How to Migrate Between CIAM Platforms: A Vendor-Agnostic Framework
Updated 2026-06-08 · 16 min read · By @guptadeepak
Key takeaways
- Every CIAM migration is roughly 80% the same five phases; the 20% that differs is export friction and import capability.
- Know what does not migrate first: passkeys (re-enroll), refresh tokens and sessions (lost at cutover), custom logic (rewrite).
- Password-hash portability is the gating question; if the source will not export hashes, migrate just-in-time on next login.
- Choose the destination by what you are escaping, not by brand. The right answer differs per reason.
- Security teams judge a migration on credential security in transit, audit continuity, rollback, downtime, and residency.
Why one framework covers every pair
Whether you are moving off Auth0, Ping, Microsoft Entra External ID (Azure AD B2C), Stytch, Descope, Cognito, Firebase, or an older suite, the work is the same shape. You inventory what you have, stand up the destination, move users and credentials, run both in parallel, then cut over and decommission. The vendor-specific runbooks differ only in the import API, the hash schemes supported, and how the old platform's custom logic maps to the new one. Learn the framework once and every migration becomes a known quantity.
What migrates, and what does not
This is the table to internalize before you plan anything. Getting a surprise here is what turns a clean migration into an incident.
| Item | Migrates? | What to plan |
|---|---|---|
| Password hashes | Sometimes | Portable only if the source exports them and the destination supports the scheme (usually bcrypt). Source-side gating is the common blocker. |
| Passwordless / passkeys (WebAuthn) | No | Bound to the relying-party origin. Users re-enroll on the new platform; keep a fallback method during transition. |
| TOTP / MFA enrollments | Sometimes | Migrate only if TOTP secrets can be exported; otherwise users re-enroll. SMS/email OTP needs no migration. |
| Refresh tokens and active sessions | No | Lost at cutover. Everyone re-authenticates. Communicate the forced re-login. |
| Custom logic (Actions, Rules, hooks, Lambdas) | No | A rewrite, not an export. This usually dominates the engineering estimate. |
| Social and enterprise connections (SAML/OIDC) | Reconfigure | Re-create each IdP connection and re-validate the round trip per tenant. |
| User profile and metadata | Yes | Export and map fields; preserve email-verified status so users are not re-prompted. |
| Roles, organizations, tenants | Yes, with remodeling | Map the source tenancy model to the destination's; B2B Organizations rarely map one to one. |
| Consent and preference records | Yes, with care | Migrate consent state to preserve compliance continuity; do not silently reset it. |
| Audit log history | Export and archive | Rarely importable. Export the old logs for your retention and compliance trail before decommission. |
The five-phase playbook
Every migration runs these phases. Depth varies; the sequence does not.
- Discovery and inventory. Catalog every custom Action or Rule, every connection, your tenancy structure, the claims your app consumes, and, critically, your credential-export options. Timelines track custom-logic complexity and export friction, not user count.
- Stand up the destination. Deploy it production-grade, model tenants and applications, re-implement custom logic in the destination's extension model, and recreate identity-provider connections.
- User and credential import. Bulk-import with hashes when the source cooperates; otherwise migrate just-in-time on next login and plan a reset for the inactive tail. Carry over metadata, roles, and verified status.
- Dual-run and validate. Run both platforms, route a growing share of traffic to the destination, and compare token claims field by field across every critical flow.
- Cutover and decommission. Flip the default, hold the old platform in read-only standby for a short rollback window, archive its logs, then close it.
For step-by-step depth, see the worked runbooks: Auth0 to FusionAuth, Auth0 to self-hosted, and Cognito to a managed platform.
Source-side friction: getting your data out
The hardest part of most migrations is not the destination, it is the exit. Audit these on the platform you are leaving:
- Password hashes. Bulk user export is common; hash export is often gated behind a support ticket or a paid tier. Confirm your exact plan's policy before promising a no-reset migration.
- MFA secrets. TOTP seed export is frequently restricted; assume re-enrollment unless you confirm otherwise.
- Custom logic. It is not exportable as data. Inventory it as code to re-implement.
- Audit history. Export it for your records; you will rarely be able to import it into the destination.
Destination-side capability: getting your data in
Match the exit constraints to what the destination accepts:
- Bulk import API with hashes is the smoothest path when you have the hashes and the destination supports the scheme.
- Just-in-time / connector migration validates against the old system on first login and rehashes into the new one. This is the standard answer when hashes are unavailable.
- Tenancy and Organizations modeling is where managed-to-managed and managed-to-self-hosted migrations diverge most; confirm the destination can express your B2B structure before committing.
Each vendor profile carries an migration_difficulty score for inbound and
outbound moves (1 easy to 5 hard), so you can gauge both sides before you
start. Read both the source's outbound score and the destination's inbound
score in the vendor index.
Choose your destination by what you are escaping
There is no universal "migrate to X." The right destination is set by the reason you are leaving. Each path below links the neutral alternatives analysis that ranks the options on the same matrix.
- Escaping per-MAU cost at scale. Self-host to remove the per-user line item (FusionAuth, Keycloak), or move to per-organization pricing for B2B (SSOJet). See Auth0 alternatives and open source CIAM.
- Need B2C passwordless and simpler scale. Passwordless-first platforms fit here (MojoAuth for passwordless B2C across the 100k to 1M MAU range, Stytch for passkey-first primitives). See Firebase alternatives.
- Need budget B2B Enterprise SSO and SCIM. Enterprise-readiness layers and per-org pricing fit (WorkOS, SSOJet). See the B2B SaaS vertical.
- Need sovereignty or self-hosting. Open-source, self-hosted platforms (Keycloak, FusionAuth, Zitadel, Ory). See open source CIAM.
- Forced off an end-of-life platform (for example Azure AD B2C). Pick by whether you stay in the same cloud or leave it. See Microsoft Entra alternatives.
- Leaving an established all-in-one suite. Decide managed (a broad platform like Auth0), self-hosted (FusionAuth, Keycloak), or build in-house, and read build vs buy before choosing to build, because the unhappy paths dominate that work.
If you are not sure which reason dominates, the vendor selector narrows the field in six questions, and Start here works the full decision in order.
How security and identity teams evaluate a migration
A migration is a security event, not just an engineering one. The questions identity and security reviewers actually ask:
- Credential security in transit. How are password hashes, secrets, and PII moved between platforms? Encrypted transfer, least-privilege access, and no credentials in logs or tickets.
- Audit continuity. Is there an unbroken audit trail across the cutover? Export and archive the old platform's logs so the record survives decommission.
- Rollback. If the destination misbehaves, can you fail back? Keep the old platform in read-only standby for a defined window.
- Downtime and blast radius. Is cutover a hard switch or a gradual ramp? Canary internal users, then a percentage, then the bulk.
- Data residency and compliance. Does data stay in-region throughout the move, and does the destination hold the same attestations? Residency can be violated mid-migration if a staging environment sits in the wrong region.
- Forced re-authentication and MFA re-enrollment. Communicate it, keep a fallback method live, and watch enrollment rates after cutover.
Treat these as gates, not afterthoughts. A migration that lands on feature parity but breaks the audit trail or leaks hashes in a support ticket is a failed migration, regardless of how clean the new login screen looks.
The framework in one view
- What migrates (and what does not) sets your hard constraints.
- The five phases structure the work; depth varies, sequence does not.
- Export friction and import capability decide whether users notice.
- What you are escaping picks the destination, not the brand.
- Security gates (credentials, audit, rollback, residency) decide whether the migration is actually done.
Learn this once and any CIAM migration, from any platform to any platform, becomes a planned, reviewable project instead of a leap.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Microsoft Entra External ID
Microsoft Entra External ID went GA in September 2024 as the modern successor to Azure AD B2C, which entered end-of-sale to new customers on May 1, 2025 and retires existing B2C tenants on March 15, 2026, every Azure AD B2C customer should be in active migration. Entra External ID is the right CIAM choice when the organization is already standardized on Microsoft 365 and Azure, and when FedRAMP High or strict Microsoft-shop compliance is required. The materially modernized policy model and DX (vs B2C) close part of the gap, but still trail the developer-first tier on velocity and ergonomics. Outside Microsoft-native architectures, the integration story rarely justifies the friction.
FusionAuth
FusionAuth is the right answer when you want self-hosted CIAM without taking on Keycloak's operational weight, and want the option to switch to managed without changing vendors. Single-binary deploy, modern docs, and a genuinely usable Community tier make it the practical default for self-host evaluations in 2026, particularly for B2C and mid-market B2B SaaS that don't need FedRAMP or Zanzibar-style FGA.
Keycloak
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost, running Keycloak well is closer to running PostgreSQL than running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
MojoAuth
MojoAuth is a B2C CIAM specialist focused on modern passwordless and enterprise-grade auth for consumer apps. Passwordless orchestration (passkeys, magic links, OTP) is well above the market median; SAML / OIDC / adaptive MFA bring enterprise-tier features into B2C pricing tiers; consent management is unusually mature. Consumer apps evaluating Auth0 alternatives at the 100k–1M MAU band should put MojoAuth on the shortlist alongside Stytch and Descope.
SSOJet
SSOJet has emerged as a credible modern CIAM for B2B SaaS that needs Enterprise SSO + SCIM without paying WorkOS or Auth0 prices, with a product surface and DX that matches the developer-first tier. The 100k MAU free tier plus per-organization billing makes the unit economics genuinely competitive. The trade-offs are a younger ecosystem and narrower B2C feature set; for B2B-first SaaS that doesn't need consumer flows, SSOJet deserves shortlisting alongside WorkOS, Frontegg, and Auth0 B2B.
Stytch
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
FAQ
- Can I migrate without forcing my users to reset their passwords?
- Only if the source platform will give you the password hashes and the destination can import that hash scheme. Most platforms store bcrypt or a similar adaptive hash, and most destinations can import it, so a seamless migration is possible when the source cooperates. The blocker is usually source-side: some platforms gate hash export behind a support request or a higher plan tier. When you cannot get the hashes, the answer is just-in-time migration (validate against the old system on next login, then rehash into the new one) plus a forced reset for users who never return.
- Why can't passkeys be migrated?
- A passkey (WebAuthn credential) is cryptographically bound to the relying-party identifier and origin it was created for. It is not an exportable secret you can move between providers. After a migration, users re-register their passkeys against the new platform. Plan the re-enrollment prompt and keep a fallback authentication method available during the transition.
- How long should I run the old and new platforms in parallel?
- Long enough to validate every critical flow and to let the active-user tail migrate, typically two to four weeks for a mid-market deployment. Bulk-import migrations can run a shorter window because users are already in the new system; just-in-time migrations need a longer window so enough users log in to migrate organically before you force-reset the remainder.
- Which destination should I migrate to?
- It depends entirely on why you are leaving. Escaping per-MAU cost points toward self-hosting or per-organization pricing; needing B2C passwordless points toward passwordless specialists; needing budget B2B SSO points toward enterprise-readiness layers; needing sovereignty points toward open-source self-hosting. The 'choose your destination' section below maps each reason to the fitting options, and the alternatives pages rank them on the same matrix.
Sources
- CIAM Compass vendor index, capability matrix, and migration_difficulty scores
- CIAM Compass alternatives analyses
- OAuth 2.1 and OpenID Connect specifications
- FIDO Alliance WebAuthn and passkey guidance