Beanstalk connecting to cloud identity providers
Desktop authentication broker · COM automation · OIDC/PKCE

Your legacy applications.
Now with enterprise sign-on.

Beanstalk gives older desktop, ERP, and client/server applications the same SSO and MFA your cloud platforms already use — without replacing the software, modifying source code, or running a months-long migration project.

If your business relies on applications that were built before modern identity management existed, and compliance, IT policy, or plain good security hygiene now demands centralised sign-on, Beanstalk is the practical bridge.

No source code required · 10 IdP types supported · On-premises or cloud · Fast to deploy

Keep the application
Add enterprise authentication to software that can't be replaced quickly. No rewrite. No code changes.

Use the IdP you have
Works with Entra, Google, Okta, Auth0, ADFS, OCI, AWS, Keycloak, PingOne and OneLogin environments.

Ship it in days
COM automation means integration is an afternoon, not a project. Admins keep full policy and audit control.

Decades of investment in line-of-business applications that still run core operations, but were built before SSO or MFA existed.

$0 in changes required to the legacy application or to your existing identity provider. Beanstalk sits in between.

One day: typical integration time for a new application. Not a quarter. Not a migration budget. A day.

The gap between old software and modern security policy.

The people who need to implement it and the people who need to approve it care about different things. Here is what Beanstalk means to each of them.

For the IT team integrating it

  • Beanstalk exposes a COM Automation interface. Any application that can call an external COM server — Delphi, C++, VBA, older .NET, PowerBuilder — can use it with a few lines of code.
  • No changes on the identity provider side. No custom application registration beyond what standard OIDC requires.
  • Full PKCE flow with OIDC discovery. The browser handles the actual authentication; Beanstalk handles the token exchange.
  • The calling application chooses the provider and tenant for each sign-in, so one installation can serve different environments without separate builds.
  • Produces a verified identity result the calling application can trust, without storing credentials anywhere near legacy code.

For the manager approving it

  • The alternative is a platform replacement project measured in months and six figures. Beanstalk is a fraction of that cost with a fraction of the risk.
  • Authentication policy stays centralised in the identity platform you already govern, audit, and pay for. Beanstalk does not introduce a new policy layer.
  • Satisfies MFA and SSO requirements for applications that would otherwise fail a security review or compliance audit.
  • Per-seat perpetual licence. No per-user subscription tiers, no annual renewal pressure, no platform lock-in.
  • Extends the useful life of proven, stable software while bringing it in line with the rest of your security posture.

What actually happens.

From the user's perspective, they click sign in and a browser window appears — familiar, fast, identical to every other SSO login they do. From IT's perspective, the flow is auditable and the credentials never touch the legacy application.

1. The legacy application calls Beanstalk
The application makes a single COM call with the environment and any context it needs to pass through. It then waits. Nothing else changes in the application.

2. Beanstalk opens the browser and handles the IdP flow
Beanstalk opens the user's default browser with a standard OIDC authorisation request to your configured identity provider. The user authenticates — including MFA if your policy requires it — exactly as they do for any other application in your environment. Beanstalk receives the token via a local callback; the browser closes.

3. The identity result is returned to the application
Beanstalk returns verified identity information — user principal, domain, groups or claims — to the calling application via the COM interface. The application decides what to do with it. IT retains the sign-in audit trail in the identity platform they already use.
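
The browser hand-off in the steps above, sketched as an added example (not Beanstalk's code or API): the PKCE and state handling a desktop broker performs around an OIDC authorisation request, following RFC 7636. The function names are hypothetical, and the endpoint, client ID and loopback address used with them are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_sign_in(authorization_endpoint, client_id, redirect_uri):
    """Return (browser_url, session). The session never leaves the broker."""
    session = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "verifier": b64url(secrets.token_bytes(32)),  # 43-char secret
        "state": b64url(secrets.token_bytes(16)),     # binds callback to request
        "nonce": b64url(secrets.token_bytes(16)),     # later checked in the ID token
    }
    query = urlencode({
        "response_type": "code", "scope": "openid profile",
        "client_id": client_id, "redirect_uri": redirect_uri,
        "state": session["state"], "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["verifier"]),
        "code_challenge_method": "S256",
    })
    return f"{authorization_endpoint}?{query}", session


def handle_callback(callback_url, session):
    """Validate the loopback callback; return the token-request form fields."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0].encode()
    # Check state first: an unsolicited response must not be acted on at all.
    if not hmac.compare_digest(state, session["state"].encode()):
        raise ValueError("state mismatch: response is not for this sign-in")
    if "error" in params:
        raise ValueError("IdP returned error: " + params["error"][0])
    if "code" not in params:
        raise ValueError("callback carried no authorisation code")
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "client_id": session["client_id"],
            "redirect_uri": session["redirect_uri"],
            "code_verifier": session["verifier"]}  # proves we sent the request
```

Only the hash of the verifier travels through the browser, so a process that intercepts the callback cannot redeem the code without the secret held in the broker's memory.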

Works with the identity providers your business already uses.

No new infrastructure to introduce to your security team. No separate identity silo for legacy applications.

Microsoft Entra ID · Google / Workspace · Okta · Auth0 · ADFS · Oracle IDCS / OCI · Amazon Cognito · Keycloak · PingOne · OneLogin-compatible

The practical details.

Beanstalk is intentionally narrow in scope. It does one thing well — brokering authentication between legacy Windows applications and modern identity providers — and stays out of the way of everything else.

What Beanstalk provides

  • COM Automation server interface — callable from any language that supports COM.
  • Full OIDC/PKCE authorisation code flow with JWKS-verified tokens.
  • Per-call provider and tenant selection, so a single installed instance can serve multiple environments.
  • Returns the verified principal (UPN / preferred_username) plus available claims, which the application maps to its own user records and roles.
  • OIDC discovery and signing keys (JWKS) are cached, so sign-ins start without re-fetching provider metadata each time.
  • Trial and licensing management built in — no separate licence server infrastructure needed in most deployments.

What it does not need

  • No changes to the legacy application's source code — only an added call to the COM interface.
  • No changes to the identity provider — standard OIDC application registration is sufficient.
  • No new server infrastructure in most cases — Beanstalk runs on the desktop alongside the application it serves.
  • No agent on the domain controller or Active Directory server.
  • No inbound firewall rules — all connections are outbound from the user's machine to the IdP and (if used) to the licensing service.

Designed for controlled environments

Beanstalk is built for organisations that still operate core business processes on Windows desktop applications, client/server ERP, terminal emulation, or specialist line-of-business software — and need authentication to align with modern identity policy without disrupting that operational foundation.

  • Per-machine installation with group policy-friendly deployment.
  • Works alongside standard Windows deployment tooling — no custom infrastructure.
  • Trial period available for evaluation in your environment against your identity provider, before any licensing commitment.
  • Integration support available for specific legacy application and IdP combinations.

Common use cases

A finance or operations team that relies on a Windows ERP or bespoke application that predates cloud identity, but must now meet MFA requirements imposed by cyber insurance or a security audit.

A managed service provider deploying the same customer application across multiple tenants with different identity providers, needing per-tenant IdP configuration without maintaining separate builds.

Per-seat perpetual licence

A single licence covers one machine, permanently. No annual renewal, no per-user tier, no platform subscription. The licence travels with the application deployment, not with individual users.

Machine transfers are supported — if a user moves to a new workstation, the licence can be transferred to the new machine. Volume licensing is available for larger rollouts.

What the licence includes

  • All identity provider types supported in the current major version.
  • Updates within the licensed major version.
  • Integration guidance for supported identity and legacy application scenarios.
  • No source-code rights unless explicitly agreed separately.

Pricing reflects the practical scope of the component — not a platform replacement budget. Contact us for volume and multi-environment pricing.

All product names, logos and trademarks are the property of their respective owners. References indicate compatibility, not endorsement or affiliation.

Need something specific?

Tell us which application and which identity provider, or which JDE pain point you're trying to close. We'll tell you quickly whether one of our tools is a fit and what integration looks like for your environment.