Escape the Forest: Migrate from Active Directory to Flex

A Phased Approach to Migrate Off Active Directory

For many enterprises, Microsoft Active Directory (AD) has long been the cornerstone of workforce identity. It's tightly woven into business processes, applications, and user habits, especially password changes and desktop login routines. However, AD is showing its age. Microsoft's development investment now goes to its cloud identity service rather than to on-premises AD, and AD's well-known weaknesses make it a prime target in cyberattacks: whoever controls a domain controller controls every domain-joined system and every account in the forest. Organizations must therefore consider their long-term identity strategy.

It's clear that Microsoft wants your enterprise to migrate to Azure AD (now Microsoft Entra ID), which is simply Microsoft's cloud identity service. Enterprises that need data sovereignty must therefore stand up their own cloud identity infrastructure. But the move to cloud identity needs to be phased, so that one distinct component or business process can be updated at a time.

The diagram above presents the first phase of a migration approach using Gluu Flex. It demonstrates how enterprises can introduce a modern, cloud-native identity platform without breaking existing workflows. The strategy? Keep AD for now—but start minimizing your reliance on it. Here's how it works.


The Migration Strategy in a Nutshell

At the heart of the diagram is Gluu Flex, a comprehensive identity platform designed to support modern protocols (OpenID Connect, OAuth, SAML, UMA, FIDO) while enabling centralized governance through a Central Policy Repository. The diagram shows how Gluu Flex is introduced into the existing AD-centric environment, acting as a new control plane for authentication and access, while still leveraging AD as the system of record for workforce identity in the short term.


Step 1: Sync Users from Active Directory

To begin, Janssen Link is configured to synchronize identity data from AD to the Flex RDBMS. This means that users already being created, updated, or deleted in AD—via enterprise HR processes, IT automation, or manual workflows—are automatically mirrored in Gluu Flex. This preserves business continuity without introducing any disruption to how workforce identity is managed operationally.

Importantly, passwords are not synced. That's intentional. AD does not expose password material over LDAP, and the hash it stores (an unsalted NT hash) is not something you would want to replicate into another store even if you could extract it. Instead, authentication continues to point back to AD: Gluu Flex validates the password with an LDAP bind against a domain controller (over LDAPS, since a simple bind otherwise sends the password in the clear). Users still press Ctrl+Alt+Delete to change their password, and those credentials remain valid for login, but the rest of identity services now move to Gluu Flex.
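The reconciliation rules a one-way sync like this has to follow, as an added example in Python (it is not Janssen Link's code): join on objectGUID rather than the login name, mirror AD's disabled flag, refuse to carry password attributes, and refuse to mass-delete when an AD read comes back short. The AD records and the downstream store are constructed for the example; the LDAPS search that would fetch the entries and the write into the Flex RDBMS are assumed to sit around it.

```python
"""One-way sync of Active Directory users into a downstream identity store.
Added example, not Janssen Link.  The AD records are constructed, not
captured from a real domain; reading them over LDAPS and writing the plan
to Flex are outside this snippet."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UF_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled

# Never copy these, even if a careless attribute list pulled them back.
SECRET_ATTRS = {"unicodePwd", "userPassword", "ntPwdHistory", "lmPwdHistory",
                "supplementalCredentials", "dBCSPwd"}

# AD attribute -> target attribute (assumed mapping; adjust to your schema).
ATTR_MAP = {"sAMAccountName": "uid", "mail": "mail",
            "givenName": "givenName", "sn": "sn"}


@dataclass
class TargetUser:
    source_id: str              # objectGUID: stable across renames, the join key
    attrs: Dict[str, str]
    active: bool


@dataclass
class SyncPlan:
    create: List[TargetUser] = field(default_factory=list)
    update: List[TargetUser] = field(default_factory=list)
    delete: List[str] = field(default_factory=list)     # source_ids to remove
    aborted: Optional[str] = None                       # set if the run was refused


def map_entry(entry: dict) -> TargetUser:
    leaked = SECRET_ATTRS.intersection(entry)
    if leaked:
        raise ValueError(f"refusing to sync secret attributes: {sorted(leaked)}")
    uac = int(entry.get("userAccountControl", 0))
    return TargetUser(
        source_id=entry["objectGUID"],
        attrs={dst: entry.get(src, "") for src, dst in ATTR_MAP.items()},
        active=not (uac & UF_ACCOUNTDISABLE),   # disabled in AD => disabled here
    )


def reconcile(ad_entries: List[dict], target: Dict[str, TargetUser],
              max_delete_ratio: float = 0.1) -> SyncPlan:
    plan, seen = SyncPlan(), set()
    for entry in ad_entries:
        user = map_entry(entry)
        seen.add(user.source_id)
        current = target.get(user.source_id)
        if current is None:
            plan.create.append(user)
        elif current != user:
            plan.update.append(user)
    plan.delete = [sid for sid in target if sid not in seen]
    # A partial or failed AD search returns too few users; that must not
    # cascade into deleting most of the downstream store.
    if target and len(plan.delete) / len(target) > max_delete_ratio:
        plan.aborted = (f"{len(plan.delete)} of {len(target)} users would be "
                        f"deleted, above the {max_delete_ratio:.0%} threshold")
        plan.delete = []
    return plan


# Constructed AD search result (what a query for (objectClass=user) might return).
AD_SNAPSHOT = [
    {"objectGUID": "guid-1", "sAMAccountName": "alice", "mail": "alice@example.com",
     "givenName": "Alice", "sn": "Liddell", "userAccountControl": 512},
    {"objectGUID": "guid-2", "sAMAccountName": "bob", "mail": "bob@example.com",
     "givenName": "Bob", "sn": "Builder", "userAccountControl": 514},    # 512 | ACCOUNTDISABLE
    {"objectGUID": "guid-3", "sAMAccountName": "carol", "mail": "carol@example.com",
     "givenName": "Carol", "sn": "Danvers", "userAccountControl": 66048},  # DONT_EXPIRE_PASSWD set
]

# Constructed downstream store: alice unchanged, bob still active, dave gone from AD.
EXISTING_TARGET = {
    "guid-1": TargetUser("guid-1", {"uid": "alice", "mail": "alice@example.com",
                                    "givenName": "Alice", "sn": "Liddell"}, True),
    "guid-2": TargetUser("guid-2", {"uid": "bob", "mail": "bob@example.com",
                                    "givenName": "Bob", "sn": "Builder"}, True),
    "guid-4": TargetUser("guid-4", {"uid": "dave", "mail": "dave@example.com",
                                    "givenName": "Dave", "sn": "Lister"}, True),
}

if __name__ == "__main__":
    plan = reconcile(AD_SNAPSHOT, EXISTING_TARGET)
    print("create:", [u.attrs["uid"] for u in plan.create])
    print("update:", [(u.attrs["uid"], u.active) for u in plan.update])
    print("delete:", plan.delete, "| aborted:", plan.aborted)
```

With the default 10% threshold the run above creates carol, disables bob, and refuses the deletion of dave because one of three users disappearing looks like a broken read; raising the threshold (or running with an operator override) lets the delete through. The threshold is an assumption for the example; pick one that fits your churn rate.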


Step 2: Minimize AD Dependency While Maintaining Stability

This phase is all about minimizing risk. For now, let AD continue to manage passwords and act as the identity source of truth. It’s familiar. It’s embedded in IT processes. And replacing it overnight is neither practical nor necessary.

But it's critical to understand that this is an interim state. As noted above, AD is showing its age, and supporting it will only get more expensive. Doubling down on it now, for example by introducing new dependencies or deploying new AD-integrated software, is a mistake. AD is the component most likely to be targeted during an attack: attackers go after domain controller and Domain Admin privileges early in their lateral movement, because control of AD yields control of every domain-joined system and every account it holds.

So instead, use AD’s stability and institutional inertia to your advantage—not as a reason to entrench, but as a bridge to a safer, more flexible future.


Step 3: Move to Cloud Identity

What does that look like? Simple: all Web applications should use OpenID Connect for user authentication. Native, mobile and command-line applications should also authenticate the user with OpenID Connect (the authorization code flow with PKCE, or the device authorization grant on input-constrained devices) and then use OAuth access tokens to call APIs; OAuth on its own is an authorization framework, not an authentication protocol. Don't allow any new applications to connect to AD using LDAP authentication. Migrate any existing apps away from LDAP to OpenID Connect. This lets the domain orchestrate login workflows appropriate to different devices and security contexts, and it means the application never handles the user's password at all.

The diagram highlights how Gluu Flex supports a number of modern standard authentication and authorization APIs:

  • OpenID Connect & OAuth for authentication and delegated access
  • SAML for legacy apps
  • FIDO for passkey and security key authentication
  • SCIM for user provisioning (if Link is syncing users from Active Directory, don't provision the same accounts through SCIM as well, or the two writers will fight over them; SCIM becomes the provisioning path once AD is no longer the master)
  • UMA for user-managed "Alice to Bob" resource sharing

Once applications authenticate against Gluu Flex instead of AD, AD's role in the enterprise identity stack is frozen and can only decline. Applications don't need to speak LDAP anymore. RIP Kerberos! (Kerberos does not disappear on day one: Windows logon, SMB file shares, printing and many thick-client applications still depend on it, which is why those workloads are the last to move, not the first.) This is where costs begin to decline. By using Gluu Flex as the new authoritative identity and policy engine, organizations can consolidate application onboarding, eliminate redundant integrations, and reduce their Microsoft license footprint.

Ideally even Windows desktop login, VPN login, and Wi-Fi RADIUS authentication should all use OpenID Connect or OAuth. In practice these are the hardest integrations: desktop login has to work while disconnected from the network, and RADIUS has no browser to redirect, so plan them as the final phase and leave them on AD until the application estate has moved.
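What "use OpenID Connect for authentication" means on the application side, as an added example in Python (not Gluu Flex or Janssen code): the checks a relying party must run on the ID token it gets back before trusting the login. To run offline with only the standard library it uses HS256 with the client secret as the key, which OpenID Connect Core permits; an OP like Flex normally signs with RS256 or ES256 using keys published at its JWKS endpoint, and only the signature step changes. The issuer, client id, secret and claims are constructed for the example.

```python
"""OpenID Connect ID token validation at a relying party (added example, not
Gluu Flex code).  HS256 with the client secret as key (OIDC Core 10.1) is
used so this runs offline; swap in RS256/ES256 + JWKS for a real OP."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """The OP side: an HS256-signed ID token for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, *, issuer: str, client_id: str, client_secret: str,
                      expected_nonce: str, now: Optional[float] = None, leeway: int = 60) -> dict:
    """The RP side (OIDC Core 3.1.3.7).  Raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        sig = _b64url_decode(s)
    except ValueError:                      # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm; the header must never choose it ("alg":"none" forgeries).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:           # a token minted for another app is not a login here
        raise ValueError("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != expected_nonce:   # nonce came from this session's auth request
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def demo_cases(now: float = 1_700_000_000) -> dict:
    """Constructed tokens: one good login and five that must be rejected."""
    secret, issuer, client = "s3cret-shared-with-app-1", "https://idp.example.com", "app-1"
    base = {"iss": issuer, "sub": "alice", "aud": client, "exp": now + 300, "iat": now, "nonce": "n-42"}
    cases = {
        "valid": mint_id_token(base, secret),
        "other-client": mint_id_token({**base, "aud": "app-2"}, secret),
        "expired": mint_id_token({**base, "exp": now - 3600}, secret),
        "replayed-nonce": mint_id_token({**base, "nonce": "n-41"}, secret),
        "wrong-secret": mint_id_token(base, "not-the-secret"),
    }
    h = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    cases["alg-none"] = f"{h}.{_b64url(json.dumps(base).encode())}."   # unsigned forgery
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, issuer=issuer, client_id=client, client_secret=secret,
                              expected_nonce="n-42", now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo_cases().items():
        print(f"{name:15s} {outcome}")
```

The audience and nonce checks are the ones most often skipped in hand-rolled clients, and skipping them is exactly how a token issued to one application gets accepted as a login to another. A production RP should take all of this from a maintained OIDC client library rather than re-implementing it; the point of the example is to show what that library has to do.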


Step 4: Establish Centralized Governance

A powerful feature of this architecture is the Central Policy Repository. All apps, whether web, mobile, or API-based, rely on centrally managed access policies, and Gluu Flex itself enforces the same centrally approved policies. Standardizing policy syntax and evaluation enables consistent enforcement and decision logging across the entire infrastructure.

Every authorization event, e.g. "Can this user access this API?", is logged in the Decision Audit Logs component, whether the answer is permit or deny. This visibility enables governance, compliance, and forensic analysis. Over time, these logs let security teams establish who accessed what, when, and under which policy, something difficult to achieve with the fragmented, per-application controls that grow up around AD.
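The two properties just described, one policy syntax evaluated the same way for every app and an audit record for every decision, as an added Python example. This is not Gluu Flex's policy engine or its log format; the evaluation semantics (deny by default, an explicit forbid overrides any permit, as in Cedar and XACML deny-overrides) and the payroll policies and requests are constructed for the example.

```python
"""Central policy evaluation with a decision audit record for every request.
Added example, not Gluu Flex's engine or log format; policies and requests
are constructed for illustration."""
import json
import time
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    id: str
    effect: str                  # "permit" or "forbid"
    roles: FrozenSet[str]        # subject needs one of these; empty = any subject
    resource_prefix: str         # e.g. "/api/payroll/"
    actions: FrozenSet[str]
    require_mfa: bool = False    # context condition on the request


@dataclass(frozen=True)
class Request:
    app: str                     # which enforcement point asked
    subject: str
    roles: FrozenSet[str]
    resource: str
    action: str
    mfa: bool = False


def applies(p: Policy, r: Request) -> bool:
    return (r.resource.startswith(p.resource_prefix)
            and r.action in p.actions
            and (not p.roles or bool(p.roles & r.roles))
            and (r.mfa or not p.require_mfa))


class PolicyDecisionPoint:
    def __init__(self, policies: List[Policy], log: Optional[List[dict]] = None):
        self.policies = list(policies)
        self.log: List[dict] = [] if log is None else log   # the decision audit log

    def decide(self, r: Request, ts: Optional[float] = None) -> str:
        matched = [p for p in self.policies if applies(p, r)]
        forbids = [p.id for p in matched if p.effect == "forbid"]
        permits = [p.id for p in matched if p.effect == "permit"]
        if forbids:
            decision, reason = "deny", "forbid overrides permit"
        elif permits:
            decision, reason = "permit", "matching permit"
        else:
            decision, reason = "deny", "no applicable policy (default deny)"
        # Denies are logged too: the failed attempts are what forensics needs.
        self.log.append({
            "ts": time.time() if ts is None else ts, "app": r.app,
            "subject": r.subject, "roles": sorted(r.roles), "resource": r.resource,
            "action": r.action, "mfa": r.mfa, "decision": decision,
            "reason": reason, "permits": permits, "forbids": forbids,
        })
        return decision


def audit_line(record: dict) -> str:
    """One JSON line per decision, ready to ship to a SIEM."""
    return json.dumps(record, sort_keys=True)


# Constructed policy set shared by every app that fronts the payroll API.
POLICIES = [
    Policy("p-payroll-read", "permit", frozenset({"hr"}), "/api/payroll/", frozenset({"GET"})),
    Policy("p-payroll-write", "permit", frozenset({"hr-admin"}), "/api/payroll/",
           frozenset({"POST", "PUT", "DELETE"}), require_mfa=True),
    Policy("p-contractor-block", "forbid", frozenset({"contractor"}), "/api/payroll/",
           frozenset({"GET", "POST", "PUT", "DELETE"})),
]

if __name__ == "__main__":
    pdp = PolicyDecisionPoint(POLICIES)
    for req in [
        Request("hr-portal", "alice", frozenset({"hr"}), "/api/payroll/2024/q1", "GET"),
        Request("hr-portal", "carl", frozenset({"hr", "contractor"}), "/api/payroll/2024/q1", "GET"),
        Request("admin-cli", "hana", frozenset({"hr-admin"}), "/api/payroll/2024/q1", "PUT"),
        Request("admin-cli", "hana", frozenset({"hr-admin"}), "/api/payroll/2024/q1", "PUT", mfa=True),
    ]:
        pdp.decide(req, ts=1_700_000_000)
    for rec in pdp.log:
        print(audit_line(rec))
```

Carl holds the hr role but is also a contractor, so the forbid wins; Hana's write is denied until her session carries MFA, and the log shows which policy (or the absence of one) produced each answer. Writing the log with the policy ids is what makes a later "why could this user do that?" question answerable.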


Step 5: Plan for Password Transition

While this model permits AD to continue handling password changes via LDAP and native Windows workflows, the goal is to break the "Ctrl+Alt+Delete" dependency over time. Tools like Gluu Casa can be introduced for modern password self-service and account recovery, gradually retraining users and reducing reliance on AD password infrastructure.

When combined with modern authentication factors (e.g. passkeys and security keys), organizations can transition to passwordless authentication, which takes password spraying, phishing and credential stuffing off the table for those users and further shrinks the attack surface that AD's password infrastructure presents.


Step 6: Sunset AD and Migrate Identity Mastering

The final phase is to retire AD as the identity master. Once most applications use Gluu Flex for authentication and AD is no longer the point of control, user mastering can shift to a modern Identity Governance and Administration (IGA) solution connected to Gluu.

The diagram shows an IDM/IGA system on the far right, also integrated with the central policy store. This is where lifecycle management transitions—Joiner, Leaver, Mover events—are orchestrated without involving AD. New users can be created directly in Gluu Flex or provisioned from an HR system. Passwords can be managed through modern credential management tools or federated identity providers.

Eventually, the Link synchronization becomes obsolete—Gluu Flex becomes the new authoritative identity store.


Final Thoughts: The Clock Is Ticking on AD

There’s no need for alarmist replatforming, but the message is clear: don’t invest further in Active Directory. Follow Microsoft's lead--even they are moving to cloud identity. This architecture offers a smart, phased approach. It recognizes current operational realities (AD is embedded, users are trained, IT workflows depend on it) while positioning your infrastructure for a more secure, standards-based future.

By introducing Gluu Flex in this way, enterprises can:

  • Lower risk by reducing AD attack surface
  • Improve agility by supporting modern protocols
  • Cut costs by eliminating legacy integrations and licenses
  • Centralize governance for easier audits and compliance

Gluu Flex becomes the bridge from a legacy identity model to a modern one—without breaking what's already working. But it also helps avoid a future where you’re still paying jillions to support a 25-year-old Microsoft product whose best days are long behind it.

Anup Menon

Information Security Servant Leader - IGA & PAM Engineering at BT Group

3d

Mike Schwartz - I have not fully read the paper here but I will get to it. However, in your research is there a list you have compiled of all roadblocks customers have for a world without AD? No, I am not talking about SMBs. I am talking about large Global orgs who have decades of AD dependency like printing, older thick apps, SharePoint farms, winterms/kiosks and, I don't know, storage perhaps? If a giant org wants to do away with AD - where do you begin and where would you end? This question is quite agnostic to Gluu though.

Felix Gaehtgens

IAM expert, ex Gartner analyst

4d

Mike Schwartz I really, really would love you to be right on the fact that you can say "RIP Kerberos", but how feasible is it today? Modern Windows does support Azure AD authentication, which uses OAuth 2.0/OpenID Connect under the hood, though it still often relies on cached credentials and tokens rather than pure OAuth flows. Many Windows services and applications expect Kerberos tickets and AD integration. Windows session handling is tightly coupled with its current authentication model. Desktop login needs to work when disconnected from the network, which is tricky with OAuth's typical online token validation. Have you found a way to make this work?

Chris Paul

Sr. Solutions Architect | Monitoring, Automation, LDAP

3w

For the sake of discussion, what’s wrong with AD? Integrated DNS, LDAP, and Kerberos. Solid protocols that have had over a quarter of a century of refinement. I can think of a few things wrong with AD but they have less to do with the product itself than erstwhile implementations and the support you get, God forbid if you actually need it.


I feel like I could have written this article in 2009 when we started Gluu (although it's more clear now how this migration needs to happen). In 2025, very few companies want sovereignty. But for those select few who still want to operate their IDP--we're here for you!
