De-risking Migration from your Legacy WAM

July 2, 2018
Andrew Goodman
Sr. Product Marketing Manager

Web access management (WAM) has been around for roughly 20 years, a lifetime in the computing world. Nascent systems solved the critical issue of allowing smooth access to web-based applications, while WAM solutions in their prime securely ensured that the appropriate users could safely and easily get to their required applications.

But today’s enterprise users increasingly need access to cloud, API and mobile applications instead of solely on-premises resources—and WAM simply has not kept pace.


Web access management may not be dead yet, but there are clear signs that it’s sucking in its last, labored breaths. And in its place, we’re seeing a shift to a modern access solution that provides the security you need for today’s requirements and much more.


As your enterprise undergoes the transformation to identity-driven productivity, the prospect of migration may seem daunting. But you can ease that process with a new tool, PingAccess Policy Migration (PAPM). Designed to facilitate migration from legacy WAM systems, including CA Siteminder (CA SSO) and Oracle Access Manager, PAPM removes the burdensome and error-prone processes involved in manually migrating policies to PingAccess.


Here’s a look at why now is the time to move to a modern identity solution, how you can avoid common pitfalls while doing so, and how best to accelerate and de-risk migration from your legacy WAM system.


Legacy WAM Migration Hurdles

As an identity and access management (IAM) professional, you’re well aware of WAM’s limitations. It’s extremely difficult if not downright impossible to move your applications to a private or public cloud. Protecting APIs and mobile apps is also a challenge. Add in excessive costs to upgrade and scale and little support for open standards, and you’re left with an unjustified total cost of ownership for a system that doesn’t meet your needs in today’s environment.


But you’re also aware that you’ll need to overcome a number of hurdles in order to modernize:


  • Sheer volume of applications. In many cases, hundreds of applications have been added to your legacy WAM solution over the past two decades. This means hundreds if not thousands of policies need to be migrated from your legacy WAM system to PingAccess.
  • Implementing modern access security. Likely, each app owner has decided on the authentication and authorization flows that make most sense for their app, based on the capabilities and limitations of the existing system. They will need to rethink how to best implement workflows in a modern system which offers increased flexibility and options for customization.
  • Helpdesk documentation. Your helpdesk is trained to troubleshoot applications based on documentation written specifically for how the legacy WAM solution works in your environment, so a shift from WAM requires new application- and integration-specific documentation.
  • Additional hurdles. Your people, processes and technology are aligned to your legacy investments, so you will need to unwind years of legacy IAM.


Sound like a big challenge? Fortunately, you can overcome these concerns and improve productivity and engagement without disrupting core processes. By following some best practices and using tools such as PAPM, you further your enterprise’s mobile, cloud or API initiatives as you modernize your IAM infrastructure.


Best Practices for Avoiding Migration Pitfalls

During each phase of your migration, you can lower the risk of running into snags as you facilitate the transfer of applications without disrupting end users.


Phase 1: Planning:

Begin by surveying your deployment so that you understand the different WAM pieces in play. Ask yourself:


  • Does the system have agents installed on web servers that sit adjacent to each application, or is some other configuration in place?
  • What does the inventory of applications look like, and what realms, rules and rule groups will be migrated?
  • What policies exist and what are the protected resources, rules and access control lists, and authentication requirements used to protect resources?
  • Does it make sense to migrate authentication at the beginning of the migration process, or does it make more sense to do so at the end?
  • How do sessions integrate, and will end users be unnecessarily prompted to authenticate?


Armed with this knowledge, you are then ready to move on to the next step.


Phase 2: Initial Deployment and Integration

Initial deployment starts with the installation and configuration of PingAccess so that you can integrate it with your existing WAM system. Depending upon the legacy system, you may have multiple options for how this integration should best proceed, and we recommend you take a look at the appropriate migration guide:



In addition, you will want to make sure PingAccess is integrated into any existing monitoring, auditing and reporting tools available in the enterprise.


Phase 3: Application Migration

Best practices dictate that you kick off the actual migration with a simple, low-risk app to test the process and reduce future risk. Typically, you will want to migrate legacy access management objects and access control policies required to protect the application, and then integrate PingAccess with the application.


After ensuring that the required integrations are complete and that PingAccess can provide the necessary identity information to the application, you will create the PingAccess rules that enforce access in the same way that your WAM system enforces access. Finally, select the architecturally appropriate deployment option for your particular set up.

Once you have migrated your basic applications, we recommend you migrate low-complexity, low-risk apps before moving on to remaining medium- or high-complexity applications, followed by the migrations of customizations and complex authentication schemes.


Phase 4: Final Migration

Ping’s final recommendations include removing any remaining WAM dependencies. By shifting access responsibilities to PingAccess, your enterprise will benefit from lighter integrations and next-gen access management features.


PingAccess Policy Migration

Completing the migration phases outlined above is greatly enhanced when you have the right tools. To aid in the third phase, application migration, we have just released the PingAccess Policy Migration tool, which eliminates the need to manually migrate hundreds of policies from your legacy WAM system to PingAccess.


Consider a typical migration from a product like CA SiteMinder (CA SSO). Without an automated policy migration toolset, you would need to log onto each console and click through many pages to view all the rules, policies and mappings which make up a single application, only to discover that these components are highly specific to your legacy system and that its constructs are different from those of PingAccess.


Modernizing from a legacy WAM system to PingAccess provides many benefits, and PingAccess Policy Migration can help you take the risks out of the migration process. Read the solution brief to learn more about PingAccess Policy Migration.