Modernizing Legacy SSO with Microsoft Entra, Protect On-Prem Apps Without Rewriting Code
Source: Dev.to
The Problem
- Legacy platforms (SiteMinder, PingFederate, etc.) are costly to license and support.
- Applications are often hosted on Oracle WebLogic, Tomcat, Apache, JBoss, etc.
- They use HTTP‑header‑based authentication rather than modern protocols (OAuth2, OpenID Connect, SAML).
- Re‑architecting these apps into micro‑services is complex, time‑consuming, and risky.
Key pain points
- High licensing costs for legacy IAM platforms.
- Time‑consuming application rewrites.
A Better Approach
Modernize the identity control plane while preserving the existing authentication contract.
Microsoft Entra Application Proxy with header‑based SSO lets you:
- Migrate authentication to Entra without changing the application code.
- Gradually retire legacy access‑management platforms and avoid expensive renewal cycles.
How It Works
| Step | Description |
|---|---|
| 1. User authentication | Users sign in with Microsoft Entra ID. |
| 2. Claims issuance | Entra issues identity claims (e.g., upn, groups). |
| 3. Header conversion | Application Proxy maps those claims to HTTP headers. |
| 4. Forwarding | Headers are injected and forwarded to the on‑premises app. |
| 5. Legacy app consumption | The app reads the same headers it always expected (e.g., SM_USER=john.doe, SM_ROLE=Admin). |
From the application’s perspective nothing changes.
Typical Integration Steps
- Publish the on‑premises app via Microsoft Entra Application Proxy.
- Enable pre‑authentication with Entra ID.
- Configure header‑based SSO and map identity claims to the required headers.
Note: The exact integration details may vary by platform (WebLogic, Tomcat, JBoss, etc.).
Example Platforms
- WebLogic applications
- Tomcat or JBoss applications
Optional: Header Translation Layer
Some apps expect very specific legacy headers (e.g., SM_USER, SM_ROLE).
You can add a lightweight Servlet Filter that translates modern Entra headers into those legacy names.
```java
// Example WebLogic filter (simplified; init/destroy have default bodies in Servlet 4.0+)
package com.example;
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class EntraHeaderFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Translate Entra headers to SiteMinder-compatible ones
        String user = request.getHeader("X-ENTRA-USER");
        if (user != null) {
            HeaderMapRequestWrapper wrapped = new HeaderMapRequestWrapper(request);
            wrapped.addHeader("SM_USER", user);
            request = wrapped;
        }
        // Add other translations as needed...
        chain.doFilter(request, response);
    }
    // Wrapper that overlays the translated headers on the original request
    static class HeaderMapRequestWrapper extends HttpServletRequestWrapper {
        private final Map<String, String> extra = new HashMap<>();
        HeaderMapRequestWrapper(HttpServletRequest request) { super(request); }
        void addHeader(String name, String value) { extra.put(name.toLowerCase(), value); }
        @Override public String getHeader(String name) {
            String v = extra.get(name.toLowerCase());
            return v != null ? v : super.getHeader(name);
        }
    }
}
```
Register the filter in web.xml:
```xml
<filter>
  <filter-name>EntraHeaderFilter</filter-name>
  <filter-class>com.example.EntraHeaderFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>EntraHeaderFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
Managing Group Membership
Legacy apps often rely on group membership, but identity tokens have size limits.
A practical pattern:
- Define a small set of role headers (e.g., Admin, Approver, Reviewer).
- Assign users/groups to these roles in Entra.
- Pass them as a single header: X-ENTRA-ROLES=Admin,Approver
Security Controls
Header‑based authentication must be tightly controlled:
- Only trusted infrastructure (the Application Proxy) should be allowed to inject authentication headers.
- Recommended controls:
- Restrict backend access to Application Proxy connector IPs.
- Block direct internet access to the application servers.
- Enforce Entra pre‑authentication.
- Enable Conditional Access and MFA.
When implemented correctly, this architecture can improve security posture compared to legacy gateways.
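The following filter, added here as an example and not code from the original post, combines the two preceding sections: it expands the compact X-ENTRA-ROLES header into the legacy SM_ROLE header and, as defence in depth behind the network ACL, refuses to honour identity headers unless the request came from a connector address. The header names, the role set and the init-param name "trustedConnectorIps" are assumptions; register it in web.xml like the filter above, adding an init-param with the connector IPs.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example, not from the original post. Assumed: header names X-ENTRA-USER / X-ENTRA-ROLES,
// legacy names SM_USER / SM_ROLE, the role set, and an init-param "trustedConnectorIps".
public class TrustedHeaderRoleFilter implements Filter {
    private static final Set<String> KNOWN_ROLES = Set.of("Admin", "Approver", "Reviewer");
    private Set<String> trustedIps = new HashSet<>();
    @Override
    public void init(FilterConfig cfg) {
        String ips = cfg.getInitParameter("trustedConnectorIps"); // e.g. "10.0.1.10,10.0.1.11"
        if (ips != null) trustedIps = new HashSet<>(Arrays.asList(ips.trim().split("\\s*,\\s*")));
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // A peer that is not a connector could spoof identity headers, so fail closed.
        // (Behind a load balancer, compare its forwarded-for address to the connector list instead.)
        if (!trustedIps.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Map<String, String> legacy = new HashMap<>();
        String user = request.getHeader("X-ENTRA-USER");
        if (user != null) legacy.put("SM_USER", user);
        String roles = request.getHeader("X-ENTRA-ROLES");
        if (roles != null) {
            // Expand the compact role list, keeping only roles the application defines.
            List<String> accepted = new ArrayList<>();
            for (String r : roles.split(",")) {
                String t = r.trim();
                if (KNOWN_ROLES.contains(t) && !accepted.contains(t)) accepted.add(t);
            }
            if (!accepted.isEmpty()) legacy.put("SM_ROLE", String.join(",", accepted));
        }
        // Legacy names resolve only to filter-derived values, never to raw inbound headers.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public String getHeader(String n) {
                String key = n.toUpperCase(Locale.ROOT);
                return key.equals("SM_USER") || key.equals("SM_ROLE") ? legacy.get(key) : super.getHeader(n);
            }
        }, response);
    }
}
```

Applications that read roles through getHeaders or getHeaderNames need the same overrides on the wrapper; only getHeader is shown here.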
Benefits
| Benefit | Description |
|---|---|
| Cost reduction | Eliminate expensive legacy IAM licenses. |
| Zero code changes | No need to rewrite application logic. |
| Centralized identity | Leverage Microsoft Entra for SSO, MFA, Conditional Access. |
| Simplified infrastructure | Reduce the number of access‑gateway components. |
| Enhanced security | Modern authentication, conditional policies, and reduced attack surface. |
| Fast modernization | Move hundreds of legacy apps to a modern identity ecosystem with minimal risk. |
Closing Thought
Many organizations assume that modernizing identity requires a full rewrite of legacy applications. The fastest, lowest‑risk path is to preserve the existing identity contract while modernizing the authentication layer. By combining Microsoft Entra Application Proxy, header‑based SSO, and optional compatibility filters, enterprises can transition legacy workloads into a modern identity framework without major redevelopment.
If you’re responsible for modernizing enterprise identity architecture, this approach can save years of engineering effort and substantial licensing costs.
Reducing IAM Platform Costs
Saved millions in IAM platform costs.
Upcoming Follow‑Up Article
In the next article, I will walk through the detailed configuration steps for implementing this architecture in enterprise Java environments, covering:
- Configuring WebLogic as a SAML Service Provider with Microsoft Entra
- Implementing servlet‑based request interception for Tomcat and JBoss applications
- Mapping Entra identity claims to legacy header contracts