
Import Users

The easiest way to integrate with azuma doa is to start from scratch. Since this is not always possible, we also provide migration path scenarios that can be implemented to migrate existing users to azuma doa.

Hint

In case you require additional information or advice on how to handle your migration setup, feel free to contact us.

Challenges

To import users from existing systems, the following questions need to be answered or considered:

  • How to map existing Account IDs to azuma doa Account IDs, and is such a mapping needed?
  • How to import Account Passwords?
    • How to import password hashes?
    • Are the required hashing algorithms supported?
  • How to identify and import OIDC Accounts (accounts that are linked to, e.g., a social identity provider like Google or Azure AD)?
  • How to import accounts with multiple credential types (password/password/totp/...) and recovery/verification emails?
  • How to identify and import existing permission/roles and assign roles to users?

Depending on your current identity provider setup, there might be further challenges that need to be considered.

Available migration scenarios: Data migration

To implement a seamless migration that avoids disruptions, the following solution could be implemented:

On the login page of your current IDP, add

  • the option to log in via azuma doa (integrating via OpenID Connect). This should be used by new users.
  • the option to log in with old credentials. This would use your old IDP, but after login ask the user for a new password. With the new password, you would create a new azuma doa account (migrating the required data for the user).

The option to create new accounts via API is currently limited. If you are interested in such a setup, please contact us for more details.

Available migration scenarios: Data import

If a seamless migration is not required and downtime is acceptable, user data can also be migrated. Prior to migration, the open points (see Challenges above) need to be answered.

Example

Let's assume we want to migrate out of an IDP where account IDs were used to link product data to users. In such a scenario, we need to retain the reference to the old account IDs while creating new user accounts.

Additionally, we have accounts with passwords (hashed using bcrypt) as well as accounts linked to social identity providers (Google/Microsoft).

Accounts can be created via the azuma doa API. Since Account IDs are created by azuma doa, the reference IDs from the previous IDP need to be mapped to the newly created accounts. azuma doa implements the concept of Account Reference IDs, allowing you to add the old IDP account ID to the new account and retrieve the reference in the claim account_reference_id in the access token. With that claim, you can retain access to the correct data.
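A pre-import audit for the scenario above, as an added example (not azuma doa's code or API): it checks that each exported password hash is a well-formed bcrypt string, that OIDC links name an expected provider, and that legacy account IDs are unique before they are reused as Account Reference IDs. The export field names (legacy_id, password_hash, oidc) and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter
# bcrypt modular-crypt string: $2<variant>$<cost>$ + 22-char salt + 31-char digest
BCRYPT = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")
OIDC_PROVIDERS = {"google", "microsoft"}  # assumption: providers named in the scenario

def credentials(record):
    """Return (importable credential kinds, problems) for one legacy record."""
    kinds, problems = [], []
    pw, oidc = record.get("password_hash"), record.get("oidc")
    if pw:
        m = BCRYPT.fullmatch(pw)
        if m and 4 <= int(m.group(1)) <= 31:  # valid bcrypt cost range
            kinds.append("password")
        else:
            problems.append("password hash is not well-formed bcrypt")
    if oidc:
        if oidc.get("provider") in OIDC_PROVIDERS and oidc.get("subject"):
            kinds.append("oidc")
        else:
            problems.append("unknown OIDC provider or missing subject")
    if not pw and not oidc:
        problems.append("no credential to import")
    return kinds, problems

def audit(records):
    """Split legacy IDs into importable accounts and rejects with reasons."""
    seen = Counter(r["legacy_id"] for r in records)
    plan = {"import": {}, "reject": {}}
    for r in records:
        rid = r["legacy_id"]  # would become the Account Reference ID
        kinds, problems = credentials(r)
        if seen[rid] > 1:  # one reference ID must not point at two accounts
            problems.append("duplicate legacy ID")
        if problems:
            plan["reject"].setdefault(rid, []).extend(problems)
        else:
            plan["import"][rid] = kinds
    return plan

SAMPLE = [  # constructed export; field names are hypothetical, hashes are dummies
    {"legacy_id": "u-1", "password_hash": "$2b$12$" + "A" * 53,
     "oidc": {"provider": "microsoft", "subject": "sub-1"}},
    {"legacy_id": "u-2", "oidc": {"provider": "google", "subject": "sub-2"}},
    {"legacy_id": "u-3", "password_hash": "0123456789abcdef" * 2},
    {"legacy_id": "u-4", "password_hash": "$2y$10$" + "B" * 53},
    {"legacy_id": "u-4", "oidc": {"provider": "google", "subject": "sub-4"}},
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts that end up under "reject" are candidates for the data migration scenario (new password at next login) instead of a bulk import.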

Hint

If you choose to use Account Reference IDs, please consider whether data migration to the new azuma doa Account IDs is possible to unify your solution.

As mentioned above, the option to create new accounts via API is currently limited. If you are interested in such a setup, please contact us for more details.