Enterprise SSO and SAML integration: one capability, five contexts

Enterprise SSO and SAML integration: one capability, five contexts logo
Enterprise SSO and SAML integration: one capability, five contexts client logo

Large organizations standardize identity. They run Okta or another SAML identity provider so every employee, and sometimes every customer, has one set of credentials that works across every internal system. The moment a website or portal needs to live inside that world, it has to speak the same protocol, provision the right people automatically, and apply the right permissions. Otherwise it becomes the one system everyone needs a separate password for, and the one account set IT has to manage by hand.

We have built that integration five times, on two CMS platforms and across five very different contexts. Each one connects the site to the organization's existing identity provider with a custom SAML 2.0 implementation: service-provider-initiated login, assertion parsing and signature validation, attribute mapping, automatic account creation on first login, and role or group assignment derived from the identity provider. What changes from one to the next is the context the integration has to satisfy, and that range is the proof.

At a glance

  • Five organizations, one capability: custom SAML 2.0 single sign-on
  • Contexts: internal team, B2C customer portal, regulated bank, multi-role university, legacy CMS
  • Platforms: Craft CMS and ExpressionEngine
  • Identity providers: Okta and other corporate SAML providers
  • Every integration includes automatic provisioning and role or group sync from the identity provider

One capability, five contexts

IDEO: an internal team that never stops changing. IDEO is a global design and innovation consultancy with a fluid roster of designers, strategists, contractors, and collaborators across multiple offices. We built a custom Okta SAML plugin for their Craft CMS site so anyone added to Okta gains access automatically on first login, with their profile and role synced on the way in. No manual account creation, no invitations, and identity stays centralized in Okta, exactly what a fast-moving organization with constant team changes needs.

Sonos: single sign-on at consumer scale. Unlike an internal tool, Sonos's portal serves customers: product registration, warranty, support, and account management. We built the Okta SSO integration to handle consumer traffic patterns rather than a handful of employees, linked customer accounts to their registered products, and hardened it with graceful fallback handling and comprehensive test coverage, because at consumer scale every authentication hiccup turns into a support ticket.

A regional bank: authentication that has to pass an audit. A regional bank holds authentication to a higher standard than a typical business. We built the SAML integration for their Craft CMS site with strict session security (configurable timeouts, secure token handling, clean session termination) and audit-ready logging of authentication events, integrated with the bank's corporate identity provider and security policies. Employees use their existing corporate credentials, and the security team gets the controls and the audit trail the sector requires.

Pratt Institute: one system, three kinds of user. A university website serves students, faculty, and staff, each needing different access, and some people are more than one of those at once. We built the SAML integration to read each person's role from the institutional identity provider during login, map it to the right permissions and content visibility, and handle the edge cases, like the staff member who is also a part-time student. Accounts are provisioned and updated automatically as institutional status changes.

SteadyVision: single sign-on where none existed. SteadyVision runs on ExpressionEngine, a legacy CMS with no off-the-shelf enterprise SSO option and an add-on architecture unlike modern platforms. We built the full SAML 2.0 module from first principles against ExpressionEngine's own extension and member systems, proving enterprise authentication can be met even on a platform where no existing path exists.

What it proves

Across all five, the outcome is the same: people sign in with the credentials they already have, the right accounts appear and update automatically, the right permissions apply, and identity stays centralized in the system the organization already trusts. The variety is the depth: consumer scale, financial-sector security, multi-role institutions, and unsupported legacy platforms are each their own problem, and the same SAML integration capability absorbs all of them. If a buyer's question is whether we can make their site work with their identity provider, the answer is yes, proven five ways.

If your website or portal needs to plug into Okta or another identity provider, that is exactly the integration work we do. Talk about your integration.

Author

Need Similar Solutions?

If you're facing similar challenges or want to explore how I can help with your project, let's talk.

Get in Touch

Services

Used technologies

Weekly Newsletter

Subscribe for monthly, practical AI demos designed to cut friction and boost real results for marketing, sales, and operations leaders.