User Data Migration
Overview
Oftentimes you are migrating to FusionAuth from another solution, whether it be homegrown or another vendor.
These guides and resources will help you understand and scope the migration process.
There are multiple methods you can use to migrate users into FusionAuth.
- Bulk migration
- Connectors
- SCIM
- The User API
The FusionAuth migration guide has general migration guidance, strategies and help.
Migration From Another Provider
When you are migrating from another provider, you can do a bulk or slow migration.
Bulk Migration
Bulk migration lets you import users at one point in time, making for a clean cutover. You can import password hashes, including hashes performed with a custom, non-standard algorithm, making a migration seamless to your users. You use the User Import API to perform this. You can also import refresh tokens, which helps if you want your users to be able to refresh access tokens transparently. When using the User Import API you should import with batches of less than 10,000 users per request. After completing a migration you should reindex of the Elasticsearch database as well.
A bulk migration is a good choice when you:
- want to migrate users all at once
- are migrating into a new FusionAuth instance
- have access to password hashes from a previous auth system
Slow Migration
With a slow migration, you move users one at a time, when they log in. You keep the other system running and set up a connection between them. This means you don’t have to have access to the underlying password hashes or other user information. With FusionAuth, you implement a slow migration using Connectors.
A slow migration is a good choice when you:
- don’t have access to password hashes or other data from a previous auth system
- are okay running two different auth systems for a while
Provider Specific Migration Guides
Whether you are bulk migrating your users or performing a slow migration, if you are moving from another provider, there may be specific tasks to perform or concepts to understand. Here are
- Auth0 - how to migrate from Auth0 to FusionAuth
- Microsoft Azure AD B2C - how to migrate from Microsoft Azure AD B2C to FusionAuth
- Cognito - how to migrate from Amazon Cognito to FusionAuth
- Duende IdentityServer - how to migrate from Duende IdentityServer to FusionAuth
- Firebase - how to migrate from Firebase to FusionAuth
- ForgeRock - how to migrate from ForgeRock to FusionAuth
- Keycloak - how to migrate from Keycloak to FusionAuth
- Ping Identity - how to migrate from Ping Identity to FusionAuth
- Supabase - how to migrate from Supabase to FusionAuth
- Tutorial - how to migrate from an example homegrown user database to FusionAuth
If you are working with an identity datastore not listed above, please open an issue in our GitHub repository with details.
Connectors
This feature is only available in paid plans. Please visit our pricing page to learn more.
Connectors allow you to migrate users one by one transparently. This is called a slow or drip migration, because each user is migrated at the time of login.
A slow migration is a good choice when you:
- are migrating from a system which doesn’t allow access to password hashes
- are migrating users into a FusionAuth instance with existing users
Learn more about slow migrations or how to use Connectors with FusionAuth.
SCIM
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
System for Cross-domain Identity Management, or SCIM allows you to migrate and provision users from other systems such as Azure AD or Okta into FusionAuth.
SCIM is a good choice when you:
- need continuous user migration as well as user account deactivation
- have a source of user data that supports SCIM and is a SCIM client
Learn more about SCIM or how to use SCIM with FusionAuth.
The User API
You can migrate users one by one basis using the Create User API. This is typically done using a client library. With this method, you cannot migrate the user’s password.
The User API is a good choice when you:
- have a few users to migrate
- don’t have passwords for users, such as when they authenticated using a social provider like Google
- are migrating users into a FusionAuth instance with existing users
Other Useful Migration Resources
- Plugins - custom password hashing support, so that you can migrate without requiring your users to change their password
- APIs - Migrate data and configuration using the APIs
- Client libraries - use the language of your choice to make FusionAuth API calls
- Connectors - implement a gradual migration using this feature
- Import scripts - open source scripts to import from CSV, Auth0 and more
- FusionAuth Plans - some plans include FusionAuth team support for data migration
Further Assistance
If you need assistance migrating to FusionAuth, please ask a question in the FusionAuth forum or contact us to discuss support options.
If you have a plan with engineering support, you may open a support request from your account.