IBM Verify


Calling TFIM customers

  • 1.  Calling TFIM customers

    Posted Tue March 26, 2019 04:21 AM
    Hello everyone,

    If you are still using Tivoli Federated Identity Manager, you are hopefully already aware that this product goes End Of Support in September this year.

    The development team are asking anyone still using TFIM to complete a survey so they can better understand any reasons preventing migration to ISAM so that everyone can have a smooth transition.

    The survey is linked from the following blog post:
    https://www.ibm.com/blogs/security-identity-access/calling-all-ibm-tivoli-federated-identity-manager-customers/

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------


  • 2.  RE: Calling TFIM customers

    Posted Tue April 02, 2019 10:03 AM
    Edited by Ray Tue April 02, 2019 10:04 AM
    Hello Jon and IAM community, we are in the process of wanting to migrate from TFIM 6.2.2.x to ISAM federation. We have around 30-odd federations to be moved over and are looking to get it done before EOL on September 30th; otherwise we will have to look into the option of signing up for extended support if we are not able to get it done for some reason.

    Looking for lessons learned and pitfalls of the migration from anyone that has undertaken it recently. Also a high-level approach, since it seems like there is no automated way to migrate all the feds and partners from TFIM to ISAM along with keystores and other settings. We are looking for almost zero impact to the fed partners during this migration, since there is no reason for them to have to change endpoints, certs, or re-exchange metadata for such a move unless that is absolutely necessary.

    ------------------------------
    Ray
    ------------------------------



  • 3.  RE: Calling TFIM customers

    Posted Wed April 03, 2019 03:05 AM
    Hi Ray,

    We are in the process of migrating (starting with our DEV integrations) and so far, we didn't really encounter major issues.

    I suggest taking a look at your user mappings, as those need to be rewritten in JavaScript and, depending on their complexity, that may pose some challenges.

    Another note: in the documentation, it is suggested to create a /isam junction towards the federation runtime, but it works just as well with a transparent path junction /sps (which allows you to keep the same endpoints).

    Kind regards

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 4.  RE: Calling TFIM customers

    Posted Thu April 04, 2019 07:58 PM
    Kristof, thanks for the response and good to know that others are undertaking the migration effort as well. We are investigating all the user mappings and so far most of the ones I see are already in JavaScript, so we should be able to port those over with no issue. We are also thinking of grouping the partners and undertaking the TFIM -> ISAM migration in incremental waves to lower the impact and issue handling etc.

    As far as the junction goes, yes, in ISAM it creates a /isam junction if you use the Federation configuration tool. In TFIM, the tfimcfg tool creates a /FIM junction, so there is a slight difference there. We can always do the manual configuration in ISAM and create a /FIM junction and attach the ACLs to the corresponding objects etc. so that partners don't need to change endpoints on their end. Of course all this will require some basic testing, which is usually the long pole in the tent when you are dealing with multiple fed partners.

    ------------------------------
    Ray
    ------------------------------



  • 5.  RE: Calling TFIM customers

    Posted Thu June 06, 2019 06:59 AM
    Hi Jon,

    We are in the process of migrating all of our federations from TFIM to ISAM 9 and I noticed that TFIM used to offer support to pass specific parameters/attributes from the request to the PEP through the extended.authentication.macros (https://www.ibm.com/support/knowledgecenter/cs/SSZSXU_6.2.2.7/com.ibm.tivoli.fim.doc_6227/config/concept/con_saml_request_poc.html).

    Looking at current documentation:
    • https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.6/com.ibm.isam.doc/config/reference/poc_callback_parms_fed.html
    • https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.4/com.ibm.isam.doc/config/reference/CustomLoginFormMacros.html
    I guess that is no longer possible and we need to send the full request through %SSOREQUEST%?
    Is that correct?

    Kind regards,
        Kristof Goossens


    ------------------------------
    Kristof Goossens
    ------------------------------



  • 6.  RE: Calling TFIM customers

    Posted Fri June 07, 2019 10:16 AM
    Hi Kristof,
    Yes, you are right, 'extended.authentication.macros' is not supported in ISAM currently. One way to work around this, as you mentioned, is to send the full AuthnRequest through %SSOREQUEST%.
    Supporting 'extended.authentication.macros' in ISAM would probably require an RFE.

    Best Regards

    Chen Yongming


    ------------------------------
    Yongming Chen
    ------------------------------



  • 7.  RE: Calling TFIM customers

    Posted Sat June 08, 2019 01:03 AM
    Hi Chen,

    Thanks for clearing that up.

    I don't think it would make a lot of sense to file an RFE for that functionality, as all information is available in the SSORequest macro.

    The question was more to make sure I was not missing anything, but some (minimal) changes to our EAI fixed the issue :)

    Thanks

    ------------------------------
    Kristof Goossens
    ------------------------------
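The exchange in posts 5 to 7 above comes down to one practical question: once the request parameters are no longer passed individually through extended.authentication.macros, the EAI has to pull them out of the full AuthnRequest delivered via %SSOREQUEST%. The following is an added example, not code from this thread or from IBM, of what that EAI-side step looks like: decode the value (raw DEFLATE plus base64 as in the SAML HTTP-Redirect binding, or plain base64 as in HTTP-POST), cap the inflated size so a small deflate bomb cannot exhaust memory, refuse DTD/entity declarations before handing the XML to a parser, and extract the fields a login flow typically keys on (Issuer, ACS URL, ForceAuthn, requested authentication context). The sample AuthnRequest with its issuer, ACS URL and ID is constructed; which of the two encodings ISAM places in the macro is assumed here rather than taken from the documentation, so a caller who knows the binding should pass `deflated` explicitly instead of relying on autodetection.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML_BYTES = 64 * 1024  # cap on the inflated request; a few KB of deflate can expand to far more

# Constructed sample AuthnRequest (issuer, ACS URL and ID are made-up values).
SAMPLE_AUTHN_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2019-06-07T10:00:00Z"
    ForceAuthn="true"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
""".encode()


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding encodes SAMLRequest."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode("ascii")


def encode_post_binding(xml_bytes: bytes) -> str:
    """Plain base64, as the HTTP-POST binding encodes SAMLRequest."""
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_sso_request(value: str, deflated: Optional[bool] = None,
                       max_bytes: int = MAX_XML_BYTES) -> bytes:
    """Turn the macro value back into AuthnRequest XML bytes, enforcing a hard size limit.

    deflated=None autodetects the encoding: a single-block raw DEFLATE stream starts with
    an odd byte (BFINAL=1), so a value whose first byte is '<' (0x3C) is taken as plain XML.
    Pass deflated explicitly when the binding is known (assumed here, not taken from ISAM docs).
    """
    raw = base64.b64decode(value, validate=True)
    if deflated is None:
        deflated = not raw.startswith(b"<")
    if not deflated:
        xml_bytes = raw
    else:
        d = zlib.decompressobj(-15)
        xml_bytes = d.decompress(raw, max_bytes + 1)  # stop inflating once past the cap
        if not d.eof:
            raise ValueError("deflate stream is truncated or inflates beyond the size limit")
    if len(xml_bytes) > max_bytes:
        raise ValueError("request exceeds size limit")
    return xml_bytes


def parse_authn_request(xml_bytes: bytes) -> dict:
    """Extract the fields an EAI usually acts on; reject DTDs before the parser sees them."""
    upper = xml_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD/entity declarations are not allowed in a SAML request")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    if root.get("Version") != "2.0":
        raise ValueError(f"unsupported SAML version: {root.get('Version')}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    context_refs = [e.text.strip() for e in root.iter(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn", "false").lower() in ("true", "1"),
        "authn_context": context_refs,
    }


if __name__ == "__main__":
    macro_value = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)  # what %SSOREQUEST% would carry
    print(parse_authn_request(decode_sso_request(macro_value)))
```

The ACS URL pulled out this way is informational only: an EAI must still match it against the partner's registered metadata rather than trust the value in the request, since the AuthnRequest in the Redirect binding is at best signed over the query string and at worst unsigned.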



  • 8.  RE: Calling TFIM customers

    Posted Wed February 05, 2020 02:04 PM
    Is it possible for IFIM 6.2 and ISAM 9 federation runtimes to coexist during migration? We want to migrate the IFIM 6.2 point of contact WebSEAL to ISAM 9 and create the same junction /fed/sps. We would like to migrate the federations one at a time. The migrated federation points to the new runtime while the old federations still point to the old runtime.

    ------------------------------
    Krishna Baddam
    ------------------------------



  • 9.  RE: Calling TFIM customers

    Posted Wed February 05, 2020 02:33 PM
    Hi Krishna, both the TFIM WebSphere runtime and the ISAM Liberty runtime run in isolation. If you have separate entry points for the POC (/fim and /isam) into sps, both runtimes can co-exist and this ensures requests are going to the correct federation runtime. If you have the same POC for both TFIM and ISAM, then you could add both TFIM/ISAM runtime servers to the junction and control the backends using Server Offline:

    server task instance_name-webseald-host_name offline [-i server_uuid] junction_point



    Regards,
    Rama

    ------------------------------
    Rama Yenumula
    ------------------------------



  • 10.  RE: Calling TFIM customers

    Posted Thu February 06, 2020 08:12 AM
    Hi Krishna, in addition to Rama's recommendation, I would like to share that in our migration strategy we did opt (as suggested by Rama) to first replace our ISAM V7 PoC with an ISAM V9 PoC while still running our federations for some time on ITFIM 6.2.2.

    In addition, you still have 2 choices: migrate one fed at a time, or instead all those feds behind a given PoC at the same time. That depends on different factors, namely the number of feds behind a PoC, the risk you can assume, and how flexible your setup is in non-PROD to allow testing the existing feds in an isolated environment first with the ISAM V9 federation module.

    This question must be raised because, if you plan to migrate one fed at a time, moving, let's say, from a /FIM junction (your existing ITFIM 6.2.2) to a hypothetical /isam junction (your new ISAM 9 Federation module setup), this will affect the fed URLs that partners use to redirect/post SAML sign-on/sign-out requests. This further means you must coordinate with every one of them to make the change (both PoC and URL) on both ends at the same time, not excluding the possibility of enforcing some URL rewriting from old to new ones to ensure old bookmarked fed URLs do not suddenly lock your end-users out.
    Some customers with a relatively "low" number of feds behind a given PoC (10 or less) may opt to preserve their existing /FIM junction in place but redirect its traffic to the ISAM 9 federation module all at once, given that all of them can be tested at the same time. If well prepared, and all new federation configurations (keys, mapping rules, etc.) have been pre-loaded ahead of time in the ISAM 9 fed module appliances (presumably with Ansible playbooks, with confidence building up through all your working non-PROD environments), then going live with the ISAM 9 fed module in Production should not be as demanding or risky as it may look at first.

    Thereafter, if you want to eventually move away from your "legacy" /FIM junction (connected to the ISAM V9 fed module), you can still plan it at some other time, one fed at a time. You could also opt for all your new feds to rely on your new /isam fed URI going forward, and then your number of legacy /FIM feds will shrink nicely over time.

    What is your most important business driver here? Moving out of ITFIM 6.2.2 rapidly because its EOS date has already been reached, or adopting new features from ISAM v9, etc.
    So, lots to think in your migration planning.

    But more importantly, we did have to make some small adjustments on our end in the ISAM PoC /FIM when we transferred it over from V7 to the ISAM V9 federation module, so make sure you can test everything out in a non-Production environment first.

    Happy migration.

    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 11.  RE: Calling TFIM customers

    Posted Thu February 06, 2020 11:50 AM

    Rama and Sylvain, thanks for your responses. We have a large number of federations. The driver for migration is IFIM 6 being out of support. However, there is no real urgency that we do a big bang conversion. Changing the URLs used by partners is the last thing we would consider. If I understand correctly, for a one-fed-at-a-time migration I have two options:

    Option 1. Set up two entry points on ISAM 9: /fim with the IFIM 6 runtime and /isam with the ISAM 9 federation runtime. Working with partners, we can migrate each federation from IFIM 6 to ISAM 9 over time. This would require changes to URLs. This will let us use new attribute sources and other new functionality available in ISAM 9 federation.

    Option 2. Set up just one entry point /fim on ISAM 9 with both the IFIM 6 and ISAM 9 federation runtime servers and control which runtime is active by setting the other to offline, as suggested by Rama. This would not require URL changes and would have no impact on partners. I will still be able to use new features offered by the ISAM 9 federation runtime for the ones migrated over to the new runtime. Once all federations are migrated over, we can remove the IFIM 6 runtime from the mix.

    Are there any limitations or risks to using option 2. Why should I consider option 1?

    Krishna



    ------------------------------
    Krishna Baddam
    ------------------------------



  • 12.  RE: Calling TFIM customers

    Posted Thu February 06, 2020 01:07 PM
    I just realized that with option 2, once we bring the ISAM 9 federation runtime online, it applies to all federations. For a phased migration I have to use option 1 with some URL rewriting/redirection.

    ------------------------------
    Krishna Baddam
    ------------------------------



  • 13.  RE: Calling TFIM customers

    Posted Thu February 06, 2020 01:33 PM
    With option 2, yes! It applies to all feds using the corresponding Point of Contact (POC).



    Regards,
    Rama

    ------------------------------
    Rama Yenumula
    ------------------------------