3 Ways Ping Makes it Easy to Migrate Off a Legacy WAM System

February 14, 2019
Saira Guthrie
Product Marketing Manager

Legacy WAM Systems Delay Digital Transformation Efforts
As your enterprise digitally transforms, adding modern applications, APIs and deployment models that stretch far beyond the firewall, the clock is ticking for your legacy WAM system. It was built for on-premises users accessing on-premises applications, not for authorizing access to modern resources like mobile apps, Single Page Apps (SPAs), cloud-based SaaS apps, APIs, and whatever is coming next. The cost to upgrade and maintain the managed chaos of proprietary connections to legacy applications is going up each year as outdated system expertise becomes more scarce and vendors raise end-of-life support fees over time. And ultimately, when your system isn’t built on open standards, coding and maintaining custom, proprietary integrations is an increasing burden on your team, and is not sustainable over time.


Even if you’ve come to the realization that your current system isn’t sustainable, however, updating your identity infrastructure isn’t simple. It requires the expertise, tools and processes to modernize your infrastructure while avoiding disruption. You’ll need the right path forward, one that provides the long-term agility and security that your enterprise requires.


Should You Modernize Your Legacy WAM Solution?
But before looking at the optimal ways to ease your migration challenges, first let’s consider whether it really is time to modernize your legacy WAM solution.

For many identity and access management (IAM) and IT professionals, as well as enterprise architects, the challenges posed by your legacy WAM solution are well known. Assuming you’ve hit the point where these major challenges have driven you to the point of action, how do you decide if modernization is right for your enterprise?


  • Wouldn’t it be easier to just start from scratch in a new system and sweep all those old access policies under the rug?
  • Would application owners really pitch a fit if you changed your access management vendor or told them to rethink and rebuild their access policies?
  • Are you hiding from the legacy skeletons in your closet and worried about addressing the complexity of migrating policies and applications?
  • What options make the most sense for your organization and sanity?

Do you have a lot of legacy systems and apps?


  • YES: Most enterprises have been around a while and have grown through mergers and acquisitions. They have consolidated technologies and amassed a lot of on-premises, legacy system baggage and technical debt over the years. The struggle of managing 100+ legacy, on-premises apps using an outdated legacy IAM solution with a high maintenance cost takes its toll as time wears on.
  • NO: Newer enterprises established after the proliferation of SaaS and cloud-based infrastructure may not have much legacy baggage. It would be a surprise if you even have a legacy WAM system in place. You’re probably safe to push the easy button for now, but if your organization expands to acquire another business that does have legacy systems, good luck integrating those systems and managing access across cloud and on-premises environments.

Do your legacy apps/systems and authorization policies matter, at least for the time being?


  • YES: Most enterprises, even if they plan to deprecate legacy systems eventually, rely on critical legacy and mainframe applications that remain on premises. The authorization policies in your legacy IAM system that govern who gets access to sensitive legacy resources still matter to the business, and cannot be ripped out and put back on the application owners.
  • NO: If your organization is 100% ready to pull the plug on your legacy WAM system, and you are happy to revert to blunt yes/no access control through a network traffic manager/reverse proxy (e.g., F5, ICSynergy, Akamai, Citrix NetScaler), then go ahead and push the “easy button”…with extreme caution, and be prepared for an extreme amount of custom workarounds for each legacy application connection. PingAccess could have handled those integrations out of the box, and you won’t get the added modernization benefit of standards-based access security capabilities that maintain your enterprise’s agility and ease of reconfiguring and re-architecting as you grow.

Are you looking to re-architect legacy systems for modern infrastructure and access?

  • YES: You’ll need a modern access management solution like PingAccess that can handle the hybrid demands of both your legacy baggage and your modern resources, no matter where they are deployed (on-prem, public cloud, private cloud, etc.) and no matter where you want to deploy PingAccess itself (on-prem or in the cloud). A key requirement of modern access management for enterprises is complete deployment freedom and flexibility; this will keep your architecture agile in the future.
  • NO: For some organizations, coexistence might be easier than migration. Keeping an expensive, fragile legacy WAM system to continue governing existing legacy systems while a modern access management solution is put in place to handle modern use cases is easier than tackling the complexity of fully modernizing your infrastructure. The downside is that your legacy system will still require subscription fees and support, which continue to increase over time.

BEWARE: Don’t Be Fooled by the Easy Button
If you’re picturing yourself trapped in a maze, looking for a way to escape, the easy out is just to ignore the complexity of your existing legacy IAM system (assuming that legacy apps will be deprecated soon). If you’re considering moving to an IDaaS solution that manages only your cloud-based resources, think again. Some organizations will opt for this route at their own peril, only to circle back and realize that there are other benefits to choosing a solution that is powerful enough to handle both legacy and modern use cases in a centralized way. Modernizing access management is the right decision for the long-term agility and security of your enterprise. You don’t need to sweep your legacy applications and complex authorization policies under the rug because you’re afraid of dealing with them.

PingAccess: Modern Access Management
You’ve probably heard all about modern access management tools like PingAccess by now. PingAccess can be deployed on premises or in the cloud and can use reverse proxy, gateway and/or agent architecture to protect any resource, no matter where it is deployed, giving enterprises ultimate flexibility in deployment options. It can improve employee and partner productivity by enabling faster rollouts of new apps and services. And as an administrator, you’ll enjoy simplified management with the ability to control a wide range of contextual policies from a central admin interface. If you're coming off of a proprietary legacy system, you'll appreciate even more that PingAccess is built on open standards so that you don’t face vendor lock-in in the future. In fact, all of our capabilities across the Ping Intelligent Identity Platform integrate with one another using open standards (e.g., SAML, OAuth 2.0, OpenID, etc.), which means you won’t be locked in with a vendor against your will and your enterprise can stay agile in the future.

Migration and Modernization Challenges
As an identity and access management professional, you probably wish you could magically modernize your legacy WAM system, but in reality you’re concerned with getting various stakeholder groups across your enterprise (e.g., application developers, database administrators, help desk administrators, technical writers, systems integrators, IT operations, etc.) to change their processes and tools that have been built around a legacy WAM system. Not to mention the technological complexity of migrating hundreds of applications and access policies; you’re probably migrating 10-15 years of business decisions about which users can access what resources, and you’re hoping to do it without disruption. It’s a daunting challenge, but luckily Ping Identity has the answer.

3 Ways Ping Makes it Easy to Modernize
At Ping Identity, we’ve seen it all. Having worked with the largest, most complex global enterprises, we know that “rip and replace” is never an option when you’re dealing with a delicate web of proprietary connections between your legacy WAM system and your enterprise’s critical applications, and changing even one thing could upset a fragile IT ecosystem.

Three proven ways to ease your migration challenges are:

  1. using policy migration tools,
  2. leveraging Ping’s Professional Services teams to help plan and guide the way, and
  3. taking advantage of Ping’s world-class partner ecosystem.

1. Policy Migration Tools
Ping’s technology solutions and tools include token translators and policy migration tools to enable coexistence and avoid downtime disruption. If you are currently using common, outdated WAM systems like CA Single Sign-On or Oracle Access Manager, PingAccess Policy Migration (PAPM) is a software tool that consumes a policy export from those systems and helps automate the tedious, error-prone manual process of translating existing legacy access policies into modern PingAccess policies.

Migration Steps with PingAccess Policy Migration
Here are the basic steps to migrating off of a legacy system using PAPM:

  1. Before initiating PAPM, set up PingFederate (PF) and PingAccess (PA) environments and create standard, modern application configurations. You’ll use these as the basis for policy groups.
  2. Use PAPM to consume a policy export file from your legacy WAM system and convert it into PingAccess JSON objects.
  3. Establish a read/write connection to the PF & PA environment settings via the admin API.
  4. Look to your standard PF & PA application configurations to create a set of policy groups to which you will map legacy policies.
  5. Onboard each application, selecting the appropriate policy group for the authentication requirements of that resource.

Useful Beyond Migration
Once you’ve gotten through the process of migrating/translating your policies, PAPM also enables you to test the outcome of a policy before it is live by allowing you to impersonate different logins, test authentication and OIDC flows to applications prior to agent and app configuration, and conduct load testing to measure a policy’s response performance.

Another important capability allows you to automate the promotion of a policy between environments you define (e.g., dev, test, prod), with a side-by-side view of different policy exports so you can easily see what has changed between versions.

And last but not least, even after you’ve successfully coexisted with your legacy system through a seamless migration and you’re ready to sunset it, you can continue making use of PAPM’s monitoring capabilities. This lets you view real-time environment health status indicators for PingFed and PingAccess servers, alerts administrators to issues, and displays indicators for historical/live response times, CPU utilization load, open proxy connections comparisons, available memory usage, sync status, etc.

2. Professional Services
For most of the solutions in Ping’s Intelligent Identity Platform, deciding to buy is one of the very first milestones of a journey to modern access management. Often, our products are not being implemented in greenfield use cases. Instead, the reality for many of our product implementations is that Ping’s capabilities will be coexisting with or migrated off of another legacy IAM system. Some organizations choose to manage their own migration approach with an internal project team if they have the resources and expertise in-house. Many other organizations choose the approach of bringing in outside experts, and their first stop is often Ping’s own Professional Services team or one of our experienced partners.
Specifically for enterprises looking for a head start to get a high-speed MVP instance of PingAccess in place, the Professional Services team offers a PingAccess Implementation Accelerator. This is a comprehensive service to deploy a scalable and performant PingAccess with a limited number of environments and applications over a structured amount of time. Once the initial deployment is complete, additional bespoke services can be defined as needed to help with the ongoing work to fully migrate from the existing platform.

PingAccess Implementation Accelerator - Delivery Approach

In addition to this out-of-the-box, outcome-based professional services package, other organizations that are more proficient and prefer to “drive” have benefitted from modular Advisory Engagements, where our professional services team is engaged to do just one piece, such as architecture and design, or for regularly scheduled Q&A sessions throughout the implementation cycle.

3. World-class Partner Ecosystem
Working with our partners, we’ve successfully enabled dozens of complex enterprises to modernize from a legacy WAM system. For enterprises looking for a flight plan to “de-risk” the transition, one solid option is to enlist expert help. Just one example: KPMG has outlined a proven approach to delivering PingAccess enterprise implementation projects, automating the process and successfully migrating, testing and promoting hundreds of applications into production. And their expertise and approach are proven, even for the most complex enterprises: Jeff Richardson, SVP of IAM for Bank of America, chose to migrate to Ping Identity’s solution working with KPMG to implement PingAccess.

The Ping Global Partner Network is more robust than you might expect, given the high amount of capabilities and services overlap within identity and access management. Our philosophy is that today’s winning businesses don’t go it alone—playing nicely with other leading companies in both technology and services is part of our DNA with open standards, and this carries over into how we really see partners as the key to serving enterprise customers the best way possible.

Beyond helping you plan, implement and optimize your PingAccess implementation, our professional services team is also a direct line to our extensive partner ecosystem. When your needs exceed the capabilities of our products, our partners are there to make sure no challenge is left unaddressed. Using our partner directory, you’ll likely find implementation and delivery partners who specialize in migrating off of your specific legacy system or integrating with other key technologies you have in place.


Accelerate Your Digital Transformation
You know firsthand that legacy identity systems can drag down your enterprise by sapping productivity, increasing management complexity and exhausting your budget. Modernizing your legacy WAM system takes some effort, but the opportunities are well worth the cost. And when you work with a partner like Ping Identity, you accelerate your enterprise’s digital transformation. To learn more about how Ping can help you with a modern identity solution, please visit our WAM modernization page for details.