The Challenge
This global luxury retail brand operates thousands of stores across dozens of countries, with a workforce spanning corporate employees, retail store associates, and seasonal staff. Their identity infrastructure was anchored on PingFederate protecting 500+ applications — but the platform lacked the adaptive enrollment, progressive profiling, and device-aware authentication capabilities that modern retail operations demanded. Lifecycle management was fragmented: joiners waited days for access, movers retained stale entitlements, and leavers left orphaned accounts across retail and corporate systems. Privileged credentials for store infrastructure and back-office systems were managed manually with no vaulting or rotation. The organization also needed a path to passwordless authentication for managed devices — reducing friction for store employees who authenticate dozens of times per shift while maintaining security posture across a geographically distributed retail footprint.
Our Approach
Executed a full-scale migration from PingFederate to Okta OIE across 500+ applications using a hub-and-spoke federation model. Implemented progressive profiling to incrementally collect user attributes during authentication — eliminating lengthy upfront registration for retail and consumer-facing applications — and adaptive enrollment to dynamically adjust MFA requirements based on user risk, device posture, and network context.
Deployed SailPoint ISC as the identity governance platform, automating the complete Joiner/Mover/Leaver lifecycle for all workforce populations — corporate employees, retail store associates, and seasonal staff. Birthright access for SSO and MFA was provisioned automatically on day one. Access requests, certifications, and role-based entitlements were unified across the entire retail and corporate user base.
Integrated Delinea Secrets Server for privileged access management, vaulting store infrastructure credentials, back-office service accounts, and administrative access — all managed through SailPoint ISC for unified governance. Privileged access requests, approvals, and credential checkout flowed through the same governance framework as standard access.
Connected SailPoint ISC with Microsoft Intune and VMware Workspace ONE for managed device compliance governance. Okta Verify and Okta for Windows Login were pushed to all managed devices through the MDM platforms, and users were auto-enrolled in Okta FastPass — enabling passwordless authentication on managed devices and seamless SSO when connecting from a managed device on the corporate network. Zero manual enrollment steps required.
Engagement Timeline
Discovery & Migration Architecture
Weeks 1-3: PingFederate application inventory, hub-and-spoke federation design, Okta OIE tenant architecture, progressive profiling and adaptive enrollment strategy, MDM integration scoping.
PingFederate-to-Okta Migration
Weeks 4-10: Phased application migration in priority waves, SAML/OIDC connector development, progressive profiling configuration, adaptive MFA enrollment rollout, zero-downtime cutover.
IGA & Lifecycle Automation
Weeks 8-14: SailPoint ISC deployment, J/M/L workflow automation for workforce and retail populations, birthright SSO/MFA provisioning, access certification campaigns, Delinea integration.
Device Compliance & Passwordless
Weeks 13-18: Intune and Workspace ONE integration with ISC, Okta Verify and Okta for Windows Login MDM push, FastPass auto-enrollment, managed device passwordless authentication validation.
Validation & Operational Handoff
Weeks 19-20: End-to-end lifecycle testing across all user populations, passwordless flow validation on managed devices, on-network seamless SSO testing, runbook delivery, hypercare.
The Results
All 500+ applications migrated from PingFederate to Okta OIE with progressive profiling and adaptive enrollment — reducing user registration friction by 60% while strengthening security posture through risk-based MFA.
Joiner/Mover/Leaver lifecycle fully automated through SailPoint ISC — new hire access provisioned in under 2 hours (down from 3 days), role changes reflected within 15 minutes, and terminations deprovisioned across all systems automatically.
Passwordless authentication achieved on all managed devices via Okta FastPass — store associates authenticate without passwords, reducing per-shift authentication friction and eliminating password-related helpdesk tickets for managed devices.
Unified privileged access governance through Delinea Secrets Server managed by SailPoint ISC — all privileged credentials vaulted, rotated automatically, and governed through the same certification workflows as standard access.
"TechSquad migrated 500 applications, automated our entire identity lifecycle for corporate and retail users, and delivered passwordless authentication to every managed device — all in 20 weeks. Our store associates no longer type passwords. Our IT team no longer processes access requests manually. The transformation was total."
VP of Global IT Security, Global Luxury Retail Brand