Logo / Docs

Migrate From Userfront

Overview

With the upcoming shutdown of the Userfront identity service, FusionAuth has partnered with Userfront to provide Userfront customers a new home and a smooth transition. This guide walks you through the steps required to migrate your application from Userfront to FusionAuth.

Prerequisites

Before you begin, contact Userfront to share your data with FusionAuth. This allows FusionAuth to migrate your data from Userfront.

Verify FusionAuth

The first step is to verify that FusionAuth is the right solution for your application. There are two ways you can test FusionAuth to ensure it meets your requirements:

  1. Follow our Getting Started guide to run FusionAuth locally and test it with your application.
  2. Contact FusionAuth sales to set up a test environment in FusionAuth Cloud and work with our Solution Engineering team to answer any questions you might have. They can also help with design and troubleshooting.

Key Differences

There are a number of key differences between Userfront and FusionAuth to keep in mind during the verification process.

  • FusionAuth is a standards based CIAM platform that implements the OAuth, OpenID Connect, and SAML standards; Userfront is an bespoke identity service that primarily leverages custom APIs to perform authentication.
  • While FusionAuth provides a custom authentication API, using the OAuth, OpenID Connect, or SAML standards is recommended.
  • FusionAuth SDKs leverage a standard-based approach to authentication via OpenID Connect.
  • Translating between the Userfront SDKs and FusionAuth SDKs will require some additional work to implement OpenID Connect properly in your application.
  • FusionAuth’s support for MFA is different than Userfront’s, which is tied to a user or required for all users. FusionAuth offers the same methods, but with more granularity around when the MFA challenge occurs.
  • FusionAuth supports SAML directly as both a Service Provider (SP) and Identity Provider (IdP) following the SAML specification. Converting from Userfront’s SAML implementation to FusionAuth’s implementation may require different configuration and integration.
  • FusionAuth roles are not scoped to a Tenant. Rather they are scoped to an Application, which can exist in a Tenant or be defined as a Universal Application.

Limitations

Here are some limitations to consider when switching your application from Userfront to FusionAuth:

  • FusionAuth does not support Tenant hierarchies but does support multi-tenancy.
  • The Userfront SDKs will not work with FusionAuth.
  • The FusionAuth SDKs are not a drop in replacement for the Userfront SDKs.

Implementation

This guide doesn’t provide a step-by-step guide to migrate your application from Userfront to FusionAuth due to the wide variety of possible integrations and configurations. However, the general migration process will be to convert your application from an embedded login component to use FusionAuth’s OpenID Connect workflow (which is built on top of OAuth).

If you aren’t familiar, OAuth is a standard that uses browser redirects to handle everything from registration and login to MFA and Single Sign-on. FusionAuth implements OAuth directly and our SDKs also integrate with OAuth as well.

As an example, Userfront’s React SDK provides an embedded <LoginForm> component that calls the Userfront APIs directly. FusionAuth’s React SDK instead uses a startLogin() function that handles the redirect to FusionAuth’s OAuth workflow. To convert from an embedded login form to OAuth, you’ll need to rework your application appropriately.

If you are concerned about switching from an embedded login page to OAuth, OAuth is a well-defined standard that has been through rigorous review and testing for over a decade. It is now considered the most secure and consistent way to implement authentication. It prevents attacks such as XSS, cookie stealing, URL hijecking, token hijacking, and many more. In addition, FusionAuth has over 7 years of rigorous security audits, penetration tests, bug bounties, and security reviews of our OAuth implementation. You can rest assured that FusionAuth’s OAuth implementation is secure and reliable.

Migration Steps

Once you have confirmed that FusionAuth meets your needs, you will need to contact FusionAuth Support to gain access to the Userfront migration script or to request data imports into your FusionAuth Cloud environment.

If you self-host FusionAuth, ask Userfront to allowlist the IP address of the machine where you plan to run the migration script. Once added to the allowlist, use the migration script to import Userfront user data into your FusionAuth instance. Allowlisting is required by Userfront for security.

If you are using FusionAuth Cloud, the FusionAuth Support team will work with you to import your data into your FusionAuth Cloud environment. This can be scheduled to coincide with the timing of when your application will convert to FusionAuth as well.