Best strategy for moving users between database connections

This is how the scenario looks like:

In a near future we are going live with our site that uses Auth0 as an IdP for the users that want to log in to the site. After a couple of months when this site has been live we will need to migrate hundreds of accounts from another IdP to Auth0.

I have made PoC to verify that it is possible to make this migration seamless with the other IdP by using “Database action scripts” in Auth0. However to use this feature I will need to start with an empty database.

As I understand it, that would mean that I would have two databases with users that I want to migrate to a new database in Auth0, one from another IdP and one from Auth0 (on the same tenant) when it’s time to start the migration from the other IdP.

Is there any strategy I can use to make it easier the day we enable the migration from the other IdP, since we haven’t yet made our initial release of the site?

As I understand it is not possible to migrate users and keep there passwords internally in Auth0, so the option to use the export/import extension is not an option (or at least one that I want to avoid if possible).

The hypothesis I have now is to create a database in Auth0 where the “Database action scripts” are enabled from starts with some dummy functionality so that the need for migrating the Auth0 database is not needed. However I’m not sure that this is a good solution to the problem.

So, am I on right path or is there a better way to handle this problem?

Hi @lgtm

You may be able to do it using the “dummy” migration scripts. Be aware you must take into consideration accounts that exist in both IDPs, and make sure the behavior you get is consistent and reasonable.

It is probably better to do a bulk import. Auth0 does allow importing with password hashes, and supports many different password hash formats. If you can export the hashes from the other IDP, this is the way to go. Check out the management API jobs section for docs on bulk import, and dig into that to find the password hashes supported.


1 Like

Great, thanks for your reply @john.gateley!

Unfortunately we do not have the option to do the bulk import since we will not be able to include the password hashes from the other IdP. I will dig into the documentation about the bulk imports a little bit more though. Maybe an import without password still would be a better choice anyway than setting up a migration script and handle that process. It will reduce the technical complexity but lower the UX when switching IdP.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.