The Challenge
After a series of acquisitions, this national health IT enterprise inherited a sprawling identity landscape with no unified governance. Over 2,400 orphaned accounts persisted across Active Directory and downstream applications — each one an unmonitored attack surface. Manual provisioning consumed 5-7 business days per request. But the deeper challenge was architectural: the organization was migrating hundreds of applications to AWS and needed a fully automated pipeline that could onboard both on-premises and SaaS applications, provision role-based access, and federate identities into AWS — all without standing privileges. With SOX and HIPAA audits approaching, they needed zero-trust access from day one.
Our Approach
Designed a fully automated end-to-end pipeline triggered by Terraform submissions during AWS application onboarding. Each infrastructure request automatically initiated the identity provisioning chain — no manual handoffs, no tickets, no delays.
Integrated SailPoint IIQ as the central IGA engine. On application onboarding, SailPoint automatically created the organizational unit structure in Active Directory — OU=<CMDB-AppID> with nested OUs for Dev, Admin, and End-User roles, and corresponding CN groups beneath each — tied directly to the ServiceNow CMDB application record.
Extended Ping Directory Services from on-premises into the private cloud, deploying proxy servers co-located with cloud workloads for low-latency authentication. PingFederate served as the enterprise IDP, embedding each user's RBAC attributes and group memberships into SAML assertions and OAuth tokens at authentication time.
Configured AWS SSO to consume the incoming SAML/OAuth responses from PingFederate, validate the claims, and dynamically map them to the corresponding AWS IAM Role ARNs. Access was provisioned as just-in-time federated identities via Amazon Cognito — users received precisely scoped AWS sessions with zero standing privileges. On logout, a Lambda function automatically cleaned up the JIT Cognito user, ensuring no residual access persisted beyond the session.
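As an added illustration of the AD-to-AWS chain described above (not the engagement's own code), the snippet below derives the per-application OU and group DNs that SailPoint would create for a CMDB AppID and maps incoming SAML group claims to IAM Role ARNs, accepting only groups at the exact DN the pipeline created. The base DN, AWS account id, group naming convention and AppID format are assumptions.

```python
import re

BASE_DN = "DC=example,DC=corp"          # assumption: forest root of the enterprise AD
AWS_ACCOUNT_ID = "123456789012"          # constructed sample AWS account id
ROLES = ("Dev", "Admin", "End-User")     # nested OUs named in the case study
_APP_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")  # assumed CMDB AppID shape


def app_ou(app_id: str) -> str:
    """OU=<CMDB-AppID> under the base DN; reject ids that could smuggle extra RDNs."""
    if not _APP_ID.fullmatch(app_id):
        raise ValueError(f"invalid CMDB AppID: {app_id!r}")
    return f"OU={app_id},{BASE_DN}"


def role_ou(app_id: str, role: str) -> str:
    """Nested Dev/Admin/End-User OU beneath the application OU."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    return f"OU={role},{app_ou(app_id)}"


def role_group_dn(app_id: str, role: str) -> str:
    """The CN group created beneath each role OU (naming convention is assumed)."""
    return f"CN={app_id}-{role},{role_ou(app_id, role)}"


def role_arn(app_id: str, role: str) -> str:
    """IAM Role ARN a federated session maps to (one role per app and tier, assumed)."""
    return f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{app_id}-{role}"


def map_claims_to_roles(app_id: str, group_claims: list[str]) -> list[str]:
    """Map group DNs carried in a SAML assertion to role ARNs.

    Only groups at the exact DN the pipeline provisioned are honoured; a group with
    the right CN but sitting in some other OU does not map, so group creation outside
    the application's OU never yields an AWS role. DN comparison is case-insensitive.
    """
    expected = {role_group_dn(app_id, r).lower(): role_arn(app_id, r) for r in ROLES}
    return sorted({expected[g.lower()] for g in group_claims if g.lower() in expected})


if __name__ == "__main__":
    claims = [role_group_dn("APP1234", "Dev"),
              "CN=APP1234-Admin,OU=Admin,OU=Legacy,DC=example,DC=corp"]  # wrong OU
    print(map_claims_to_roles("APP1234", claims))  # only the Dev role ARN
```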
Engagement Timeline
Discovery & Landscape Assessment
Weeks 1-3: Identity landscape mapping across 47 connected applications, orphaned account identification, CMDB-to-AD gap analysis, and zero-trust architecture requirements gathering.
Pipeline Architecture & Design
Weeks 4-6: Terraform-to-SailPoint integration design, AD OU/group schema modeling per CMDB AppID, Ping Directory cloud extension topology, PingFederate claim mapping strategy.
IGA & Directory Build
Weeks 7-10: SailPoint IIQ lifecycle automation, automated AD OU/group provisioning, Ping Directory proxy deployment in private cloud, PingFederate SAML/OAuth configuration.
AWS Federation & JIT Access
Weeks 11-15: AWS SSO integration, IAM Role ARN mapping to federated claims, Cognito JIT user provisioning, Lambda session cleanup automation, end-to-end pipeline testing.
Go-Live & Compliance Validation
Weeks 16-18: Production cutover, SOX/HIPAA evidence automation, zero-trust posture validation, operational runbook handoff, 30-day hypercare.
The Results
All 2,400+ orphaned accounts identified and remediated within the first 6 weeks — eliminating the largest single source of audit findings.
Application onboarding reduced from 5-7 business days to fully automated, zero-touch provisioning triggered by a single Terraform submission.
Zero standing cloud privileges achieved — every AWS session was JIT-provisioned via Cognito federation and automatically cleaned up on logout via Lambda.
Achieved full SOX and HIPAA audit readiness with automated evidence collection, replacing manual spreadsheet-based compliance processes entirely.
"TechSquad built something we didn't think was possible — a single Terraform submission triggers the entire identity lifecycle, from AD group creation through federated AWS access, with automatic cleanup on logout. Zero standing privileges, zero manual steps, fully auditable. This is what zero trust actually looks like in practice."
VP of Information Security, National Health IT Enterprise