The simplest thing to do would be to mirror the Basic Auth users in tyk by just adding them in using the REST API, then the access would be transparent.
The next best thing to do would be to create PRE middleware function that extracts the BA details from the header, authenticates with the IDP (and maybe caches the result in memory) and then uses the Tyk API manually to generate a token based on a unique hash of the username.
This way, if the user shows up, you generate the hash, check for the key using the
GetKeyData function, if the hashed version exists, insert it into the header and let the request continue through Tyk. If the hashed key does not exist, then create one based on the hash using
SetKeyData, if you set your API session expiry to be very low then you can manage re-auth and have users utilise your API transparently (at the cost of some JSVM overhead).
I would go one step further and make this legacy API a separate API Definition to anything newer so that users that switch over to the non-legacy IDP / API get slightly faster response times (no JSVM running).
Hope that makes sense