Operations

Migrating user accounts with zero downtime

September 6, 2025

Introduction

As organizations grow, so do their authentication and licensing needs. Migrating user accounts between identity providers without downtime is a critical challenge for DevOps and IT teams. In this post, we'll explore a practical approach to achieving this, using a combination of dual-write strategies, phased cutover, and hash migration techniques. We'll also cover rollback plans to ensure business continuity.

Why Migrate User Accounts?

Many organizations use multiple identity providers, such as OAuth2, SAML, or custom LDAP systems. Over time, these systems can become siloed, leading to inconsistencies in user data, access control, and licensing. Migrating user accounts between these providers ensures a unified and secure user experience.

Key Considerations

  • Consistency: Ensure that user data is synchronized across all identity providers.
  • Security: Protect user data during migration and ensure that access controls are updated.
  • Availability: Maintain service availability during and after migration.
  • Rollback: Have a clear plan in place to revert changes if issues arise.

Warning: Migrating user accounts can be complex. Always test your migration plan in a staging environment before applying it to production.

Dual-Write Strategies

A dual-write strategy involves writing user data to both the source and destination identity providers simultaneously. This ensures that user data is available in both systems during the migration process.

For example, using Bastionary, you can configure dual-write for user accounts by setting up a user_migrate policy that writes to both the source and destination identity providers. This allows for a seamless transition without downtime.


      {
        "policy": "user_migrate",
        "type": "dual_write",
        "sources": ["auth_provider_1"],
        "destinations": ["auth_provider_2"],
        "hash": "sha256"
      }

Phased Cutover

A phased cutover involves gradually moving user accounts from the source to the destination identity provider. This approach minimizes risk and allows for a more controlled migration process.

For example, you can start by migrating a subset of user accounts, then gradually increase the number of users migrated. This allows you to monitor the impact of the migration and make adjustments as needed.

Hash Migration

Hash migration is a technique used to ensure that user data is consistent across identity providers. By using a hash algorithm such as SHA-256, you can verify that user data has been correctly migrated and is consistent across both systems.

This is particularly useful when migrating user accounts between different identity providers, as it ensures that user data is not duplicated or lost during the migration process.

Rollback Plans

Having a clear rollback plan is essential to ensure business continuity in the event of migration issues. A rollback plan should include the following:

  • Backup: Ensure that user data is backed up before migration.
  • Reversion: Have a clear plan in place to revert changes if issues arise.
  • Monitoring: Continuously monitor the migration process to detect and address issues early.

Tip: Always test your rollback plan in a staging environment before applying it to production.