Benefits of Migrating from Web Access Management (WAM)

The proliferation of applications like Salesforce, Zoom, and Slack has enabled organizations to better serve their employees and customers while accelerating their cloud adoption. However, many companies adopting the cloud will still keep some of their mission-critical applications hosted on-premises, creating hybrid IT environments that require consistent security, identity, and access control.

cloud and on premise applications

*RightScale 2019 State of the Cloud Report

To address this challenge, many organizations rely on legacy Single Sign-On (SSO) solutions hosted on-premises – also known as Web Access Management (WAM), that are not built for cloud scale and to deliver unified access across the Hybrid IT. Enterprises can instead rely on the Okta Identity Cloud platform and Okta Access Gateway to support their Hybrid IT access.

Hidden cost of WAM

When evaluating the right identity management solution, organizations must assess the full costs to purchase, deploy and maintain the technology over its lifecycle, a calculation typically captured by total cost of ownership (TCO). For many on-premises identity management services, the TCO often goes beyond the upfront licensing costs. For example, licensing costs for legacy WAM solutions typically represents less than five percent of the TCO. Instead, recurring costs for legacy WAM place significant expenses and efforts on businesses, especially as continuous patching, upgrades, and innovation are required over time. These additional costs typically fall into four main categories:



Let’s dive deeper into each of the above cost categories for legacy WAM solutions.

Infrastructure requirements

Legacy WAM solutions require a wide array of complex hardware and servers, including databases and middleware services to support SSO, enforce policies, store credentials, and more. In addition, these deployments often require expensive subscriptions to third party software that needs to be installed, maintained and patched on a regular basis on top of the underlying hardware.

WAM hardware requirements vary based on the number of infrastructure environments (i.e. QA, production, etc.), types of on-premises web applications being protected, and the number of users accessing each web application. Typically, legacy WAM requires at least 15 servers. That number can quickly double or increase even more in organizations that demand robust features like development and test environments, global deployments and those that understand the importance of having an always-on, reliable service with high availability, load balancing, and disaster recovery.

Legacy WAM

In contrast, Okta Access Gateway requires a minimal infrastructure to protect on-premises web apps. Combined with Okta SSO for cloud apps, the need for multiple servers and multi-tier infrastructure is reduced by up to 90%.

Migrating from WAM

Administration and support

Another major cost category organizations often overlook are in administration and support. This category is broken into three cost areas:

Vendor support fees

On WAM solutions, vendor support fees are anywhere from 20% of the initial license cost and up. Additionally, these perpetual fees don’t change based on your actual usage. So even if on-premises web applications usage drops due to reasons including modernization efforts, the support fee is owed in perpetuity.

IT Operations

Operational costs on WAM solutions are associated with the number of full-time employees (FTEs) required to maintain the solution up and running securely. Organizations typically hire two to three full-time specialists or more depending on the deployment complexity and the variety of skills required for maintaining the WAM database, middleware, network, and supporting servers. Due to the WAM complexity, infrastructure specialists are in short supply and demand high compensation rates. For service operations, this often raises questions, “Should we employ and train our IT to maintain and patch proprietary WAM servers? Should we instead enable our high-paid resources in new skills, such as enabling access to the cloud, adopt modern standards, and supporting our Hybrid IT at scale?”

Helpdesk Support

Helpdesk operations are yet another significant cost area related to WAM maintenance. WAM solutions lack seamless self-service user interfaces and mobile access natively available in modern access management solutions. The increase in helpdesk tickets that result from poor user interfaces quickly add up, becoming increasingly costly for organizations.

Okta Access Gateway minimizes total helpdesk calls and users’ frustrations for password resets by granting quick and seamless access to business-critical applications.

password resets stats

Application integrations

WAM solutions don’t offer preconfigured integrations for the most of the applications they protect. As a result, enterprises must invest heavily in consulting services, developers, or IT specialists to manually integrate apps with their WAM infrastructure. As organizations continue to adopt more cloud apps—leveraging out of the box integrations is table stakes. Unfortunately, integrating WAM and cloud solutions is expensive and difficult due to the lack of preconfigured app catalogs and integration wizards.

WAM solutions

These WAM capability gaps can add days to weeks of integration efforts and costs, requiring organizations to engage with SaaS and SAML integration specialists. Due to the legacy and proprietary nature of WAM solutions, the integration costs and challenges are expanded to any modern resource: from SaaS, to mobile, to modern custom applications.

To avoid integration challenges, some enterprises invest in multiple access management providers to manage SSO for cloud, mobile SSO, and on-premises SSO, and Multi-Factor Authentication (MFA) creating identity siloes. This redundant approach increases operational costs and burdens, increases the threat surface, and frustrates users with inconsistent experiences.

Using Access Gateway with Okta SSO to consolidate access for all applications removes the identity silos, enhances operational efficiency, and creates a consistent experience for all end-users.

access on premises and cloud apps

Patches, upgrades, and outages

Legacy WAM solutions require continuous maintenance, testing, and patching for every single component across multiple servers and environments. These activities can take several weeks of planning and execution. Most organizations will carry four or more patches in a year, exhausting key resources. Patching also requires taking systems offline. In today’s always-on business environment, outages can cause massive work disruptions and revenue losses even if they are after hours or on weekends. To avoid such outages, organizations may delay or skip patches, an unwise but common misstep increasing their security risk.

WAM vendors recommend system-wide upgrades every two to three years. These upgrades are extremely costly and can take several months to over a year to fully deploy. They also often need consultants or professional services, adding to in-house developer and IT admin efforts for internal implementation and testing. Consequently, these upgrades can easily add up to a multiple of the initial WAM license and implementation costs on a recurring basis, comprising over 30% of the TCO for WAM.

WAM upgrades

Benefits of Okta Access Gateway and Okta SSO

Modernizing from legacy WAM to Okta Access Gateway and Okta SSO delivers:

Benefits of Okta Access Gateway and Okta SSO

Significantly Lower TCO

The overall cost for Okta is dramatically lower than WAM for a variety of reasons. Its reduction in infrastructure footprint and complexity reduce hardware and maintenance costs. Okta’s centralized console reduces IT administration friction, boosts efficiencies, and simplifies user access management and SSO policies for all enterprise cloud applications, on-premises web applications, and mobile apps. Unlike the complex and multiple layers of hidden costs with WAM solutions, Okta licensing costs are transparent and predictable with no perpetual hidden costs, making budgeting easier for organizations.

Okta further reduces costs while accelerating application rollouts with over 6,000 pre-configured integrations. This includes native integrations for the most popular cloud apps – from Office 365, to Salesforce, to Slack, to Amazon Web Services – as well as complex on-premises web applications, such as Oracle eBusiness Suite, Peoplesoft, JD Edwards, SharePoint, and Qlik. Okta also provides integration wizards to facilitate connecting to apps that do not have pre-built connectors and on-premises integration patterns to make it easy to integrate with web applications without changing any backend source code.

Okta also takes the worry out of patching and upgrade outages, while delivering continuous releases and innovation. As a cloud service, Okta transparently manages all patching and upgrade efforts for the cloud components – Okta SSO and MFA – without any impact on a large organization’s users. Patching for Okta Access Gateway is fast, seamless, low cost and low effort. Organizations can easily keep their environment secure with the proactive security upgrades and standards from Okta.

legacy on premises IAM solutions

Seamless, unified user experience

Collapsing the WAM infrastructure and moving to Okta gives users consistent sign-on experiences to all their apps, whether in the cloud, mobile, or on-premises. Optimizing the end-user experience increases productivity from day zero. Okta Access Gateway also increases scalability with rapid and simple service upgrades. That reduces outages that can be frequent occurrences in WAM environments.

unified user experience

Enhanced security posture

Okta delivers best-in-class security using ThreatInsights, Adaptive MFA and Passwordless access. It enhances enterprise security with robust and unified access management, as well as native support for modern multi-factor authentication (MFA). The ability to view and manage all access management policies from a central administration console gives visibility to enhance an organization’s security posture. Okta’s build from the ground up approach simplifies upgrades and patching compared to WAM, while strengthening the protection of on-premises web applications.

Enhanced security posture

Accelerate IT modernization

Okta Access Gateway does not change on-premises app source code, which offers enterprises a clear on-ramp to modernization. Organizations with hybrid environments can retire legacy solutions at their own pace. As companies adopt more best-in-breed cloud apps, Okta scales to deliver unified, secure, and modern access experiences across users and devices.

To learn more about how migrating from WAM to Okta Access Gateway can lower your total cost of ownership, increase operational efficiency, enhance security postures, and accelerate IT modernization creating friendly end-user experiences, visit

About Okta

Okta is the leading provider of identity for the enterprise. The Okta Identity Cloud connects and protects employees of many of the world’s largest enterprises. It also securely connects enterprises to their partners, suppliers and customers. With deep integrations to over 6,000 apps, the Okta Identity Cloud enables simple and secure access from any device. Thousands of customers, including Experian, 20th Century Fox, LinkedIn, Flex, News Corp, Dish Networks and Adobe trust Okta to work faster, boost revenue and stay secure. Okta helps customers fulfill their missions faster by making it safe and easy to use the technologies they need to do their most significant work. For more information, visit us at or follow us on