The maintenance deadlines are confirmed. The replacement options are clear. The question is whether you address this proactively or reactively — and the answer has significant consequences either way.
Deadline, Dec 2025: SAP IDM extended maintenance ends. No further patches or security fixes after this date for organizations on standard maintenance.
Deadline, Dec 2027: SAP IDM end of mainstream maintenance. All support ends. Organizations still running SAP IDM after this date are running unsupported identity management infrastructure.
The question is not whether to migrate. The question is whether you do it on your terms or under pressure.
If you run SAP and you are still using SAP Identity Management (SAP IDM, also known as NetWeaver Identity Management), you have received or will receive communication from SAP about the end-of-life timeline for this product. The dates above are confirmed. Extended maintenance for SAP IDM ended in December 2025. Full mainstream maintenance ends in December 2027.
What those dates mean in practice is this: after December 2027, SAP will no longer release security patches, bug fixes, or compliance updates for SAP IDM. An organization running SAP IDM after that date is running identity management infrastructure that will not be patched against new vulnerabilities, will not be updated to reflect changes in SAP's authorization model, and will progressively become a compliance liability as auditors start asking whether the identity management system itself is supported.
This post explains exactly what is happening, what the three realistic paths forward look like, and why the timing of your next SAP renewal conversation matters more than most people realize. It is written for IT Directors, SAP Basis leads, and CISOs at manufacturing companies who need to brief their board or their CFO on what this means and what to do about it.
What SAP IDM actually does — and what you lose when it goes
SAP IDM is the identity lifecycle management system that most SAP customers implemented between 2008 and 2018. It handles the core identity processes that any manufacturing compliance program needs: provisioning new users with the right SAP roles when they join, modifying access when they change roles, and deprovisioning access when they leave. It also runs workflows for access requests, approvals, and attestation campaigns.
For organizations that implemented it properly, SAP IDM is deeply embedded. The provisioning workflows are customized to the organization’s role model. The approval hierarchies reflect the actual reporting structure. The integration with HR — whether SAP HCM, SuccessFactors, or an external HR system — is configured and running. Replacing it is not a plug-and-play exercise.
The capabilities at risk when IDM is retired fall into three categories.
Joiner-mover-leaver lifecycle management: automated provisioning and deprovisioning of SAP access based on HR events. Without this, access changes become manual -- a significant operational risk and an audit finding waiting to happen.
Access request and approval workflows: the self-service portal where employees request additional access, managers approve it, and the audit trail is generated automatically. Without this, access requests go back to email and spreadsheets.
Access certification and attestation: the periodic review where managers confirm that their direct reports' access is still appropriate. Without this, access accumulates unchecked -- exactly the condition that creates the SoD violations described in our previous post.
After December 2027, SAP IDM will not be patched against new vulnerabilities. Running unsupported identity infrastructure is itself a compliance finding.
Why your next SAP renewal is the moment to act
Most manufacturing organizations have annual or multi-year SAP support agreements that come up for renewal. The IDM sunset creates a specific dynamic around these renewals that is worth understanding before you sit down with your SAP account manager.
SAP's preferred migration path for IDM customers is SAP Identity Authentication Service (IAS) combined with SAP Identity Provisioning Service (IPS) — cloud-based services included in SAP's Business Technology Platform offering. SAP will naturally propose this path in your renewal conversation. It is a legitimate option for some organizations. It is not the right answer for all of them.
The renewal moment matters because it is when budgets are being discussed, when the conversation about SAP's product direction is already open, and when the decision-makers are engaged. An IDM migration is a significant project — typically 6 to 12 months depending on the complexity of the existing implementation. Starting that conversation at renewal, rather than 6 months before the December 2027 deadline, gives you time to evaluate properly rather than choosing under pressure.
The organizations that will be in the most difficult position are those that ignore this issue through 2026, arrive at their 2027 renewal under deadline pressure, and accept whatever SAP proposes without having evaluated the alternatives. Those organizations will pay a premium for the urgency and will implement whatever is fastest rather than whatever is best. The SAP identity management sunset is not a rumor or a roadmap note — it is a confirmed product lifecycle decision with published dates.
The three paths forward — an honest assessment
There are three realistic options for organizations currently running SAP IDM. Each has legitimate use cases. The right answer depends on your specific SAP landscape, your existing governance maturity, and your strategic direction.
The SAP-native path -- Migrate to SAP IAS and IPS
SAP Identity Authentication Service + Identity Provisioning Service
SAP's cloud-native replacements for the core functions of SAP IDM. IAS handles authentication -- SSO, MFA, and identity federation. IPS handles provisioning -- moving identity data between HR source systems and SAP target systems.
What works in your favor
Stays within the SAP ecosystem -- familiar tooling and support relationship
Included in BTP entitlements for many SAP customers -- may reduce additional licensing cost
Strong integration with S/4HANA and SuccessFactors
SAP-supported path -- clearest audit defensibility for the migration itself
What to watch out for
IAS and IPS together do not replicate all SAP IDM capabilities -- access request workflows and attestation campaigns require additional BTP services
Governance remains SAP-boundary only -- Entra ID, ServiceNow, Salesforce not natively covered
Customization depth is more limited than SAP IDM — complex workflow logic may not migrate cleanly
Cloud dependency -- organizations with data sovereignty requirements need to verify BTP data residency
Verdict
Best fit for organizations with simple SAP IDM implementations, strong SAP partnership, and limited non-SAP governance requirements. If your identity governance problem is entirely within SAP, this is a reasonable path.
The deferral path -- Extend SAP IDM maintenance
Buy more time -- with a plan
SAP offers extended maintenance arrangements beyond the standard December 2027 deadline for customers with a documented migration plan. This is not ongoing mainstream support -- it is a time-limited extension at higher cost designed to give organizations structured time to migrate.
What works in your favor
Buys time for a proper migration rather than a rushed one
Allows organizations to time the migration with a natural SAP upgrade cycle
Maintains current functionality during the extension period
What to watch out for
Extended maintenance costs more than standard maintenance
The extension is finite — it defers the problem, it does not solve it
Security patching during extended maintenance is more limited than mainstream support
Organizations that defer without a migration plan will face the same deadline pressure later at higher cost
Verdict
Legitimate as a bridging strategy if you have a documented migration plan and a specific milestone you are timing the migration to. Not legitimate as a way to avoid the decision entirely. If you are extending without a plan, you are paying extra to delay an inevitable and increasingly expensive conversation.
The governance expansion path -- Migrate to a third-party IGA platform
Solve the bigger problem -- SAP and beyond
A third-party IGA platform replaces SAP IDM with a full identity governance and administration solution that covers SAP and every other system in the organization. This path treats the IDM sunset as an opportunity to solve a larger problem: governing the complete identity landscape, not just the SAP boundary.
What works in your favor
Covers the full identity surface -- SAP, Microsoft, ServiceNow, Workday, Salesforce in one platform
Pre-built SoD rules for manufacturing environments eliminate the cold-start problem
Access certifications, access requests, and JML lifecycle across all systems
Modern cloud-native architecture without the technical debt of SAP IDM customizations
The migration is an upgrade -- capabilities SAP IDM never had, including SoD detection
What to watch out for
More complex migration than the SAP-native path -- requires connector configuration for all target systems
Requires evaluation and selection of a platform -- adds time if started late
Change management: users and approvers need to learn a new interface
Implementation timeline typically 6-12 months -- starting in 2026 is the right window
Verdict
Best fit for organizations whose identity governance problem extends beyond SAP -- companies running Microsoft infrastructure, ServiceNow, Workday, or Salesforce that want a single governance platform. The IDM sunset is the forcing function that makes this IGA migration investment easier to justify — and 2026 is the window to execute it correctly.
The five questions to answer before your next renewal
Before you sit down with your SAP account manager or start an RFP process, there are five questions worth answering internally. The answers will tell you which of the three paths is right for your organization.
1. How much of your identity lifecycle is SAP-only?
If your organization's identity governance problem is entirely contained within SAP -- if the only system you need to provision access to is SAP ECC or S/4HANA -- then the SAP IAS and IPS path is a reasonable answer. If your users also need access to Microsoft 365, ServiceNow, Salesforce, or any non-SAP system through a governed provisioning process, then a third-party IGA platform will solve a meaningfully larger problem for a comparable investment.
2. How complex is your existing SAP IDM customization?
SAP IDM customizations are written in SAP's proprietary scripting language and are deeply specific to each implementation. The more customized your IDM deployment is, the harder and more expensive the migration -- regardless of which path you choose. Before any migration conversation, document what your IDM actually does: which workflows exist, which approval hierarchies are configured, which HR integrations are running. That documentation becomes the requirements specification for the migration.
3. Do you have SoD controls today -- and where are they?
SAP IDM does not perform SoD detection. It provisions access based on roles -- it does not check whether the combination of roles a user holds creates a dangerous conflict. If your organization has SoD controls, they exist separately -- in SAP GRC, in a manual spreadsheet-based review, or in a third-party tool. The IDM migration is the right moment to ask whether the replacement platform should also handle SoD detection, or whether SoD remains a separate workstream. A third-party IGA platform that handles both JML lifecycle and SoD detection in one system significantly reduces the operational complexity of your compliance program.
4. What does your 2027 audit obligation look like?
If your organization is SOX-reporting, operates under IFC requirements, or is subject to COBIT-aligned controls assessments, your auditor will eventually ask about the identity management system itself -- specifically, whether it is supported, patched, and operating under change management controls. An unsupported SAP IDM deployment after December 2027 is a finding in waiting. Factor this into the migration timeline: a migration completed in early 2027 gives you a full audit cycle on the new platform before the deadline arrives.
5. When is your next SAP contract renewal?
This is the most practically important question. If your SAP contract renews in the next 12 months, you have a natural moment to have the IDM migration conversation with your SAP account manager and with potential alternative providers. If your renewal is more than 18 months away, you have time for a proper evaluation and implementation without timeline pressure. If your renewal is more than 24 months away, the December 2027 deadline should still be on your radar but is not yet urgent.
The organizations that handle this well will start the evaluation in 2026 and complete the migration in early 2027. The organizations that handle it poorly will start in late 2026 under deadline pressure and make a rushed decision they spend years regretting.
What a migration from SAP IDM to a third-party IGA platform actually looks like
For organizations considering the third path, migration to a third-party IGA platform, the practical shape of the migration is worth understanding before the evaluation begins. A well-structured migration from SAP IDM to a modern IGA platform follows four phases.
Discovery and documentation takes 4-6 weeks and produces the complete inventory of what SAP IDM currently does — every workflow, every approval hierarchy, every HR integration, every connected system. This documentation exists in almost no organization before the migration starts; creating it is the first task regardless of which path is chosen.
Connector configuration and role model migration takes 6-8 weeks. The IGA platform connects to SAP via native connector, maps the existing role model, and begins receiving HR events for provisioning. This phase runs in parallel with SAP IDM for a period — both systems are active, but new changes flow through the new platform.
Workflow and approval migration takes 4-6 weeks. Access request workflows, approval hierarchies, and attestation campaign configurations are rebuilt in the new platform. For complex IDM implementations this is the most time-consuming phase.
Parallel run and cutover takes 2-4 weeks. Both platforms run in parallel processing the same events. Discrepancies are identified and resolved. Cutover to the new platform as the system of record is followed by a decommission plan for SAP IDM.
Total timeline: 16-24 weeks for a typical implementation. Starting in Q1 2026 delivers a completed migration well ahead of the December 2027 deadline with time for a full audit cycle on the new platform before the deadline.
What to do now
If you are currently running SAP IDM, there are three actions worth taking before your next renewal conversation regardless of which migration path you ultimately choose.
First, document what SAP IDM currently does in your environment. This takes 2-4 weeks and is required for any migration path. The documentation becomes the requirements specification for the migration and the benchmark against which any replacement platform is evaluated. Without this documentation, any migration starts blind.
Second, identify your renewal date and map it against the 2027 deadline. If your renewal is in 2026, the conversation needs to start now. If your renewal is in 2027, you have a narrowing window before deadline pressure becomes a factor in the decision.
Third, run a migration readiness assessment before committing to a path. This is a structured evaluation of your current SAP IDM implementation, your identity governance requirements beyond SAP, and the realistic options for meeting those requirements. A good assessment takes 2-3 weeks and saves months of misdirected implementation effort. For manufacturing companies with active SOX or IFC obligations, a completed migration before the December 2027 deadline is a manufacturing compliance requirement, not just a best practice.
Three resources for SAP IDM migration planning
The OpenIAM SAP IDM migration guide covers all three paths, the full feature parity table, and a week-by-week deployment approach.
1. SAP IDM migration page -- the full comparison of migration paths, functional parity table, and three-path decision framework: openiam.com/solutions/sap-compliance/sap-idm-replacement
2. Migration readiness assessment -- a short structured questionnaire that identifies where you are in the migration process and what the recommended next steps are for your specific situation: openiam.com/contact-sales
3. SAP SoD Risk Reference -- if the migration conversation also surfaces questions about SoD controls, this document covers the full manufacturing SoD rule set with T-codes, control objectives, and remediation guidance: openiam.com/resources/sap-sod-guide
Frequently asked questions
Common questions about SAP IDM retirement, migration options, and what happens after December 2027.
When does SAP IDM reach end of maintenance?
SAP IDM extended maintenance ended in December 2025. Full mainstream maintenance ends in December 2027. After December 2027, SAP will no longer release security patches, bug fixes, or compliance updates for SAP IDM.
What are the options for replacing SAP IDM?
There are three realistic paths for organizations currently running SAP IDM: (1) Migrate to SAP Identity Authentication Service (IAS) and Identity Provisioning Service (IPS) -- the SAP-native cloud replacement. (2) Extend SAP IDM maintenance beyond 2027 as a bridge strategy while planning a migration. (3) Migrate to a third-party IGA platform that governs SAP and all other connected systems from one platform.
What is the difference between SAP IDM and SAP IAS?
SAP IDM (Identity Management / NetWeaver Identity Management) is an on-premises lifecycle management system that handles provisioning, access requests, and attestation. SAP IAS (Identity Authentication Service) is a cloud service that handles authentication -- single sign-on and MFA. SAP IPS (Identity Provisioning Service) handles provisioning in the cloud. IAS and IPS together replace the core functions of SAP IDM but do not replicate all capabilities, particularly complex access request workflows and access certifications.
How long does an SAP IDM migration take?
An SAP IDM migration typically takes 16 to 24 weeks (4 to 6 months) for a standard implementation. The timeline breaks down into four phases: discovery and documentation (4-6 weeks), connector configuration and role model migration (6-8 weeks), workflow and approval migration (4-6 weeks), and parallel run and cutover (2-4 weeks). Organizations with highly customized IDM implementations may require longer.
Does SAP IDM include SoD detection?
No. SAP IDM provisions access based on roles but does not detect Segregation of Duties (SoD) violations. SoD detection in SAP environments requires a separate tool -- either SAP GRC Access Control, or a third-party IGA platform with pre-built SoD rule sets. Organizations migrating from SAP IDM should evaluate whether the replacement platform should also handle SoD detection.
What happens to SAP IDM after December 2027?
After December 2027, SAP will no longer provide mainstream maintenance for SAP IDM. This means no security patches, no bug fixes, and no compliance updates. Organizations running SAP IDM after this date will be operating unsupported identity management infrastructure, which is itself a compliance finding under SOX ITGC, internal controls frameworks, and COBIT access control requirements.