Identity federation and directory sync across multiple IdPs

Context

Post-merger, multiple identity providers and on-prem directories forced repeated logins, spreadsheet-driven role mapping, and weak answers to “why did this principal have this permission then?”. Leadership wanted convergence within a few quarters without freezing day-to-day operations, aligned to HR as the authoritative people source.

Constraints

HR-driven attribute changes did not propagate uniformly, leaving stale roles. Token lifetimes differed across apps, creating subtle session-fixation exposure. Cross-region DNS and certificate misconfiguration intermittently broke mobile sign-in. Some legacy apps only accepted older SAML assertions while newer clients expected OIDC. Privileged access approvals still lived in email, disconnected from ticketing.

What we did

We introduced a single user-facing login path with consistent session timeouts, SCIM or reliable batch directory sync, and scheduled reconciliation jobs for orphan entitlements. Privileged roles gained stepped-up MFA and ticket-based approval. Dependent apps received standard OIDC metadata and health endpoints; CI validates TLS chains and JWKS rotation. Entitlement changes append to an auditable stream exportable by user or resource. A focused SAML adapter layer normalises legacy assertions and centralises login and attribute-change logging where short-term replacement was impossible.

Outcomes

Users see one login journey; temporary elevated access is ticket-bound and time-boxed. Audit sampling can reconstruct provenance in minutes. Mobile authentication failures dropped materially, and on-call guides were refreshed with escalation paths. The entry point can remain stable while underlying IdPs evolve in controlled phases.

← Back to case studies

Practical notes

When you translate this narrative into your backlog, keep acceptance tests adjacent to risk items: what would falsify the assumption that the control works end-to-end?

If procurement needs evidence packs, ask for redacted samples of artefacts we produce under similar engagements (pipeline gates, change records, runbook excerpts)—subject to confidentiality.

Questions aligned to this case study

How should we validate recommendations in production?

Start with non-production parity tests, canary slices, and explicit rollback owners. Measure business-critical transactions—not only infrastructure CPU.

What is the most common gap after technical delivery?

Operational ownership: dashboards without on-call routing, runbooks without named substitutes, and secrets without rotation drills. Close those gaps in the same programme, not as a separate “Phase 2”.

How do we integrate audit expectations?

Map controls to tickets and releases: who approved, what changed, what evidence exists. Narrative-only compliance rarely survives scrutiny.

When should we involve legal or privacy teams?

Before irreversible data migrations and before selecting subprocessors that will access personal information. Retrofitting lawful basis is painful.

What teams tell us after delivery

Composite themes from Australian enterprise and cross-border programmes—we do not attribute quotes to named clients on this marketing site.

Engineering finally had one reconcilable story with finance on cloud spend because tagging, budgets, and variance notes were wired into the same monthly export.

Head of Platform, regulated industry

Rollback stopped being a debate. Release records, canary gates, and feature-flag owners were written down before go-live, which shortened incident review.

Principal engineer, national operator

Insights library

Governance and engineering notes.

Contact

Introductions and follow-up questions.

Send a structured note

Opens your email client with a pre-filled message. For pricing bands use Request a quote.