Legacy Windows application MFA · Beanstalk Authentication Broker

Add MFA to legacy Windows applications without rewriting them.

Older desktop and client/server applications often remain essential long after identity policy has moved on. Beanstalk gives those applications a practical path to modern SSO and MFA through a local authentication broker instead of a replacement project.

MFA for old Windows apps · SSO without rewrite · Uses existing IdP · COM automation bridge

The awkward exception in many MFA rollouts.

A business can standardise on Microsoft Entra ID, Okta, Google, Auth0, ADFS, Keycloak or another identity platform and still have critical Windows applications using their own local login screens.

Those applications are often too important to replace quickly, too stable to disturb unnecessarily, and too old to natively support OIDC, PKCE, browser-based sign-in or modern MFA prompts.

The result is an identity-policy gap: everything modern is protected, while one important finance, operations, ERP or administration tool remains an exception.

Where Beanstalk fits

  • Beanstalk runs beside the application and exposes a COM Automation interface that legacy Windows software can call.
  • It opens the user’s normal browser, sends the user to the configured identity provider, completes the OIDC/PKCE flow, and returns a verified identity result to the calling application.
  • The legacy application does not need to know how to perform browser sign-in, token exchange, JWKS validation, MFA, claim retrieval or provider-specific protocol details.

Good candidates

  • Internal line-of-business applications where source changes are possible but a full authentication rewrite is not justified.
  • ERP companion tools, finance applications, operational utilities, administrative tools and bespoke Windows software that still serve a real business purpose.
  • Applications where the business requirement is not a new platform, but central sign-on, MFA enforcement and auditable identity.

What remains under your control

  • Identity policy remains in the identity provider your organisation already governs.
  • The application still decides how the verified user maps to its own user records, permissions and business rules.
  • Beanstalk acts as the bridge, not as a new identity silo or a replacement security model.

Practical next step

Find out whether your application is a good candidate.

Tell us the application technology, current login method, identity provider and deployment model. We can usually tell quickly whether Beanstalk is a practical fit, what would need to change, and where the integration risk sits.

Common questions

No. A normal OIDC application registration is usually enough. Beanstalk is designed to work with the identity provider you already use.

No. Beanstalk authenticates the user and returns verified identity details. The application still controls its own authorisation and business permissions.

Sometimes it helps, but it is not the same as application-level identity. Beanstalk gives the application a verified user identity instead of only protecting the path to the machine or network.

All product names, logos and trademarks are the property of their respective owners. References indicate compatibility, not endorsement or affiliation.