SSO for Legacy Applications

Add Modern SSO to Legacy Enterprise Apps — Without Code Changes

PumaGate's identity-aware reverse proxy adds SAML 2.0 and OIDC Single Sign-On to Oracle EBS, SAP ECC, PeopleSoft, Siebel CRM, HCL Domino, and SharePoint on-premise. No middleware. No vendor lock-in. Deploy in hours.

Start Free Trial
6+
Legacy Apps Supported
0
Lines of Code Changed
90%
Fewer Password Tickets
<4h
Average Deployment
The Challenge

Why Legacy App Authentication Is Broken

Enterprise applications built in the 2000s were never designed for modern identity infrastructure. The result: credential sprawl, security gaps, and a terrible user experience.

Credential Sprawl

Each legacy app has its own user store and password policy. Employees juggle 5-10 different passwords, leading to weak passwords, reuse, and sticky notes on monitors.

No Federation Support

Legacy apps don't support SAML 2.0 or OIDC natively. Direct IdP integration is impossible without expensive middleware like Oracle Access Manager or ADFS.

Orphan Account Risk

When employees leave, their accounts in legacy apps often persist for weeks or months. There's no automatic link between your IdP and legacy app user stores.

Password Reset Burden

Legacy app password resets require specialized admin access (SU01, Security Manager, etc.), making each reset more expensive than standard AD resets.

Audit Trail Gaps

Each legacy app logs authentication events differently. Producing a unified access audit trail across all applications for compliance is a manual, error-prone nightmare.

Expensive Middleware

Traditional SSO solutions for legacy apps (OAM, ADFS, SiteMinder) require significant licensing costs, dedicated infrastructure, and specialized expertise to maintain.

The PumaGate Approach

How PumaGate Adds SSO to Any Legacy App

PumaGate deploys as an identity-aware reverse proxy in front of your legacy application. No code changes, no middleware licensing, no vendor lock-in.

1

Deploy the PumaGate Gateway

Install PumaGate as a lightweight container or VM in front of your legacy application's web server. PumaGate intercepts HTTP traffic and applies identity verification before any request reaches the app.

2

Connect Your Identity Provider

Configure your corporate IdP — Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider. PumaGate handles the full federation handshake.

3

Map User Identities

Define how IdP attributes (email, employee ID, groups) map to legacy app user accounts. PumaGate supports regex, LDAP lookups, and custom attribute transformations.

4

Session Injection

After IdP authentication, PumaGate injects a trusted session into the legacy app using header-based auth, cookie injection, or token-based pass-through. Users land on the app — no second login.

5

Enforce, Audit, Comply

Apply MFA policies, enable session recording, generate compliance reports, and get a unified audit trail across all legacy and modern applications.

Supported Applications

Legacy Enterprise Apps We SSO-Enable

Click any application to see the detailed SSO integration guide, architecture diagrams, and FAQ.

Oracle E-Business Suite

ERP

Eliminate password sprawl and enforce centralized identity for Oracle EBS with PumaGate's reverse-proxy SSO. No Oracle customization required.

SAML 2.0 & OIDC SSO for Oracle EBS R11, R12, and Cloud Header-based and cookie-based session injection Automatic FND_USER to IdP identity mapping
View SSO Guide

SAP ECC

ERP

Unify SAP ECC authentication with your corporate IdP. PumaGate adds SAML/OIDC SSO to SAP GUI and SAP Web interfaces without modifying the SAP stack.

SAML 2.0 & OIDC SSO for SAP ECC web interfaces SAP Logon Ticket (MYSAPSSO2) injection SAP Web Dispatcher and ICM integration
View SSO Guide

HCL Domino (Lotus Notes)

Collaboration

Add modern SAML/OIDC SSO to HCL Domino web applications without modifying NSF databases or Domino server configuration.

SAML 2.0 & OIDC SSO for all Domino web applications LtpaToken and Domino session cookie injection iNotes and Domino Web Access SSO
View SSO Guide

SharePoint Server (On-Premise)

Content Management

Replace ADFS complexity with PumaGate's modern SSO for SharePoint Server on-premise. Support Okta, Google Workspace, and any IdP — not just Active Directory.

SAML 2.0 & OIDC SSO for SharePoint on-premise Windows Authentication header injection Claims-based authentication support
View SSO Guide

PeopleSoft

HR / Finance

Add SAML/OIDC SSO to PeopleSoft without PeopleSoft PIA changes. Eliminate WebLogic SAML complexity and replace Oracle Access Manager.

SAML 2.0 & OIDC SSO for PeopleSoft PIA PS_TOKEN cookie injection for transparent SSO Classic UI and Fluid UI SSO support
View SSO Guide

Siebel CRM

CRM

Add modern SAML/OIDC SSO to Siebel CRM Open UI and legacy High Interactivity mode. No Siebel Tools changes, no Oracle Access Manager required.

SAML 2.0 & OIDC SSO for Siebel Open UI Legacy Siebel High Interactivity (HI) mode SSO Siebel Mobile and Siebel Mobile Disconnected SSO
View SSO Guide

IBM WebSphere

Application Server

Protect IBM WebSphere applications with SAML/OIDC SSO via PumaGate's reverse-proxy gateway. No WebSphere security domain or TAI modifications required.

SAML 2.0 & OIDC SSO for all WebSphere-hosted applications LTPA token (LtpaToken2) generation and injection IBM HTTP Server (IHS) and Liberty transport support
View SSO Guide

Oracle WebLogic

Application Server

Protect Oracle WebLogic applications with SAML/OIDC SSO using PumaGate's reverse-proxy gateway. No WebLogic security provider changes or application modifications required.

SAML 2.0 & OIDC SSO for all WebLogic-hosted applications HTTP header-based identity assertion Oracle HTTP Server (OHS) and built-in listener support
View SSO Guide

SAP NetWeaver Portal

Portal

Protect SAP NetWeaver Portal with SAML/OIDC SSO using PumaGate's reverse-proxy gateway. No SAP UME modifications or Java stack changes required.

SAML 2.0 & OIDC SSO for SAP NetWeaver Portal SAP Logon Ticket (MYSAPSSO2) injection iView and Web Dynpro SSO pass-through
View SSO Guide

JD Edwards EnterpriseOne

ERP

Protect JD Edwards EnterpriseOne with SAML/OIDC SSO using PumaGate's reverse-proxy gateway. No JDE server code modifications or CNC configuration required.

SAML 2.0 & OIDC SSO for JDE EnterpriseOne HTML Client JDE AIS Server authentication integration HTTP header-based identity injection
View SSO Guide

Microsoft Dynamics AX

ERP

Protect Microsoft Dynamics AX with SAML/OIDC SSO using PumaGate's reverse-proxy gateway. No AOS configuration changes or X++ modifications required.

SAML 2.0 & OIDC SSO for Dynamics AX Enterprise Portal Dynamics AX 2012 R3 web client SSO AIF web service endpoint protection
View SSO Guide

Sage X3

ERP

Protect Sage X3 with SAML/OIDC SSO using PumaGate's reverse-proxy gateway. No Sage X3 application server modifications or custom development required.

SAML 2.0 & OIDC SSO for Sage X3 web client Syracuse web server session integration HTTP header-based identity injection
View SSO Guide
Business Impact

Why Enterprises Choose PumaGate for Legacy SSO

PumaGate delivers measurable business value from day one — reducing costs, improving security, and eliminating compliance gaps across your entire legacy portfolio.

Replace Expensive Middleware

Eliminate Oracle Access Manager, ADFS, and CA SiteMinder licensing costs. PumaGate provides SSO for all your legacy apps at a fraction of the cost.

Deploy in Hours, Not Months

Traditional SSO middleware takes 3-6 months to deploy. PumaGate is production-ready in hours — a reverse proxy deployment, not a platform migration.

Zero Code Risk

PumaGate works at the HTTP layer — no modifications to legacy application code, databases, or middleware. Zero risk to decades of business logic.

Any IdP, Any App

Use Okta, Azure AD, Google Workspace, Ping Identity, OneLogin, or any SAML/OIDC provider. One PumaGate deployment covers all your legacy applications.

Unified Compliance

Every legacy app access event appears in one audit trail — with IdP context, MFA status, device info, and optional session recording.

Instant Deprovisioning

Disable a user in your IdP and access to all legacy apps stops immediately. No orphan accounts, no lingering sessions, no manual cleanup.

Comparison

PumaGate vs. Traditional SSO Middleware

See how PumaGate compares to legacy SSO solutions like Oracle Access Manager, ADFS, and CA SiteMinder.

Capability PumaGate Oracle Access Manager ADFS / WAP
Deployment Time Hours 3-6 months 2-4 weeks
Code Changes Required None WebGate agents Claims providers
Multi-IdP Support Any SAML/OIDC Oracle IdP preferred AD only
Session Recording Built-in Not available Not available
Additional Licensing All-inclusive Per-user licensing Included with Windows
Legacy App Coverage Any HTTP app Oracle apps only SharePoint, Exchange
MFA Enforcement Via any IdP MFA OAM adaptive Azure MFA
Unified Audit Trail All apps in one log Oracle apps only Microsoft apps only

We had Oracle EBS, SAP ECC, and PeopleSoft — all with separate passwords. Our help desk was drowning in password reset tickets. PumaGate unified authentication across all three in under a week, and password-related tickets dropped by 88% in the first month. The ROI was immediate.

Director of IT Infrastructure
Fortune 500 Manufacturing Company

We've Integrated SSO with Legacy Apps Before. Let Us Help.

Deploy PumaGate in hours — not months. No code changes required. No vendor lock-in. Start your 14-day free trial today.

Start Free Trial View Pricing