Authentication Options: Migrating from WAM to Modern Access

April 11, 2016

Over the past couple of weeks in this blog series, we've discussed how traditional identity and access management (IAM) systems can't solve today's business needs. We've also reviewed how seamlessly you can migrate to a modern access management solution from your legacy WAM technology, such as CA Single Sign-On and Oracle Access Manager. This week, we'll explore the technical strategies for authentication when planning a migration.


The process of migrating from CA or Oracle to the Ping Identity Federated Access Management (FAM) solution isn't very complex. However, there's one strategic technical decision that must be made during the planning cycle that'll directly impact the user experience during migration: the authentication system of record. Providing a single sign-on (SSO) experience is critical to shield the end user from the complexities of separate security systems.


Most migrations would require the user to authenticate separately for each security system, but our FAM solution provides SSO across both systems during the migration. In order for the migration experience to be ideal, the authentication system of record must be determined very early in the migration process, which is why it's such an important and strategic technical decision to make during the planning cycle.


There are two main options for the authentication system: PingFederate® or a legacy WAM system. As an example, let's compare PingFederate to CA Single Sign-On. The authentication system is responsible for authenticating the user against the directory or identity store. Rather than having both CA Single Sign-On and PingFederate authenticate users against a single identity store, one system should be selected to authenticate the user. Here's a look at the two options:


Option 1: Select PingFederate as the system of authentication at the beginning of the migration process. The drawback to this option is that the end user must authenticate with PingFederate before they can access an application protected by CA Single Sign-On. This might not be preferred due to a potential change in experience.




Option 2: Continue using CA Single Sign-On as the primary authentication service. This option delays the migration of authentication policies until the very end of the migration process, but it has less impact on user experience and application teams. It involves steps to integrate PingFederate with CA Single Sign-On to honor and validate CA's identity tokens.


Regardless of which authentication method you choose, it's important to keep the user experience in mind. The migration from one identity security system to another should be transparent to the end user.


Our FAM solution is the only identity security solution that enables this seamless migration. End users won't know the difference, but IT will be able to securely leverage infrastructure as a service (IaaS), apply the same security policies to web and API resources, and easily share applications with customers and partners.


To learn more about the technical details of migration, check out our white paper and watch our webinar to see a demo of our FAM solution. During the webinar, we discuss top IT trends, the necessity of an Identity Defined Security approach to support them, and tips for migrating off CA and Oracle.