Article contributed by Eric Olden, CEO, Strata Identity
For enterprise identity and access management (IAM) teams, mergers and acquisitions (M&A) present a familiar challenge: quickly providing new employees access to applications and data across multiple organizations without dismantling existing identity systems.
But there’s no easy answer.
Ripping and replacing identity providers (IDPs) requires rewriting hundreds, sometimes thousands of applications. Which can take years and cost millions in consulting fees, custom development, and business disruptions along the way. A better path is to unify authentication at runtime, enabling single sign-on (SSO) across distributed, incompatible identity systems. Unified SSO isn’t new, but technological advances allow multiple IDPs, legacy systems, and cloud platforms to coexist.
Open Identity Standards are Paving the Way
Unified SSO relies on identity federation standards like SAML, OAuth, and OpenID Connect (OIDC), which allow identity systems to exchange authentication context across applications and organizations.
In hybrid enterprises, it’s common to see Microsoft Entra ID, Okta, Ping, and legacy systems like Active Directory or SiteMinder supporting different parts of the business. While federation standards help bridge some gaps, they weren’t designed for environments where users must seamlessly traverse apps protected by incompatible IDPs — without switching logins or reauthenticating. That’s where identity orchestration comes in.
Bridging Identity Gaps
Enterprises acquiring or merging with other companies rarely inherit a clean slate. Each entity brings its own identity stack, customized over the years to meet its own security, compliance, and operational requirements. Even within a single enterprise, different lines of business or geographies may rely on their IDPs, authentication flows, and access controls.
This fragmentation results in:
● Siloed authentication forces users to manage multiple credentials and logins for different applications.
● Operational overhead from maintaining duplicate integrations, policies, and identity governance across multiple systems.
● Inconsistent security controls, especially for older apps that don’t support modern protocols like OIDC.
● Poor user experience as employees, partners, and customers juggle multiple login prompts to move between apps.
These challenges also affect enterprises with subsidiaries, joint ventures, or technology partnerships. The core issue is the same: how to let users log in only once using their familiar IDP and seamlessly access resources protected by incompatible IDPs without rewriting apps or forcing disruptive (and resource-consuming) migrations.
Coexistence Versus Modernization
Unified SSO addresses this challenge by allowing enterprises to federate authentication at runtime across different IDPs — even when those IDPs use different protocols or are tied to legacy systems.
Unlike traditional SSO, which typically consolidates authentication under a single IDP, Unified SSO embraces coexistence. Users can authenticate with the IDP they already know — whether that’s their corporate Microsoft Entra ID, an Okta tenant, or even a legacy on-premises directory — and then gain access to applications across multiple domains, partners, and subsidiaries, even if those applications rely on different IDPs.
An identity orchestration layer acts as a broker, dynamically translating authentication flows (SAML, OAuth, OIDC) and enforcing consistent policies — regardless of which IDP protects the app. The ability to perform these functions at runtime eliminates the need to rewrite existing apps or replace IDPs to participate in a Unified SSO model.
Real-World Use Case
Consider a newly acquired subsidiary whose employees rely on Okta for authentication. The acquiring company uses Microsoft Entra ID, a collection of modern and legacy applications protected by different IDPs. Under normal circumstances, it could take weeks or months to onboard those new employees into the parent company’s systems, requiring:
● Provisioning new Entra ID accounts.
● Configuring duplicate access rights across both identity systems.
● Retrofitting legacy apps that can’t support federation with Okta.
With Unified SSO, employees at the acquired subsidiary can log in with Okta on day one and access applications protected by Entra ID without needing new credentials or manual account provisioning. The orchestration layer dynamically orchestrates authentication between Okta and Entra ID, enforcing consistent policies.
The result: seamless access, improved productivity, and a dramatically reduced onboarding timeline.
The same orchestration model that unifies cloud IDPs can also extend modern authentication to legacy apps, even those that lack native support for OIDC or SAML. Instead of rewriting these apps or forcing them into premature retirement, the orchestration layer can:
● Handle user authentication with a modern IDP.
● Inject necessary session tokens or headers into the app.
● Ensure multifactor authentication (MFA), adaptive access, or other policies apply uniformly — even to apps that predate modern federation.
● Provide resiliency for authentication across multiple IDPs.
This enables gradual modernization while preserving existing investments in legacy systems. Centralizing authentication also simplifies auditability and policy enforcement by giving enterprises a single control plane to monitor logins, enforce MFA, and apply conditional access — reducing the risk of inconsistent policies across systems.
In short, unifying SSO provides a practical way to bridge fragmented identity systems without disruptive migrations. It’s not a replacement for IDP rationalization, but it buys time to enable smoother M&A integrations and reduces operational friction in multi-IDP and multi-cloud environments. Eric Olden is CEO of Strata Identity. He previously founded, scaled, and successfully exited both Securant/ClearTrust (Web Access Management) and Symplified, (the first IDaaS company). Recently Eric served as SVP and GM at Oracle, where he ran the identity and security business worldwide and was responsible for product development, go to market, and partnerships. As a technologist, he was a co-author of the SAML standard, created the first pre-integrated SSO platform, and is the visionary behind the Identity Fabric.
