Delphi desktop application sign-in · Beanstalk Authentication Broker

Microsoft Entra ID sign-in for Delphi applications.

Delphi applications often have long productive lives. Beanstalk lets Delphi VCL and Windows desktop applications call a local COM broker, use the organisation’s browser-based Entra ID sign-in, and receive a verified identity result without turning the application into an identity-protocol project.

Delphi / VCL friendly Microsoft Entra ID OIDC/PKCE MFA through policy
Ask if Beanstalk fits your application View main Beanstalk page

Delphi is productive. Authentication protocols are not.

A Delphi application can be stable, valuable and business-critical while still using an authentication approach designed before cloud identity became standard.

Adding Entra ID directly can become a distraction: browser launch, redirect handling, PKCE, token exchange, JWKS validation, cache rules, claim mapping and policy behaviour all need careful handling.

Beanstalk keeps that work outside the application and gives Delphi code a small integration surface through COM.

How the Delphi application uses it

  • The application calls Beanstalk through COM Automation when it needs to authenticate a user.
  • Beanstalk opens the browser and performs the OIDC/PKCE flow against Microsoft Entra ID or another configured provider.
  • The application receives identity details such as principal name, display name, domain, groups or claims and then applies its own existing user mapping rules.

Why this is useful for existing VCL systems

  • You can preserve the working application and add modern sign-in at the edge of the codebase instead of rebuilding core login logic.
  • The user sees the same Entra ID and MFA experience they already know from Microsoft 365 and other enterprise applications.
  • IT keeps authentication policy, conditional access and audit trails in the central identity platform.

Beyond Entra ID

  • The same application pattern can be used with Okta, Google, Auth0, ADFS, Keycloak, PingOne, Oracle and other supported OIDC environments.
  • Environment-specific provider settings allow one application deployment model to work across different customers or tenants.
  • This is especially useful for software vendors and consultants maintaining Delphi applications across multiple sites.
Practical next step

Find out whether your application is a good candidate.

Tell us the application technology, current login method, identity provider and deployment model. We can usually tell quickly whether Beanstalk is a practical fit, what would need to change, and where the integration risk sits.

Order or Inquire

Common questions

No. The point is to help existing Delphi applications adopt modern sign-in without a broad rewrite.

No. Authentication happens in the browser and identity provider. The application receives the verified result, not the password.

Generally yes, provided the application can call COM Automation and can make a small integration change around its login process.

Related Beanstalk resources

Add MFA to legacy Windows applications without rewriting them
Related Beanstalk resource page
An OIDC/PKCE bridge for Windows desktop applications
Related Beanstalk resource page
Close the legacy-application gap in your MFA rollout
Related Beanstalk resource page
Modern SSO for older client/server applications
Related Beanstalk resource page
SSO for legacy ERP and desktop business applications
Related Beanstalk resource page

All product names, logos and trademarks are the property of their respective owners. References indicate compatibility, not endorsement or affiliation.

Need something specific?

Tell us which application and which identity provider, or which JDE pain point you're trying to close. We'll tell you quickly whether one of our tools is a fit and what integration looks like for your environment.

Contact us Browse products