The Challenge
Following a corporate divestiture from a major healthcare conglomerate, this national health insurance provider needed to stand up its own consumer identity infrastructure — fast. The organization had been relying on the parent company's Okta OIE tenant for consumer authentication on its healthcare.gov enrollment platform, serving the general public during open enrollment periods. Post-divestiture, they needed their own CIAM platform with full sovereignty over consumer identities. The challenge was monumental: 6.5 million consumer accounts needed to migrate from Okta OIE to Auth0/Okta CIC without disrupting the enrollment experience — during a period when any authentication failure could prevent a citizen from enrolling in healthcare coverage. The migration needed to be invisible to end users, preserve all MFA factor registrations, and be fully automated through CI/CD pipelines. There was no room for a "big bang" cutover or a manual migration window.
Our Approach
Designed and deployed a multi-tenant Auth0 architecture using a spec-driven design methodology — every tenant configuration, connection, rule, action, and form defined as code and deployed through CI/CD pipelines. Terraform managed the Auth0 tenant infrastructure, GitHub Actions orchestrated deployments, and Lambda functions handled custom integration logic. Zero manual configuration in the Auth0 dashboard.
Engineered a silent migration flow using Auth0's Custom Database Login Action. When users navigated to the application, a transition page informed them that the system had been upgraded and directed them to the new Auth0 login — instructing them to use their existing credentials. On form submission, the Custom DB Login Action script called the Okta AuthN API to validate the username and password against the source Okta OIE tenant. On successful authentication, Okta issued an access token containing user claims — firstName, lastName, email, mobile, policyNumber, and other profile attributes.
Extended the migration flow to port MFA factor registrations. After successful Okta authentication, the Login Action called the Okta Factors API to retrieve all registered factors — SMS, EMAIL, and VOICE. Available factors were appended as an array to the user profile returned to Auth0, creating the user in Auth0 on first login with their complete factor portfolio intact. A migration flag (password_reset_required) was set on the newly created Auth0 user to enforce credential separation from the source tenant.
Implemented a Post-Login Action trigger that detected the password_reset_required flag and forced users through a secure password reset flow — first verifying their identity via one of the MFA factors just ported from Okta (confirming the factor migration succeeded), then requiring a new Auth0 password distinct from their Okta credential. Designed extensive custom flows using Auth0 Forms for self-service experiences and configured the Auth0 Delegated Administration Extension for support team operations. The entire flow was invisible to users — they perceived a routine system upgrade, confirmed their MFA once, and set a new password.
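The migration flow described in the three steps above, as one added end-to-end sketch (not TechSquad's or the client's code): a Custom DB Login script that validates against the Okta AuthN API, ports only active SMS/EMAIL/VOICE factors from the Okta Factors API, sets the password_reset_required flag, and a Post-Login Action that acts on it. The Okta client and its responses are constructed stand-ins, the reset form URL is a placeholder, and the `api` object mirrors the Auth0 Action API surface.

```javascript
// Added illustration of the migration flow; not TechSquad's or the client's code.
// Okta responses below are constructed; a real script calls the Okta tenant over HTTPS.
const FACTOR_MAP = { sms: "SMS", email: "EMAIL", call: "VOICE" }; // Okta factorType -> label

// Constructed stand-in for an HTTPS client against the source Okta OIE tenant.
async function mockOkta(method, path, body) {
  if (method === "POST" && path === "/api/v1/authn") {
    if (body.username !== "jane@example.com" || body.password !== "correct-horse")
      return { status: 401, json: { errorCode: "E0000004" } }; // Okta: authentication failed
    return { status: 200, json: { status: "SUCCESS", _embedded: { user: {
      id: "00uEXAMPLE", profile: { login: "jane@example.com", firstName: "Jane", lastName: "Doe" } } } } };
  }
  if (method === "GET" && path === "/api/v1/users/00uEXAMPLE/factors")
    return { status: 200, json: [
      { factorType: "sms",   status: "ACTIVE", profile: { phoneNumber: "+15555550100" } },
      { factorType: "email", status: "ACTIVE", profile: { email: "jane@example.com" } },
      { factorType: "call",  status: "PENDING_ACTIVATION", profile: { phoneNumber: "+15555550100" } },
      { factorType: "push",  status: "ACTIVE", profile: {} } ] };
  return { status: 404, json: {} };
}

// Custom DB Login script body. Auth0 invokes login(email, password, callback); the callback
// is omitted here so the returned profile can be inspected directly.
async function login(email, password, okta = mockOkta) {
  const authn = await okta("POST", "/api/v1/authn", { username: email, password });
  if (authn.status !== 200 || authn.json.status !== "SUCCESS")
    throw new Error("WrongUsernameOrPassword"); // one generic failure: no account enumeration
  const user = authn.json._embedded.user;
  const res = await okta("GET", `/api/v1/users/${user.id}/factors`);
  const migrated_factors = (res.status === 200 ? res.json : [])
    .filter((f) => f.status === "ACTIVE" && FACTOR_MAP[f.factorType]) // active SMS/EMAIL/VOICE only
    .map((f) => ({ type: FACTOR_MAP[f.factorType], value: f.profile.phoneNumber || f.profile.email }));
  return {
    user_id: user.id, email: user.profile.login,
    given_name: user.profile.firstName, family_name: user.profile.lastName,
    app_metadata: { migrated_factors, password_reset_required: true }, // flag drives the reset
  };
}

// Post-Login Action: challenge a ported factor first, then send the user to the reset form.
// `api` mirrors Auth0's Action API surface (multifactor.enable, redirect.sendUserTo).
function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  if (!meta.password_reset_required) return "allow"; // already reset: normal login
  api.multifactor.enable("any"); // verifies one of the migrated factors before the reset
  api.redirect.sendUserTo("https://RESET_FORM_URL_PLACEHOLDER/reset"); // placeholder URL
  return "reset";
}
```

The reset form is expected to clear password_reset_required in app_metadata on success, so the Action allows the next login straight through.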
Engagement Timeline
Divestiture Analysis & Architecture
Weeks 1-3: Okta OIE tenant analysis, user population profiling (6.5M accounts), MFA factor inventory, Auth0 multi-tenant architecture design, spec-driven methodology definition, CI/CD pipeline architecture.
Auth0 Platform Build & CI/CD
Weeks 4-7: Terraform Auth0 tenant provisioning, GitHub Actions pipeline development, Lambda integration functions, Custom DB Login Action development, Okta AuthN API integration, Okta Factors API factor porting logic.
Migration Flow Engineering
Weeks 8-11: Silent migration flow implementation, transition page design, Post-Login Action for password reset enforcement, Auth0 Forms custom flows, Delegated Administration Extension configuration, end-to-end migration testing with production data subsets.
Staged Rollout & Monitoring
Weeks 12-14: Phased traffic cutover from Okta to Auth0, real-time migration telemetry, factor porting success rate monitoring, user experience validation, support team enablement via DAE.
Full Migration & Handoff
Weeks 15-16: Complete traffic migration, Okta OIE decommission planning, migration completion validation across all 6.5M accounts, operational runbook delivery, hypercare through open enrollment period.
The Results
All 6.5 million consumer identities silently migrated from Okta OIE to Auth0 with zero user-reported issues — users experienced what appeared to be a routine system upgrade, not a platform migration.
MFA factor registrations (SMS, EMAIL, VOICE) preserved through automated Okta Factors API porting — users confirmed their existing factor once and set a new password, with no re-enrollment required.
Credential separation achieved between source and target platforms — every migrated user established a unique Auth0 password, eliminating cross-platform credential reuse risk post-divestiture.
Entire deployment fully automated through CI/CD — Terraform for Auth0 tenant infrastructure, GitHub Actions for pipeline orchestration, Lambda functions for integration logic, Auth0 Actions and Forms defined as code. Zero manual dashboard configuration.
"TechSquad migrated 6.5 million consumer identities — including their MFA factors — without a single user knowing it happened. Our members thought we upgraded the system. They confirmed their phone number, set a new password, and moved on. That is the definition of a flawless migration. And the fact that every piece of it was deployed through CI/CD pipelines means we can operate it ourselves going forward."
VP of Digital Technology, National Health Insurance Provider