: millions. Time to patch: 24 hrs. Timeline of Events: December 10, 2024: Microsoft discovers a zero-day vulnerability in Office. ...

Feb 01, 2026 · 4 min · 811 words · IAMDevBox

Auth0 B2B Billing: Should You Pick a Monthly or Annual Plan?

Why This Matters Now Launching a B2B application with robust identity and access management (IAM) is crucial, but deciding on the right billing plan can be overwhelming. With Auth0, you face a critical decision: monthly or annual billing? This choice isn’t just about cost; it directly impacts your development process, financial planning, and overall business strategy. As of January 2024, many startups and established businesses are grappling with this decision, especially after the recent surge in cloud-based services and the need for flexible pricing models. ...

Jan 31, 2026 · 5 min · 1047 words · IAMDevBox

ForgeRock Infrastructure as Code: Terraform Provider for Identity Management

ForgeRock Infrastructure as Code allows you to manage and provision ForgeRock Identity Management resources using declarative configuration files. This approach brings the benefits of Infrastructure as Code (IaC) to identity management, enabling consistent deployments, easier maintenance, and improved security. What is ForgeRock Infrastructure as Code? ForgeRock Infrastructure as Code leverages the Terraform provider to automate the deployment and management of ForgeRock Identity Management components. By defining your identity management setup in Terraform configuration files, you can ensure consistency across environments and simplify the process of making changes. ...

Jan 30, 2026 · 5 min · 926 words · IAMDevBox

CISA Warns of FortiCloud SSO Authentication Bypass Flaw Actively Exploited by Hackers

Why This Matters Now: In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding a critical authentication bypass flaw in FortiCloud Single Sign-On (SSO). This vulnerability has already been exploited by hackers, putting organizations relying on FortiCloud SSO at significant risk. If you haven’t already addressed this issue, your systems could be compromised. 🚨 Security Alert: FortiCloud SSO authentication bypass flaw actively exploited by hackers. Apply patches and harden configurations immediately. Active attacks: 100+. Time to patch: 24 hrs. Understanding the Vulnerability: The vulnerability lies in the way FortiCloud SSO handles authentication requests. Attackers can exploit this flaw to bypass the authentication process, gaining unauthorized access to systems and networks protected by FortiCloud SSO. This is particularly concerning for organizations that rely on SSO for secure access management. ...

Jan 30, 2026 · 6 min · 1066 words · IAMDevBox

CVE-2026-24858: FortiOS SSO Zero-Day Exploited in the Wild - SOC Prime

Why This Matters Now: The recent exploitation of CVE-2026-24858 in FortiOS SSO has compromised several high-profile organizations. This zero-day vulnerability allows attackers to bypass authentication mechanisms, leading to unauthorized access to internal systems and sensitive data. If you’re running FortiOS, this is urgent. 🚨 Breaking: CVE-2026-24858 exploited in the wild, affecting FortiOS SSO. Patch immediately to prevent unauthorized access. Organizations affected: 100+. Time to patch: 24 hrs. Timeline of Events: Dec 10, 2024: Vulnerability first reported to Fortinet. ...

Jan 29, 2026 · 4 min · 730 words · IAMDevBox

Keycloak Custom Authentication Flows: Building Advanced Login Journeys

Custom authentication flows in Keycloak allow you to define unique login processes tailored to specific application needs. Whether you need multi-factor authentication, social logins, or custom policies, Keycloak provides the flexibility to create these journeys with ease. In this post, we’ll walk through building custom authentication flows, common pitfalls, and best practices to ensure your login processes are both secure and efficient. What are Keycloak Custom Authentication Flows? Instead of relying on the default flows, you can create flows that include additional steps, such as OTP verification, social logins, or custom policies. ...

Jan 28, 2026 · 7 min · 1381 words · IAMDevBox