Changing the Source of Truth


There are many reasons why the source of truth may be changed. Not all attributes originate from the one source; however, there is typically one specific application that represents the authority for the identity as a whole. Other sources may be authoritative for specific attributes rather than the whole identity, and those attributes are combined into the identity data to associate a specific detail, such as an email address or phone number, with the identity.

With the source of truth, the identity vault or store, and the target applications or directories, one key attribute ensures that the identity in each of these remains linked by the identity management platform. This attribute is known as the unique identifier and is typically represented by a number. It must remain unique for each identity so that data is synchronised for the managed identity throughout the entire environment.

Adding a target application that already has identities loaded in it first requires that each of the existing identities is matched to an identity in the identity store, and that the unique identifier is added to the target identity, so that ongoing synchronisation of identity information can occur between the source and target systems.

Changing the source application is a much more difficult process: the unique identifier from the original source needs to be added to the new source's identity data so as to match the existing identity store identities, before the new source application's unique identifier can be used to replace the old source's unique ID. Each application tends to use a different unique identifier, which makes the process difficult; specific care is required to ensure each identity remains independent and that the new source data continues to provide updates applicable to each identity independently.

The process to replace an existing source of truth is long and painstaking, with care required to ensure identities are not deleted or duplicated and that source data is not inadvertently associated with the wrong target account.
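The matching step described above is where deletions, duplicates and mis-associated accounts creep in, so it helps to see it as a reconciliation that reports rather than acts. The following is an added example, not code from the original post or from any identity management product: it links a new source of truth to the existing identity store through shared attributes, carries the old unique identifier onto each linked new-source record, and holds back anything unmatched or ambiguous for review before any provisioning runs. The field names (store_uid, new_id, employee_no, email) and the sample records are constructed assumptions.

```python
"""Reconcile a new source of truth against an existing identity store before
its unique identifier replaces the old one. All data is constructed for
illustration; field names are assumptions, not a specific product's schema."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data. The store is keyed by the unique identifier the old
# source issued (store_uid). The new source uses its own key (new_id), so the
# two can only be linked through shared attributes.
IDENTITY_STORE = [
    {"store_uid": "1001", "email": "alice@example.org", "employee_no": "E100"},
    {"store_uid": "1002", "email": "bob@example.org",   "employee_no": "E101"},
    {"store_uid": "1003", "email": "carol@example.org", "employee_no": "E102"},
    {"store_uid": "1004", "email": "dave@example.org",  "employee_no": "E103"},
    {"store_uid": "1005", "email": "dave@example.org",  "employee_no": "E104"},  # shared email
]
NEW_SOURCE = [
    {"new_id": "HR-A", "email": "alice@example.org", "employee_no": "E100"},
    {"new_id": "HR-B", "email": "bob@example.org",   "employee_no": "E101"},
    {"new_id": "HR-D", "email": "dave@example.org",  "employee_no": "E103"},
    {"new_id": "HR-E", "email": "erin@example.org",  "employee_no": "E105"},  # not in store
    {"new_id": "HR-F", "email": "dave@example.org",  "employee_no": "E999"},  # only email matches
]


@dataclass
class Reconciliation:
    links: dict = field(default_factory=dict)            # new_id -> store_uid, safe to apply
    unmatched_new: list = field(default_factory=list)    # would become creates; hold for review
    unmatched_store: list = field(default_factory=list)  # would become deletes; hold for review
    ambiguous: dict = field(default_factory=dict)        # new_id -> candidate store_uids


def _normalise(value):
    return (value or "").strip().lower()


def reconcile(store, new_source, match_attrs=("employee_no", "email")):
    """Link each new-source identity to exactly one store identity.

    Attributes are tried in precedence order; the first one yielding exactly one
    candidate wins. No candidates on any attribute is an unmatched record; more
    than one is ambiguous. Nothing is created or deleted here.
    """
    index = {attr: defaultdict(list) for attr in match_attrs}
    for rec in store:
        for attr in match_attrs:
            index[attr][_normalise(rec.get(attr))].append(rec["store_uid"])

    result = Reconciliation()
    claimed = defaultdict(list)  # store_uid -> new_ids that resolved to it
    for rec in new_source:
        candidates = None
        for attr in match_attrs:
            key = _normalise(rec.get(attr))
            found = index[attr].get(key, []) if key else []
            if len(found) == 1:
                candidates = found
                break
            if len(found) > 1 and candidates is None:
                candidates = found  # remember the ambiguity, keep trying lower precedence
        if not candidates:
            result.unmatched_new.append(rec["new_id"])
        elif len(candidates) > 1:
            result.ambiguous[rec["new_id"]] = sorted(candidates)
        else:
            result.links[rec["new_id"]] = candidates[0]
            claimed[candidates[0]].append(rec["new_id"])

    # Two new-source records resolving to one store identity would collapse two
    # people into one account: demote those links to ambiguous as well.
    for uid, new_ids in claimed.items():
        if len(new_ids) > 1:
            for nid in new_ids:
                result.ambiguous[nid] = [uid]
                del result.links[nid]

    linked = set(result.links.values())
    result.unmatched_store = sorted(r["store_uid"] for r in store if r["store_uid"] not in linked)
    return result


def attach_store_uid(new_source, reconciliation):
    """Copy the old unique identifier onto each linked new-source record, so the
    store keeps matching on it until the cut-over to new_id."""
    return [dict(rec, store_uid=reconciliation.links[rec["new_id"]])
            for rec in new_source if rec["new_id"] in reconciliation.links]


def safe_to_cut_over(reconciliation):
    """Only switch the store's unique identifier once every record is accounted for."""
    return not (reconciliation.ambiguous or reconciliation.unmatched_new
                or reconciliation.unmatched_store)


if __name__ == "__main__":
    r = reconcile(IDENTITY_STORE, NEW_SOURCE)
    print("links", r.links)
    print("unmatched in new source", r.unmatched_new)
    print("unmatched in store", r.unmatched_store)
    print("ambiguous", r.ambiguous)
    print("safe to cut over:", safe_to_cut_over(r))
```

On the sample data HR-D resolves cleanly because the employee number takes precedence over the shared email, HR-F is held as ambiguous between the two store identities sharing that email, HR-E is an unmatched new record and two store identities have no counterpart in the new source; the cut-over check stays false until every one of those is resolved by a person, which is the point of the review lists.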

The advent of cloud services has heralded a wave of applications, previously the domain of expensive on-premise systems, delivered under a service model. HR, student management and finance systems are now delivered as service offerings, with consumption pricing provided through a range of alternative models as well. The majority of these systems fulfil roles that are recognised as authoritative with respect to their ownership of identity data within an organisation, and as such they become critical in the overall design of the organisation's identity management solution. The migration to a new source of truth seldom considers the effort required to migrate the identity management system to the new source, and that work is often left with minimal budget and time to complete. I strongly urge organisations considering this change to include the migration of the identity platform's source of truth within the scope of the migration work. Without this consideration, the provisioning and security provided through the identity management platform will need to be delivered manually by the service desk or admin staff, placing additional strain on already stretched services and adding further potential to compromise the organisation's security.

Martin Klein
