Managing Access to Legacy Web Applications with Okta
Authentication (AuthN) versus Authorization (AuthZ)
Authentication refers to the binding of a user to an account using some secure credential, like a password. Authorization refers to the enforcement of access control within the app, and there are two types, coarse-grained and fine-grained. Authentication restrictions, such as allowing authentication to the application only for certain groups, are a common way to implement coarse-grained authorization. Fine-grained authorization protects individual elements (e.g., pages, zones, or even individual DOM elements) within the application itself based on the authenticated user’s attributes or roles.
Legacy WAM tools can provide very fine-grained authorization. They usually do so in proprietary ways, which makes it costly to replace a WAM solution in scenarios where fine-grained authorization is a requirement, unless you also replace the app itself. So Okta’s recommendation here is to figure that additional complexity into your cost analysis when determining if full WAM replacement is right for your organization right now.
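The distinction above, worked through in code as an added example (this is not Okta's code or any WAM product's policy format). It assumes the identity provider has already authenticated the user and the app has parsed the assertion's attributes into a dict; the attribute names (groups, amr) and the route and element identifiers are constructed for the example. The coarse-grained gate decides whether the user may sign in to the app at all, based on group membership; the fine-grained layer then decides, per route and per DOM element, what that signed-in user may reach or see, denying anything not explicitly listed.

```python
"""Coarse- vs fine-grained authorization over attributes from an identity provider.

Added example, not Okta's code. Assumes the IdP already authenticated the user
and the app received an assertion whose attributes were parsed into a dict.
Attribute names and all group/route/element identifiers are constructed.
"""
from dataclasses import dataclass

# --- Coarse-grained: which users may authenticate to this app at all --------
APP_ALLOWED_GROUPS = {"finance-users", "finance-admins"}  # constructed

# --- Fine-grained: which pages a signed-in user may reach -------------------
# Each route lists the roles (here: IdP groups) permitted to reach it, plus
# optional attribute requirements checked against the principal.
ROUTE_POLICY = {
    "/reports": {"roles": {"finance-users", "finance-admins"}},
    "/reports/export": {"roles": {"finance-admins"}},
    "/admin/users": {"roles": {"finance-admins"}, "require": {"mfa": True}},
}

# Element-level policy: DOM element ids rendered only for the listed roles.
ELEMENT_POLICY = {
    "btn-delete-report": {"finance-admins"},
    "btn-view-report": {"finance-users", "finance-admins"},
}


@dataclass(frozen=True)
class Principal:
    """The app's view of the authenticated user, derived from the assertion."""
    subject: str
    groups: frozenset
    mfa: bool


def principal_from_assertion(attrs: dict) -> Principal:
    """Map constructed IdP attributes (sub, groups, amr) into a Principal."""
    amr = attrs.get("amr") or []
    return Principal(
        subject=attrs["sub"],
        groups=frozenset(attrs.get("groups", [])),
        mfa="mfa" in amr,
    )


def coarse_grained_allow(p: Principal) -> bool:
    """Coarse-grained: allow sign-in only if the user is in an assigned group."""
    return bool(p.groups & APP_ALLOWED_GROUPS)


def route_allowed(p: Principal, route: str) -> bool:
    """Fine-grained route check; routes absent from the policy are denied."""
    policy = ROUTE_POLICY.get(route)
    if policy is None:
        return False
    if not (p.groups & policy["roles"]):
        return False
    for attr, expected in policy.get("require", {}).items():
        if getattr(p, attr, None) != expected:
            return False
    return True


def visible_elements(p: Principal) -> set:
    """Fine-grained element check: which protected DOM elements to render."""
    return {eid for eid, roles in ELEMENT_POLICY.items() if p.groups & roles}


def authorize_request(attrs: dict, route: str):
    """Full chain: assertion -> principal -> coarse gate -> route decision.

    Returns (decision, elements) where decision is one of
    'denied-at-login', 'forbidden' or 'ok'.
    """
    p = principal_from_assertion(attrs)
    if not coarse_grained_allow(p):
        return "denied-at-login", set()
    if not route_allowed(p, route):
        return "forbidden", visible_elements(p)
    return "ok", visible_elements(p)


if __name__ == "__main__":
    # Constructed sample assertions for three users.
    analyst = {"sub": "alice", "groups": ["finance-users"], "amr": ["pwd"]}
    admin = {"sub": "bob", "groups": ["finance-admins"], "amr": ["pwd", "mfa"]}
    outsider = {"sub": "carol", "groups": ["hr-users"], "amr": ["pwd"]}
    for user, route in [(analyst, "/reports"), (analyst, "/reports/export"),
                        (admin, "/admin/users"), (outsider, "/reports")]:
        print(user["sub"], route, authorize_request(user, route))
```

The point the example makes is that the coarse gate alone (the "only these groups may authenticate" model) cannot distinguish the analyst from the admin once both are inside the app; the per-route and per-element policy is what a WAM replacement must reproduce when fine-grained authorization is a requirement.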
Decision Process—Step-by-Step
• Does the app already support a modern pattern? Determine whether the application supports SAML. Most enterprise-focused web applications have a built-in SAML capability, but the capability may need to be enabled, and sometimes an add-on needs to be purchased. Once the SAML capability is enabled on the application, use an Okta Application Network (OAN) pre-built SAML integration to connect the application rapidly. Okta has over 800 SAML application integrations, but if for some reason an integration is not available, create your own using a SAML 2.0 Template App in the OAN. (And make sure you let us know, so that we can add your app to the catalog.)
• Can you modernize it? This applies mostly to custom web applications. If you are able to modify the application, it’s straightforward to add SAML or OIDC support to an existing web application. The implementation varies based on platform and development language, so the Okta Developer site offers plenty of guidance across the most popular platforms. Modernizing applications takes some time and effort, but it’s worth it. This approach is low-cost to maintain, easy to integrate into Okta, simple to administrate, requires no extra hardware, and it’s standards-based, which reduces lock-in.
• Do you have a WAM deployed now? You may already be using a WAM solution like CA Siteminder or Oracle Access Manager to protect applications that don’t support modern standards. As we established above, though, not all WAM models are alike, and it matters whether you’ve deployed an agent-based model or a proxy-based model.