The Challenge
This global travel technology provider operated the backbone infrastructure connecting airlines, travel agencies, and hospitality partners worldwide. Their identity infrastructure was anchored on aging CA SiteMinder protecting 340+ applications — a platform that had reached end-of-life and could no longer support modern authentication protocols. Simultaneously, they were launching an Open Distribution Services platform — a consumer-facing marketplace where travel agencies register, onboard, and transact as partners. The platform required modern identity with fine-grained authorization across containerized microservices running in Kubernetes. To compound the challenge, a credential compromise incident emerged mid-engagement: admin credentials for their ServiceNow instance were discovered scraped from a public GitHub repository and were being actively exploited by threat actors impersonating the brand to defraud airline passengers through fake travel agency storefronts.
Our Approach
Executed a full-scale migration from CA SiteMinder to Okta OIE across 340+ applications — modernizing authentication from legacy cookie-based sessions to SAML 2.0 and OIDC federation. Each application was assessed, categorized by integration complexity, and migrated in prioritized waves with zero-downtime cutover.
Architected the identity layer for the Open Distribution Services platform using Okta OIE as the central IDP, CyberArk for privileged access management of platform infrastructure, and SailPoint for partner lifecycle management — enabling travel agencies to self-register, complete verification, and receive precisely scoped access to distribution APIs.
Deployed Open Policy Agent (OPA) with Styra as authentication and authorization sidecars for containerized microservices in Kubernetes. The enterprise IDP was federated as the third-party identity provider for Styra, enabling fine-grained RBAC decisions at the service mesh layer — every API call authenticated and authorized against centrally managed policies without application-level code changes.
Responded to the active credential compromise by designing AI-powered decoy bots seeded with legitimate consumer identity profiles from the partner user directory. These bots engaged the threat actors as interested ticket purchasers, generating transactional activity that enabled real-time access log tracing. Live tailing of authentication and transaction logs during the sting operation captured the attackers' source IPs, session patterns, and infrastructure fingerprints — evidence that was compiled and reported to law enforcement, resulting in the identification and arrest of the fraud operation.
Engagement Timeline
Assessment & Migration Planning
Weeks 1-4: SiteMinder application inventory, integration complexity scoring, Okta OIE tenant architecture, migration wave prioritization across 340+ applications.
SiteMinder-to-Okta Migration
Weeks 5-12: Phased application migration in priority waves, SAML/OIDC connector development, MFA enrollment, legacy session decommission, zero-downtime cutover validation.
Platform Identity & OPA/Styra
Weeks 13-18: Open Distribution Services identity architecture, CyberArk PAM integration, SailPoint partner lifecycle, OPA/Styra sidecar deployment in Kubernetes, enterprise IDP federation for fine-grained RBAC.
Incident Response & Threat Containment
Weeks 14-17: Credential compromise triage, GitHub exposure remediation, AI decoy bot deployment, live access log tracing, evidence compilation, law enforcement coordination.
Hardening & Operational Handoff
Weeks 19-24: Secret scanning automation, credential rotation across all environments, security monitoring enhancement, operational runbook delivery, hypercare.
The Results
All 340+ applications successfully migrated from SiteMinder to Okta OIE with zero authentication outages during the transition — decommissioning a decade-old legacy platform.
Open Distribution Services platform launched with modern identity — travel agency partners onboard through automated workflows with API-scoped access provisioned in minutes, not weeks.
OPA/Styra sidecars enforcing fine-grained RBAC across all Kubernetes microservices — every API request authenticated and authorized at the mesh layer with centralized policy management.
Credential compromise fully contained — threat actors identified through AI-assisted sting operation, evidence compiled for law enforcement, and the fraud ring was shut down with arrests in multiple countries.
"TechSquad migrated 340 applications off SiteMinder without a single outage, built the identity layer for our partner platform, and — when we were actively being compromised — designed the operation that caught the attackers. That is not a normal consulting engagement. That is a team you trust with your business."
CISO, Global Travel Technology Provider