The Challenge
This global hospitality leader operates 6,000+ properties across 100+ countries and 19 brands. Their identity and security infrastructure had accumulated decades of technical debt — CA SiteMinder for SSO, CA IDM for identity management, fragmented Active Directory forests per region, and no unified lifecycle management. Each brand and region had evolved its own authentication flows — resulting in 23 distinct authentication paths, a 12% failure rate, and helpdesk tickets for password resets consuming 30% of IT support capacity. Beyond employee identity, the organization had a strategic mandate to enable contactless mobile check-in across all properties worldwide — requiring a modern identity platform that could support guest-facing mobile experiences alongside enterprise SSO. Network security was equally fragmented, with no centralized CASB or vulnerability management.
Our Approach
Migrated the entire SSO infrastructure from CA SiteMinder to Ping Identity services — PingFederate for centralized federation with adaptive MFA, PingAccess for API gateway security — deploying a hub-and-spoke model across all 19 brands with geo-distributed clusters for sub-second global authentication.
Replaced CA IDM with SailPoint IIQ for identity governance, automating the full employee lifecycle from birthright provisioning through access certification to termination deprovisioning. SSO and MFA entitlements were provisioned as birthright access — every new employee automatically received federated SSO credentials and MFA enrollment on day one, zero manual steps.
Designed and deployed the contactless mobile check-in platform across all hotel properties worldwide in phased rollouts — integrating mobile device identity with the centralized Ping Identity platform so guests could check in, receive their room assignment, and unlock their door from their phone without visiting the front desk.
Implemented Netskope for cloud access security brokerage (CASB/SASE) and Skybox for vulnerability and security policy management — providing unified visibility into cloud application usage, network exposure, and policy compliance across all 6,000+ properties.
Engagement Timeline
Legacy Assessment & Architecture
Weeks 1-4: SiteMinder and CA IDM inventory, 23 authentication flow catalog, brand-by-brand migration plan, Ping Identity cluster topology design, Netskope/Skybox scoping.
SSO & Federation Migration
Weeks 5-10: SiteMinder-to-PingFederate migration, PingAccess API gateway deployment, adaptive MFA rollout, geo-distributed cluster validation, zero-downtime cutover.
IDM Modernization & LCM Automation
Weeks 8-14: CA IDM decommission, SailPoint IIQ deployment, birthright provisioning for SSO/MFA, automated lifecycle management, certification campaign configuration.
Contactless Mobile Check-In
Weeks 12-18: Mobile identity integration with Ping platform, guest-facing authentication flows, property-level rollout in regional phases, front-desk bypass validation.
Network Security & Handoff
Weeks 18-22: Netskope CASB/SASE deployment, Skybox vulnerability management rollout, policy unification across properties, operational handoff, hypercare.
The Results
Unified single sign-on with adaptive MFA deployed across all 6,000+ properties — the first time in company history that every brand, region, and property shared a common authentication platform.
Helpdesk tickets for authentication and password issues dropped 40% — freeing IT support to focus on strategic initiatives rather than credential resets.
Contactless mobile check-in launched across all properties in phased rollouts — enabling guests worldwide to bypass the front desk entirely, improving satisfaction scores and reducing lobby congestion.
Netskope and Skybox deployment gave security teams the first-ever unified view of cloud application usage, network vulnerabilities, and policy compliance across the entire global property footprint.
"TechSquad transformed our entire identity and security infrastructure — SSO, identity management, mobile guest experience, and network security — across 6,000 properties in 22 weeks. The contactless mobile check-in alone changed how our guests experience our brand. And the 40% drop in helpdesk tickets changed how our IT teams spend their time."
SVP of Global Technology, Global Hospitality Leader