Identity, Cloud and the End of Legacy Web Access Management. What Comes Now?

September 12, 2019
Ramnath Krishnamurthi
Founder, LikeMinds Consulting Inc

Legacy identity and access management (IAM) vendors such as Oracle, CA Technologies and IBM have been at the forefront of enterprise technology innovation for decades, with market-leading offerings such as databases and access management products. But as organizations move to the cloud and away from legacy products like web access management (WAM) systems, some of these vendors simply haven’t kept up—especially in the identity space. Older identity products are nearing end-of-life, while others just aren’t built for hybrid deployment across on-premises and cloud-based resources. The whole notion of identity’s future within their identity and access management product portfolio is in flux.


As a result, enterprises are rethinking how they can best update their IAM approach to coexist with or migrate away from legacy IAM technologies. In this article, I take a look at what businesses are doing to transition to modern identity, and some of the tools and technologies they are using in their digital transformation journey.


A Brief Identity Overview: 3 Major Trends

In my 20+ years as an employee of IDM product vendors and as a consultant working with major legacy IAM products, with a focus on Web Access Management (WAM), I’ve seen three major trends that have landed us where we are today. 


One is vendor lock-in. For example, one particular major vendor—which I won’t call out by name—started off as a fantastic database company, and as they acquired a multitude of companies and products, it naturally became ingrained within their mindset that these acquisitions should work with their database. But if you were looking to buy, say, a federated identity product from them, you were also locked into paying for their database license fees.


Two is skyrocketing total cost of ownership. Continuing with the previous vendor example, as a customer, you now not only have their federation product, but you also need to train your employees on other products, such as their database, their application servers, etc. Your total cost of ownership starts to climb rapidly with these proprietary co-dependencies.


And three is a short-sighted cloud strategy. This same WAM-vendor-that-must-not-be-named, despite saying they support open standards, has a cloud offering that is still proprietary: a hybrid model that isn’t true IDaaS but is just software deployed in the cloud. (For those familiar with Ping products, it’s like running PingFederate, PingAccess or PingDirectory on AWS—a valid option, but not true “IDaaS” like PingOne.) Customers of legacy WAM vendors like this one are losing the race for the cloud, and now organizations are looking elsewhere for solutions.


Replacing Legacy WAM

Several major legacy WAM systems are effectively end-of-life by now. Support and license fees for older on-premises WAM products have increased, in an attempt to entice adoption of new cloud platforms. Customers who still use on-premises WAM solutions are now paying significantly more for support, and most enterprise software vendors aren't providing a sufficient migration path to move from a legacy on-premises WAM solution to a cloud solution.


Stick with a legacy WAM, however, and you run the risk of increased burdens on in-house staff, higher support fees, limited architecture options and delays on new applications and business initiatives. It’s quite likely you will find yourself in a situation where, if you stay with the legacy WAM products, you may eventually be forced to migrate to your vendor’s proprietary cloud solution, struggling with the day-to-day operations of keeping your products up and running. Most ERP vendors’ newer IDaaS solutions are still immature and can’t handle all of an organization’s existing identity use cases.


What do businesses need to do to get ready?

Given this environment, you run huge risks by sticking with the status quo. Consider your business cases, and then look for more robust identity solutions based on open standards that will work with SaaS products, with a lower total cost of ownership that will lead to a higher return on investment.


Ping Identity is a standards-based vendor with a flexible, hybrid platform that integrates both software and IDaaS capabilities, so you escape vendor lock-in. Ping addresses all of today’s modern and legacy enterprise-wide use cases and equips your IAM infrastructure with agility for future use cases through a strong adherence to open standards.


But what if you want to keep business critical ERP software that relies on legacy WAM?

As I already mentioned, some vendors make their business software portfolio dependent on the vendor’s IAM stack, particularly for single sign-on (SSO), access management, and directory. I’ve seen this challenge over and over, and have built and architected proven ways to break enterprises free from this type of vendor dependency.


As an example, we at LikeMinds Consulting have been in partnership with Ping Identity since 2014, helping businesses achieve SSO to Oracle E-Business Suite without relying on Oracle Access Manager. It started with one of our global retail customers, where we leveraged PingFederate for web SSO with Oracle E-Business Suite. Since then, we’ve worked with many other companies to deliver a better user experience without the necessity of paying exorbitant licensing fees.


And now, LikeMinds has just released an updated EBS Integration Kit, which provides a simple deployment path for enterprises using Ping Identity to enable single sign-on to Oracle E-Business Suite.


The EBS Integration Kit

For years, the LikeMinds and Ping SSO integration solution for EBS consisted of EBS AccessGate, Oracle Internet Directory and the Apache Integration Kit. But we’ve recently introduced an improved integration.


The improved EBS Integration Kit eliminates the dependency on any additional components from Oracle (namely, Oracle’s EBS AccessGate and Oracle Internet Directory products) to get to EBS, helping stretch Ping’s SSO capabilities even further.


The kit takes the complexity of the Oracle components out of the equation and offers a simpler way to attain SSO to EBS because it is:


  • Built on open standards. The kit supports SAML and OIDC for the security and scalability of your business-critical Oracle EBS environments.
  • Easy to deploy and run. The kit follows the Ping software-development footprint, taking roughly 30 minutes to deploy and just two days to go live from development to production.
  • Cost-efficient. The kit reduces cost and complexity with a simple licensing model.
  • Flexible to integrate. The EBS Integration Kit can work on-premises or in the cloud. The kit provides two integration workflow options: header variable-based SSO, which can leverage PingAccess, or OpenID Connect (OIDC) token-based SSO.


In addition, this kit’s capabilities extend beyond Oracle EBS; it is transforming into a broader Oracle SSO integration tool. We are excited about the potential it has for additional business use cases and opportunities.


Register for a Webinar to Learn More

Now’s the time for your organization to take a close look at how best to modernize your identity infrastructure. My company, LikeMinds Consulting, will be presenting in an upcoming webinar with Ping Identity on November 5, 2019. Join us as we discuss how to architect the impossible: “Modernize Oracle Access Manager While Maintaining SSO to Oracle EBS.”


Register today! Even if you can’t attend the live event, we’ll send all registrants a recording of the webinar. To learn more about how Ping Identity can help you migrate off of legacy web access management, please visit “Modernizing Oracle IAM.”


LikeMinds Consulting will be at IDENTIFY New York on October 22. Join us!