midPoint Implementation Methodology

How We Know Identity delivers production-ready identity platforms. Realistic scope, phased risk management, and documented handoff.

The essence: 5 phases, clear handoffs, managed risk

  • Discovery & Assessment establishes scope, current state, and architectural direction without rushing to build.
  • Architecture & Design produces a detailed blueprint for connectors, roles, governance, and deployment before a line of code is committed.
  • Core Build & Integration executes the system design with phased connector rollout, continuous testing, and documented progress.
  • Testing & UAT validates the entire platform against business requirements, security controls, and operational readiness before production.
  • Go-Live & Knowledge Transfer moves the system to production and hands it to your operations team with training, runbooks, and support continuity.

Why Methodology Matters

Identity platform implementations fail not because the technology is hard, but because the delivery is unclear. Organizations often start building before they understand their own identity landscape. When scope drifts, testing is cut short, or handoff is rushed, projects extend, budgets overrun, and operational maturity suffers.

We Know Identity uses a structured methodology because:

  • Scope clarity prevents scope creep. Explicit phase gates, documented deliverables, and shared acceptance criteria keep everyone aligned.
  • Architecture comes before build. A clear system design reduces rework, accelerates integration, and creates a maintainable platform your team can operate independently.
  • Testing is not optional. Comprehensive functional testing, integration testing, and UAT before go-live catch issues in controlled environments, not in production.
  • Parallel run and rollback are real. We design for safe cutover, including ability to revert if production issues emerge.
  • Knowledge transfer is planned, not rushed. Your team receives documentation, training, and validated runbooks so you own the platform from day one.

The Five Phases of WKI Implementation

Phase 1: Discovery & Assessment

Duration: 2–4 weeks | Typical involvement: weekly workshops + document review
What WKI Does:

  • Interview key stakeholders (IT, HR, security, audit) to document current identity processes and pain points.
  • Audit existing identity systems: directory structure, authoritative data sources, integration points, and current role model.
  • Document identity lifecycle flows: joiner, mover, leaver, contractor, role change, access request and approval processes.
  • Assess current compliance obligations and audit requirements.
  • Create a high-level target architecture showing midPoint placement, data source hierarchy, and connector scope.
  • Produce a scoped statement of work, timeline estimate, and resource requirements.
What You Provide:

  • Access to system owners, network, and current platform documentation.
  • Participant availability for discovery workshops.
  • Clarity on business priorities: what problems matter most?
  • Approval of the target architecture and statement of work before build begins.
Deliverables:

  • Current State Assessment Report (identity systems, data flows, integration points, compliance gaps).
  • Target Architecture Diagram (midPoint placement, data sources, connectors, deployment model).
  • Identity Lifecycle Process Documentation (joiner, mover, leaver, approvals, policy).
  • Connector Inventory & Integration Complexity Analysis.
  • Detailed Project Scope & Statement of Work.
  • Timeline & Resource Plan.

Phase 2: Architecture & Design

Duration: 3–5 weeks | Typical involvement: design reviews, approval checkpoints
What WKI Does:

  • Design the role model: attributes, role definitions, segregation of duties constraints, and governance rules.
  • Develop the connector strategy: technical approach for each data source (AD, HR system, databases, APIs), synchronization logic, and conflict resolution.
  • Design approval workflows and governance rules: who approves access requests, role changes, and sensitive operations.
  • Plan the deployment architecture: midPoint topology (single instance, high availability), database strategy, and backup/disaster recovery.
  • Create detailed integration specifications for each connector: data mapping, transformation rules, business logic.
  • Document operational procedures: deployment, monitoring, troubleshooting, and escalation paths.
What You Provide:

  • Feedback on role model and connector strategy in design review sessions.
  • Approval of governance rules and approval workflows.
  • Final sign-off on deployment architecture and operational procedures.
  • Confirmation of data mapping requirements for each connector.
Deliverables:

  • Role Model Design & Documentation.
  • Connector Technical Specifications (one per connector: data sources, mapping, transformation, business rules).
  • Approval Workflow & Governance Design.
  • Deployment Architecture & Infrastructure Plan.
  • Data Integration & Synchronization Strategy.
  • Operational Procedures & Runbooks (draft).

Phase 3: Core Build & Integration

Duration: 6–10 weeks | Typical involvement: monthly progress reviews, testing oversight
What WKI Does:

  • Configure midPoint core: users, roles, policy rules, and attribute definitions per the design.
  • Develop and test connectors for each integrated system, starting with primary data sources.
  • Implement approval workflows, governance rules, and access control policies.
  • Set up monitoring, logging, and alerting.
  • Perform continuous integration testing: verify data flow, transformation, and synchronization accuracy for each connector as it is built.
  • Document all customizations, configurations, and code in a configuration management repository.
  • Maintain a detailed test matrix tracking every feature and connector implementation.
What You Provide:

  • Test environment access and infrastructure (servers, networking, database).
  • Access to test data and sandbox credentials for connected systems.
  • Feedback during monthly progress reviews.
  • Clarification on edge cases and business rule exceptions.
  • Participate in integration testing to validate connector behavior against your business processes.
Deliverables:

  • Configured midPoint instance with all roles, policies, and rules.
  • Developed and integrated connectors for all target systems.
  • Test results documenting connector functionality and data accuracy.
  • Configuration documentation and code repository access.
  • Monitoring & alerting configuration.
  • Progress reports and integration test matrix.

Phase 4: Testing & UAT

Duration: 3–6 weeks | Typical involvement: dedicated test team, approval cycles
What WKI Does:

  • Conduct system testing: validate all features, policies, workflows, and integrations against requirements.
  • Execute functional testing for each connector, approval workflow, and governance rule.
  • Perform integration testing across connected systems: verify data consistency, synchronization timing, and conflict resolution.
  • Conduct security and compliance testing: access controls, audit logging, sensitive attribute handling, and policy enforcement.
  • Support your User Acceptance Testing (UAT) team: answer questions, investigate issues, provide test data, and track defects.
  • Manage UAT defects and changes: prioritize fixes, document workarounds, and validate resolutions.
  • Conduct load and performance testing: validate the system handles expected user and transaction volumes.
  • Test disaster recovery and rollback procedures in a non-production environment.
What You Provide:

  • Dedicated test team or UAT participants to execute business-process-focused test cases.
  • Test data (user records, role assignments, test scenarios aligned with your processes).
  • Approval authority to accept the system for production deployment.
  • Timely review and sign-off of defects and fixes.
  • Security and compliance review and approval.
Deliverables:

  • System & Functional Test Plan & Results.
  • Integration Test Report.
  • Security & Compliance Test Report.
  • Load & Performance Test Results.
  • Defect Log and Resolution Tracking.
  • UAT Support & Issue Resolution Documentation.
  • Disaster Recovery & Rollback Test Results.
  • Production Readiness Certification.

Phase 5: Go-Live & Knowledge Transfer

Duration: 2–4 weeks | Typical involvement: operational handoff, training, early support
What WKI Does:

  • Execute production cutover: data migration, system activation, connector synchronization, and verification that production data is correct.
  • Monitor midPoint and all connected systems closely during the first 48–72 hours post-go-live.
  • Conduct knowledge transfer sessions with your operations team on system administration, troubleshooting, and operations.
  • Deliver final documentation: operational runbooks, architecture documents, configuration change log, and support escalation procedures.
  • Provide on-call support during the first 2–4 weeks post-go-live to handle unforeseen issues.
  • Facilitate lessons-learned review and document recommendations for future enhancements.
What You Provide:

  • Final approval to proceed with production cutover.
  • Operations team availability for training and knowledge transfer.
  • Change control and change window scheduling.
  • Support for early production issues (prioritization, testing, approval of fixes).
  • Feedback and sign-off on final documentation.
Deliverables:

  • Production Cutover Plan & Execution Report.
  • Knowledge Transfer Training Sessions & Materials.
  • Final System Documentation & Architecture Records.
  • Operations & Support Runbooks.
  • Go-Live Support Log & Issue Resolution.
  • Configuration Management Repository with full source control and change history.
  • Lessons-Learned Report & Enhancement Recommendations.

How We Manage Delivery Risk

Delivery risk in midPoint implementations comes from scope uncertainty, integration complexity, and the criticality of identity systems. We control risk through structured phases, clear handoffs, and operational discipline.

Phased Gates & Approval Checkpoints

Each phase concludes with documented deliverables and formal acceptance by you. We do not proceed to the next phase until scope, architecture, or testing results are signed off. This prevents hidden surprises and keeps both parties aligned.

Continuous Testing & Quality Gates

We test as we build, not after. Every connector is tested individually before integration; every integration is tested before UAT. This catches issues early, when they are inexpensive to fix.

Parallel Run & Rollback Capability

Where feasible, we run the new midPoint platform in parallel with the existing identity systems for 1–2 weeks before cutover. This allows you to verify behavior in production conditions without affecting operations. We also design and test rollback procedures so you can revert to the previous state if production issues emerge.

Scope Governance & Change Control

Scope changes are documented, assessed for impact and schedule, and approved by both parties before implementation. We do not silently expand the project.

Resource & Knowledge Continuity

We assign stable, named team members to your project and conduct knowledge transfer so your team can operate the system independently. We do not hand over a black box.

Monitoring & Operational Readiness

Before go-live, we set up monitoring, logging, alerting, and documented escalation procedures. Your operations team receives training and has clear paths to support resources (and to us during the first weeks).

Ready to understand what a real midPoint implementation looks like?

Let’s discuss your identity architecture, timeline, and delivery goals. We’ll walk through the phases relevant to your situation and answer your questions directly.

Schedule an Architecture Discussion

What You Receive: The Tangible Outputs

Every WKI project produces documented, usable deliverables. Your team owns these artifacts and can use them to operate, extend, or migrate the platform independently.

Architecture Documentation

Complete system design, data flows, connector specifications, deployment model, and operational procedures.

Role Model & Governance Policy

Documented roles, attributes, approval workflows, SoD rules, and business logic.

Connector Integration Specifications

Technical specifications for each integrated system, with data mapping, transformation rules, and business logic.

Test Plans & Results

Functional, integration, security, and performance test results with evidence of validation.

Operations & Support Runbooks

Step-by-step procedures for common operations, troubleshooting, escalation, and incident response.

Configuration Repository

Full source control of all midPoint configuration, custom code, and scripts, with change history and documentation.

Knowledge Transfer & Training Materials

Instructor-led training sessions and documentation for your operations and administration teams.

Go-Live Support & Lessons Learned

Post-go-live support logs, issue resolution, and formal recommendations for future enhancements.

Engagement Models: How We Price & Structure Projects

We offer two primary engagement models depending on your scope clarity and appetite for fixed commitments.

Most successful projects blend these models: Discovery and Architecture are typically T&M. Once scope and design are locked, Core Build may be fixed-scope. Testing and Go-Live usually revert to T&M for flexibility.

Want to know how this applies to your situation?

We can discuss the phases relevant to your environment, timeline, and budget in a brief consultation. No obligation.

Request a Consultation

Frequently Asked Questions

How long does a typical midPoint implementation take?

A full implementation typically takes 4–6 months from discovery through go-live, depending on complexity. Organizations with simple directory structures and 3–5 connectors may complete in 3–4 months. Those with complex role models, many legacy integrations, or geographically distributed teams may take 6–9 months.

The timeline breaks down roughly as follows:

  • Discovery & Assessment: 2–4 weeks
  • Architecture & Design: 3–5 weeks
  • Core Build & Integration: 6–10 weeks
  • Testing & UAT: 3–6 weeks
  • Go-Live & Knowledge Transfer: 2–4 weeks

Overlap between phases (parallel work streams) can shorten the total calendar time. Phased rollouts—where you implement connectors or features incrementally—also affect duration.

Can we start with a proof of concept (PoC) before committing to the full implementation?

Yes, many organizations prefer a PoC first. A typical PoC scope might include discovery, a simplified architecture for 1–2 connectors, and a basic midPoint instance in your test environment. This usually takes 4–8 weeks and costs roughly 30–40% of a full implementation.

A PoC serves several purposes:

  • Validates that midPoint meets your technical requirements
  • Lets your team experience the platform and operational model
  • De-risks the full implementation by identifying integration challenges early
  • Provides concrete data for budget and timeline planning of the full project

We can discuss a PoC scope in your initial consultation.

What do we need to provide on our side?

Your core contribution is expertise and decision-making authority from your organization:

  • Stakeholder availability: Key people from IT, HR, security, and operations for discovery, design review, and testing.
  • Business requirements & process documentation: How identities currently flow through your organization (joiner, mover, leaver, role changes, approvals).
  • Access to existing systems: Network access, credentials, and documentation for the systems you want to integrate (AD, HR system, databases, APIs, etc.).
  • Test environment & data: A staging environment where we can build and test the midPoint platform, plus test data (anonymized user records, test account credentials).
  • Approval authority: Clear decision-making channels so we don’t get stuck waiting for approvals.
  • Infrastructure & support: Database, servers, networking, backups, and change control processes to support production deployment.

We provide the midPoint expertise, methodology, and hands-on delivery. You provide domain knowledge, environment access, and decision authority. It is a partnership.

What happens after go-live? Do we need ongoing support?

During the first 2–4 weeks after go-live, we provide on-call support to address any issues that emerge in production. We help troubleshoot, document fixes, and ensure your operations team is confident running the system.

After that initial support window, support options are flexible:

  • Fully independent: Your operations team manages the system, with on-demand consulting available if you hit blockers.
  • Managed support retainer: Fixed monthly support hours for questions, minor enhancements, system monitoring, and proactive optimization.
  • Break-fix consulting: You reach out as needed; we scope and deliver based on hourly rates or fixed packages.

The deliverables and knowledge transfer we provide during the implementation are designed to set your team up for independence. We also document all configurations and decisions so any competent identity engineer can maintain the system.

Can we add or change connectors and features after go-live?

Yes. One of midPoint’s strengths is flexibility and extensibility. After go-live, you can:

  • Add new connectors to integrate additional systems (e.g., add a second HR system, add a specialized database).
  • Modify the role model, governance rules, or approval workflows as business requirements evolve.
  • Extend the platform with custom code, scripts, or connectors for specialized scenarios.

We design the initial architecture to anticipate common additions (e.g., room for 5–10 connectors, scalable role model, well-structured codebase). We also document the architecture and all customizations so future changes are manageable and low-risk.

Many of our clients add connectors or features incrementally in the year following go-live, either with our support or independently with their own teams.

How do you handle integration with systems we can’t easily access or test?

Some systems are difficult to test safely (e.g., production HR systems, highly regulated databases, legacy systems without staging environments). We use several strategies:

  • Connector design review: We design the connector in detail with your subject matter experts before any code is written. This catches issues before implementation.
  • Staged rollout: We build the connector in a test environment, then implement it against a real staging copy of the system, then carefully schedule production activation with your operations team standing by.
  • Documentation & automation: We provide detailed technical documentation, runbooks, and (where possible) automated monitoring and alerting so you and your system owner can validate behavior in production with minimal disruption.
  • Parallel run & rollback: For critical integrations, we run the connector in read-only or shadow mode first to validate behavior before fully activating it.

The key is planning. We discuss integration risk in the architecture phase and adjust timelines and testing strategies accordingly.

What happens if we discover new requirements or change our minds during the project?

Scope changes are normal and expected during large projects. Our approach is to manage them transparently:

  • Document the change: We capture what is changing and why.
  • Assess the impact: We analyze the impact on schedule, effort, and cost.
  • Get approval: We present the change request to your project sponsor for approval and sign-off.
  • Adjust the plan: We update the timeline and deliverables accordingly.

This process keeps surprise cost and schedule overruns from happening. We do not silently expand the project.

That said, the phase-gated methodology is designed to catch many potential requirements early, during architecture and design, before we start building. So by the time we reach core build, scope is usually stable.

What is the total cost of a midPoint implementation with We Know Identity?

Cost depends primarily on:

  • Scope: Number and complexity of connectors, size of role model, custom logic required.
  • Complexity: Simple deployments integrating 3–4 standard connectors cost less than complex environments with many legacy integrations or custom business logic.
  • Your involvement: Organizations that provide timely access, clear requirements, and quick approvals see faster delivery and lower cost.
  • Timeline: Phased implementation over 6 months may have different labor patterns than a compressed 3-month implementation.

A typical small-to-medium implementation (5–7 connectors, defined role model, standard approval workflows) in a T&M engagement runs 1,500–2,500 billable hours over 4–6 months. A fixed-scope phase for Core Build & Integration might be €80k–150k. A full start-to-finish implementation might range from €150k–350k depending on the above factors.

We provide a detailed cost estimate and timeline after the discovery and architecture phases, when scope is clear. There are no surprises.

Do you support phased implementations where we add connectors and features over time?

Yes, and many organizations prefer phased approaches for budget, resource, or risk reasons. A phased implementation might look like:

  • Phase 1 (Months 1–3): Discovery, architecture, and core build of the first 2–3 priority connectors (e.g., AD and HR system).
  • Phase 2 (Months 4–6): Add 2–3 additional connectors (e.g., email, VPN, specialized database).
  • Phase 3 (Months 7–9): Enhance governance, add advanced workflow, integrate additional systems.

Phased implementations spread cost and resource commitment over time. They also let you prove business value early, which helps justify additional phases.

The architecture and design work we do in Phase 1 anticipates the full scope, so adding connectors in later phases does not require rework of the core system.

Let’s Discuss Your midPoint Implementation

Whether you are exploring midPoint for the first time, planning a migration from legacy IAM, or designing a governance and lifecycle automation platform, we can help. Let’s start with a conversation about your environment, goals, and timeline.

Schedule a Discovery Call

Why We Publish This

Many organizations have been burned by identity platform implementations. Timelines slip, costs balloon, and the delivered system is difficult to maintain or extend. We publish this methodology because we believe organizations deserve to know exactly how a serious implementation partner works. You should understand the phases, the deliverables, the roles and responsibilities, and the risks—before you commit. We have nothing to hide.

If this methodology resonates with you, we’d like to talk. If you have questions, we can answer them. And if you choose to work with another partner, we hope this framework helps you hold them accountable to the same standards.

For Decision-Makers

Identity platform projects fail not because the technology is hard, but because delivery is unclear. Undefined scope, rushed testing, and incomplete handoffs lead to budget overruns, extended timelines, and platforms your team cannot maintain. Our five-phase methodology — discovery, architecture, build, testing, go-live — uses explicit phase gates, documented deliverables, and formal acceptance criteria at every step. You know what you are getting, what it costs, and when it will be delivered.