Large organizations standardize identity. They run Okta or another SAML identity provider so every employee, and sometimes every customer, has one set of credentials that works across every internal system. The moment a website or portal needs to live inside that world, it has to speak the same protocol, provision the right people automatically, and apply the right permissions. Otherwise it becomes the one system everyone needs a separate password for, and the one account set IT has to manage by hand.
We have built that integration five times, on two CMS platforms and across five very different contexts. Each one connects the site to the organization's existing identity provider with a custom SAML 2.0 implementation: service-provider-initiated login, assertion parsing and signature validation, attribute mapping, automatic account creation on first login, and role or group assignment derived from the identity provider. What changes from one to the next is the context the integration has to satisfy, and that range is the proof.
At a glance
- Five organizations, one capability: custom SAML 2.0 single sign-on
- Contexts: internal team, B2C customer portal, regulated bank, multi-role university, legacy CMS
- Platforms: Craft CMS and ExpressionEngine
- Identity providers: Okta and other corporate SAML providers
- Every integration includes automatic provisioning and role or group sync from the identity provider
One capability, five contexts
IDEO: an internal team that never stops changing. IDEO is a global design and innovation consultancy with a fluid roster of designers, strategists, contractors, and collaborators across multiple offices. We built a custom Okta SAML plugin for their Craft CMS site so anyone added to Okta gains access automatically on first login, with their profile and role synced on the way in. No manual account creation, no invitations, and identity stays centralized in Okta, exactly what a fast-moving organization with constant team changes needs.
Sonos: single sign-on at consumer scale. Unlike an internal tool, Sonos's portal serves customers: product registration, warranty, support, and account management. We built the Okta SSO integration to handle consumer traffic patterns rather than a handful of employees, linked customer accounts to their registered products, and hardened it with graceful fallback handling and comprehensive test coverage, because at consumer scale every authentication hiccup turns into a support ticket.
A regional bank: authentication that has to pass an audit. A regional bank holds authentication to a higher standard than a typical business. We built the SAML integration for their Craft CMS site with strict session security (configurable timeouts, secure token handling, clean session termination) and audit-ready logging of authentication events, integrated with the bank's corporate identity provider and security policies. Employees use their existing corporate credentials, and the security team gets the controls and the audit trail the sector requires.
Pratt Institute: one system, three kinds of user. A university website serves students, faculty, and staff, each needing different access, and some people are more than one of those at once. We built the SAML integration to read each person's role from the institutional identity provider during login, map it to the right permissions and content visibility, and handle the edge cases, like the staff member who is also a part-time student. Accounts are provisioned and updated automatically as institutional status changes.
SteadyVision: single sign-on where none existed. SteadyVision runs on ExpressionEngine, a legacy CMS with no off-the-shelf enterprise SSO option and an add-on architecture unlike modern platforms. We built the full SAML 2.0 module from first principles against ExpressionEngine's own extension and member systems, proving enterprise authentication can be met even on a platform where no existing path exists.
What it proves
Across all five, the outcome is the same: people sign in with the credentials they already have, the right accounts appear and update automatically, the right permissions apply, and identity stays centralized in the system the organization already trusts. The variety is the depth: consumer scale, financial-sector security, multi-role institutions, and unsupported legacy platforms are each their own problem, and the same SAML integration capability absorbs all of them. If a buyer's question is whether we can make their site work with their identity provider, the answer is yes, proven five ways.
If your website or portal needs to plug into Okta or another identity provider, that is exactly the integration work we do. Talk about your integration.
Need Similar Solutions?
If you're facing similar challenges or want to explore how I can help with your project, let's talk.
Related Client Work:
- 5mo
Sonos: Customer Portal SSO IntegrationA custom Okta SAML SSO plugin for Craft CMS powering Sonos's B2C customer portal, with automatic account provisioning at consumer scale. - 1mo
IDEO: Global Design Consultancy SSO IntegrationA custom Okta SAML SSO plugin for Craft CMS, giving IDEO's globally distributed design team unified access with automatic provisioning on first login. - 4mo
Pratt Institute: Higher Education SSO IntegrationA custom SAML SSO plugin for Craft CMS handling students, faculty, and staff as distinct roles, with automatic provisioning across the user lifecycle for Pratt Institute. - 2mo
Columbia Bank: Financial Sector SSO IntegrationA custom SAML SSO plugin for Craft CMS built to banking security standards, with configurable session security and audit-ready logging for Columbia Bank employees. - 6mo
SteadyVision: Expression Engine SSO IntegrationA SAML SSO module built from the ground up for Expression Engine, a legacy CMS with no existing enterprise authentication options.