Replacing Legacy SSO with Okta at a $5B Singapore Fintech
Fragmented authentication across 47 applications and four identity stores, with persistent shadow-IT risk. A MAS TRM audit had flagged the lack of unified IAM as a critical finding.
Reduced login support tickets by 73% over 6 months
Eliminated 4 legacy auth systems (3 of them on-premise)
47 SaaS apps fronted by Okta with SCIM auto-provisioning
Closed 4 MAS TRM audit findings on IAM hygiene
The Brief
The client — a Series D Singapore-headquartered fintech — had grown from 80 to 1,400 employees across 6 markets in three years. Their identity infrastructure had not kept pace.
By 2024, the situation looked like this:
- 4 separate identity stores: legacy on-prem AD, a cloud AD instance, a homegrown user database in their core platform, and ad-hoc IAM in 12 individual SaaS tools
- 47 production applications with no unified SSO
- Manual onboarding taking 3–5 business days per new hire
- MAS TRM audit finding: "Identity provisioning lacks central oversight and segregation of duties"
The CISO's team had selected Okta as the target platform. They needed an architect to lead the design and a hands-on consultant for the high-risk integrations — particularly the core trading platform and the legacy mainframe-fronted treasury system.
The Architecture
The solution placed Okta as the single identity authority, with Cloudflare Access enforcing per-app conditional policies at the edge. AD-sync kept the on-prem directory authoritative for HR-driven attributes; Okta became authoritative for app entitlements.
Approach
Phase 1 — Discovery & Mapping (6 weeks) We started with a full IAM inventory: every authentication path, every account, every privileged credential. The output was a heat-map of risk by application — what we called the "auth debt" picture. This was the basis for prioritising the rollout.
Phase 2 — Foundation (8 weeks) We deployed Okta with HRIS-driven provisioning (Workday → Okta), SCIM connectors to the top 12 SaaS apps, and AD-sync for the on-prem identity store. Microsoft 365, Slack, GitHub, AWS Identity Center, and Salesforce were the first wave — high-value, well-supported, low-risk integrations.
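What the SCIM side of that provisioning looks like from the application's end, as an added example that is not code from this engagement: a minimal SCIM 2.0 /Users handler that accepts the create (joiner) and PATCH (mover and leaver) messages an Okta SCIM connector sends, with one point the page's outcome section depends on: deactivation must revoke live sessions, not just flip a flag. The in-memory store, the user names and the payloads are constructed for the example; the message shapes follow RFC 7643/7644.

```python
"""SCIM 2.0 user endpoint handling an Okta-driven joiner/mover/leaver flow.

Added example; not code from the engagement on this page. Assumes an in-memory
user store standing in for the application's user table, and the SCIM 2.0
message shapes (RFC 7643/7644) that Okta's SCIM connector sends.
"""
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Carries the HTTP status the SCIM client expects (400/404/409)."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class UserStore:
    def __init__(self):
        self.users = {}        # SCIM id -> user resource
        self.by_username = {}  # lower-cased userName -> SCIM id
        self.sessions = {}     # SCIM id -> set of live session tokens

    def create(self, payload):
        """POST /Users (joiner). A duplicate userName is a 409, per RFC 7644 3.3."""
        if SCIM_USER not in payload.get("schemas", []):
            raise ScimError(400, "missing User schema")
        username = str(payload.get("userName", "")).strip().lower()
        if not username:
            raise ScimError(400, "userName is required")
        if username in self.by_username:
            raise ScimError(409, "userName already exists")
        user_id = str(uuid.uuid4())
        self.users[user_id] = {
            "schemas": [SCIM_USER],
            "id": user_id,
            "userName": username,
            "active": bool(payload.get("active", True)),
            "name": payload.get("name", {}),
            "emails": payload.get("emails", []),
        }
        self.by_username[username] = user_id
        self.sessions[user_id] = set()
        return self.users[user_id]

    def patch(self, user_id, payload):
        """PATCH /Users/{id}: attribute changes (mover) and deactivation (leaver)."""
        if SCIM_PATCH not in payload.get("schemas", []):
            raise ScimError(400, "missing PatchOp schema")
        user = self.users.get(user_id)
        if user is None:
            raise ScimError(404, "user not found")
        for op in payload.get("Operations", []):
            kind = str(op.get("op", "")).lower()
            path, value = op.get("path"), op.get("value")
            if kind != "replace":
                # Only 'replace' is needed for Okta's user-level pushes; anything
                # else is rejected rather than silently ignored.
                raise ScimError(400, f"unsupported op {kind!r}")
            # Okta's deactivate call is {"op":"replace","value":{"active":false}}
            # with no path; the path form ("active") is also legal per RFC 7644.
            changes = value if path is None and isinstance(value, dict) else {path: value}
            for attr, new in changes.items():
                if attr == "active":
                    self._set_active(user, bool(new))
                elif attr == "userName":
                    del self.by_username[user["userName"]]
                    user["userName"] = str(new).strip().lower()
                    self.by_username[user["userName"]] = user["id"]
                elif attr in ("name", "emails"):
                    user[attr] = new
                else:
                    raise ScimError(400, f"attribute {attr!r} is not writable")
        return user

    def _set_active(self, user, active):
        user["active"] = active
        if not active:
            # Deprovisioning must kill live access, not just flip a flag:
            # drop every session this user still holds.
            self.sessions[user["id"]].clear()

    def login(self, username, token):
        """Issue a session only for active users."""
        user_id = self.by_username.get(username.lower())
        if user_id is None or not self.users[user_id]["active"]:
            raise PermissionError("account inactive or unknown")
        self.sessions[user_id].add(token)
        return token


def demo():
    """Joiner -> login -> leaver, driven by constructed Okta-style SCIM payloads."""
    store = UserStore()
    u = store.create({"schemas": [SCIM_USER], "userName": "a.tan@example.com",
                      "name": {"givenName": "A", "familyName": "Tan"},
                      "emails": [{"value": "a.tan@example.com", "primary": True}]})
    store.login("a.tan@example.com", "sess-1")
    store.patch(u["id"], {"schemas": [SCIM_PATCH],
                          "Operations": [{"op": "replace", "value": {"active": False}}]})
    return store, u["id"]
```

Okta deactivates rather than deletes by default, so the `active=false` path is the one the leaver flow actually exercises; an endpoint that accepts the PATCH but leaves existing sessions and API tokens valid satisfies the connector and not the auditor.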
Phase 3 — Edge enforcement (4 weeks) Cloudflare Access was placed in front of all internal-facing web apps, with policies driven by Okta groups. Device-trust signals from CrowdStrike were added to the conditional access logic.
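How the edge policies described in the architecture and in this phase combine Okta group membership with a device-trust signal, as an added example and not the engagement's Cloudflare or Okta configuration: an evaluator with Cloudflare Access's Include / Require / Exclude semantics, ordered policies, first match wins, and default deny. The group names, the treasury policy set and the boolean device-posture signal are constructed for the example. One caveat for the header-based apps in the later phase: the origin must still verify the `Cf-Access-Jwt-Assertion` token (signature, issuer and audience) rather than trusting the identity headers on their own, because anything that can reach the origin directly can forge a header.

```python
"""Edge conditional-access evaluation in the style of Cloudflare Access policies.

Added example; not the engagement's Cloudflare or Okta configuration. The Okta
group claims and the EDR device-posture signal are constructed inline. Policy
semantics follow Cloudflare Access: within one policy, Include matches if ANY
selector matches, Require only if ALL match, and Exclude vetoes if ANY matches.
Policies are evaluated in order, the first matching policy decides (allow or
block), and a request that matches nothing is denied.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    email: str
    okta_groups: frozenset      # group names asserted by Okta at login
    country: str                # ISO 3166-1 alpha-2 as seen at the edge
    device_healthy: bool        # EDR posture signal (reduced to a boolean here)
    mfa: bool                   # Okta asserted MFA for this session


@dataclass
class Policy:
    name: str
    action: str                 # "allow" or "block"
    include: list               # selectors: at least one must match
    require: list = field(default_factory=list)   # all must match
    exclude: list = field(default_factory=list)   # none may match


def match_selector(selector, req):
    kind, value = selector
    if kind == "everyone":
        return True
    if kind == "group":
        return value in req.okta_groups
    if kind == "email_domain":
        return req.email.lower().endswith("@" + value.lower())
    if kind == "country":
        return req.country == value
    if kind == "device_healthy":
        return req.device_healthy is value
    if kind == "mfa":
        return req.mfa is value
    # A typo in a policy must not silently become "matches nothing" in an
    # Exclude; raise so the caller fails closed.
    raise ValueError(f"unknown selector kind {kind!r}")


def policy_matches(policy, req):
    if not any(match_selector(s, req) for s in policy.include):
        return False
    if not all(match_selector(s, req) for s in policy.require):
        return False
    if any(match_selector(s, req) for s in policy.exclude):
        return False
    return True


def evaluate(policies, req):
    """Return (decision, policy_name); decision is 'allow', 'block' or 'deny'."""
    for p in policies:
        if policy_matches(p, req):
            return p.action, p.name
    return "deny", None          # default deny: no policy matched


# Constructed policy set for a high-risk app: block contractors outright, then
# allow treasury ops only with a healthy device, MFA, and from Singapore, and
# never for anyone already in an offboarding group.
TREASURY_POLICIES = [
    Policy("block-contractors", "block", include=[("group", "contractors")]),
    Policy("allow-treasury-ops", "allow",
           include=[("group", "treasury-ops")],
           require=[("device_healthy", True), ("mfa", True), ("country", "SG")],
           exclude=[("group", "offboarding")]),
]
```

Order matters: a contractor who has also been added to the treasury-ops group hits the block policy first and never reaches the allow rule, which is the reason explicit block policies are placed ahead of allow policies rather than relying on the allow rule's own Exclude list.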
Phase 4 — Long-tail apps (6 weeks) The remaining 35 applications were tackled by category: 18 via SAML, 9 via OIDC, 6 via header-based authentication through Cloudflare Access, and 2 high-risk apps (the core trading and the legacy treasury system) via custom integrations with security review.
Phase 5 — Decommission & audit (4 weeks) The 4 legacy auth systems were decommissioned in a staged shutdown. The MAS TRM auditor was re-engaged for a follow-up review and confirmed the findings were closed.
Outcome
The headline metric — a 73% drop in authentication-related support tickets — was the easiest to communicate to leadership. But the bigger wins were structural:
- A single auditable log of every authentication event across the entire app estate
- Automated joiner/mover/leaver flows reduced time-to-productive from 3–5 days to under 4 hours
- The ability to enforce conditional access policies (device trust, geo, risk-score) consistently
- A clean foundation for adding privileged access management (BeyondTrust) in the next phase
What I'd Do Differently
The conditional-access policy work in Phase 3 was harder than scoped. We had assumed device-trust integration with CrowdStrike would be straightforward — it wasn't. The Okta-CrowdStrike connector at the time required custom token-passing logic that took two weeks longer than planned.
Future engagements: I now scope a dedicated week for any device-trust integration that involves more than two vendors, and require a working prototype before committing to a rollout date.