Advent elects to build social community capabilities into Advent Direct™ Community, its first cloud-based client and partner portal.
Advent confronts the business challenge of enabling single sign-on and user management across cloud solutions, legacy on-prem software, and third-party components, as they build out a new cloud product and community.
Buy v. Build
To stay focused on core product value, they search for an extensible identity platform to integrate into the portal.
Advent selects Okta for its scalability, reliability, and security.
They use Okta APIs to build SSO, provisioning, password administration, and policy management into the Advent Direct™ product—with a fully Advent-branded experience.
In just four months, they open the Advent Direct™ Community to 4,500 clients and thousands of their users.
Following the successful first year, Advent adds MFA capability to strengthen security.
“Our customers expect security right out of the gate, and Okta was able to provide that.”
Ken Schaff, Director of Global Solutions Development, Advent
Opening a Portal
For many years, Advent maintained an on-prem web product where clients could access valuable insights and data. But the company needed to deepen social engagement. They understood that their clients were far more successful when they were able to work together, share ideas and suggestions with each other, and earn recognition for their contributions. In 2012, Advent launched a cloud-based collaboration application called Advent Direct™. It shifted the informative functionality of the legacy product to the cloud and added a new element: a cloud-based social community.
Building and maintaining the new product fell under the purview of Ken Schaff, Director of Global Solutions Development, and his team. They faced several significant challenges.
Some of those challenges were a result of the composite nature of the system. For instance, Advent Direct™ stitched together several different applications, each of which required unique user accounts and credentials. Schaff and his team needed to be able to provision these user accounts securely and efficiently.
Further complicating the situation was the fact that each user would be tied to a specific client, and each client could have different levels of entitlement. This translated to differential access policies in composite applications.
If we were talking about just a few users, all of this might seem manageable. But Advent had 4,500 clients—all with user bases dozens or hundreds deep.
Beyond the initial provisioning, user experience posed another set of interesting challenges. Solid UX has always been a core value for Advent, so the portal needed to work well for the people who would use it.
Take the login flow, for example. Users should be able to log in once and gain access to everything they need with a single username, password, and session. But that’s easier said than done. Once the user authenticates, the system needs to maintain sessions across applications to keep the experience smooth while the user navigates through the community’s various modules.
To make that happen, “Advent needed to be able to manage user accounts and access levels across multiple underlying systems: SaaS/cloud-based systems, on-premise vendor-provided applications, and homegrown .NET Web applications,” Schaff says.
The requirements didn’t end there. Advent needed to support the entire password-management workflow, from initial registration through forgotten-password administration and reset, to deprovisioning. And they needed it all in an Advent-branded package.
Moreover, given that Advent’s clients are in the financial services industry, security was paramount. Many clients needed to be able to enforce their own policies, such as multi-factor authentication, firm-specific password policies, and federation requirements.
Identity Platform: Build or Buy?
Advent deliberated between two options to address these challenges. As a software company, Advent could build the identity layer themselves. Or they could partner with a leading identity provider and build on top of an extensible platform. “Our core competency is in portfolio accounting. We wanted to make sure our engineers were focusing more on that and, where possible, leverage existing technology,” said Justin Warner, VP of Engineering at Advent. So they began looking for a platform partner.
As Schaff and his team evaluated Okta, they focused on a few key needs. First and foremost, they wanted a cloud-based solution. Given that Advent Direct™ itself included cloud-based products, they wanted to be able to take advantage of the scalability and reliability of an on-demand service. Okta’s platform is 100% cloud-native. It provides a cloud-based directory alongside many of the identity features that Advent was looking for to support authentication, single sign-on, and provisioning. The platform also needed to be extremely flexible. Advent was looking to build its entire onboarding flow, single sign-on experience, and password lifecycle management capability on their partner’s REST APIs.
Okta met all of Advent’s technical requirements and more.
“The Okta platform provides Advent with a complete identity management platform that enables us to quickly provide secure access for our clients to our cloud applications.” — Ken Schaff, Director of Global Solutions Development, Advent Software
Advent Direct™ Runs on Okta
Advent embedded the Okta platform into their infrastructure, so the user experience is entirely consistent with Advent’s own interfaces. Users are seamlessly connected to both cloud and on-prem web applications, vendor-supplied systems and homegrown applications, within the Advent Direct™ Community and beyond. “With the Okta APIs,” Schaff continues, “we have control over all of the Okta capabilities that we needed to automate the entire identity lifecycle.”
Extensible Identity Management
Using the Okta Platform’s advanced APIs, Advent built an integrated and automated identity management service. “With Okta, our users are able to seamlessly sign in once and access any part of the Advent Direct™ Community,” Schaff continues, “regardless of whether they are accessing the site through a bookmark, a link in an email, from our products, or from the login page directly.” On the administrative side, Advent can rapidly onboard new firms and users, manage firm and user entitlements, provide single-sign-on services, and manage passwords and policies. They’ve taken the additional step of building an administration console for managing users and firms inside the Advent product. As Schaff notes, “To gain operational efficiencies, we needed to give our client administrators full self-service control over maintaining their own users.”
Doubling Down on Security
The flexibility of the Okta platform allows Advent to tackle its sophisticated security requirements. The Okta password-management API lets Advent control each user’s password lifecycle within one interface. Moreover, Okta offers an architecture that allows Advent to provide firm-specific and individual password policies with various degrees of password strength and password history settings.
Okta’s password lifecycle service prompts users with a secondary challenge question during password reset and forgotten-password flow for added security. The login infrastructure provides Advent with the ability to validate credentials. Okta also handles deep links from the underlying applications to ensure end users land in the right place on login.
Control over User Experience and Branding
When Advent launched the updated Advent Direct™ Community, they were also in the process of updating their client-facing branding. Okta’s APIs allow Schaff and his team at Advent to create their own user interface outside of the Okta platform, and to show off a consistent brand to clients. “We were able to successfully obfuscate the entire Okta UI from our clients and make it an Advent experience.”
Results, ROI, and What's Coming Next
With assistance from Okta Professional Services and close collaboration with the Okta Product team, Advent launched the first iteration of the identity management system powering the Advent Direct™ Community in roughly four months. That’s less time than it takes a lot of companies to set their annual budget.
During this initial deployment, Okta released several new Platform features that were necessary capabilities for Advent’s implementation. “Okta was able to deliver on their roadmap, which allows us to plan our development cycles on top of their API and meet our delivery schedule,” Schaff says. Advent’s development lifecycle makes heavy use of Okta’s Preview environments, which give the Advent development team early access to new platform features. Advent is continuing to build on top of the Okta platform, providing new features to their clients and also expanding the reach into additional applications.
As the Advent Direct™ Community continues to evolve, it’s crucial that the Okta platform keeps up with any new identity requirements. “It was important for us to find a partner that could grow with us,” Schaff says. “For example, we are in the process of implementing multi-factor authentication capabilities for our clients, and the Okta development team has been a great partner in providing us with new platform capabilities and APIs that will allow us to be successful.”
Advent Software, Inc., a global firm, has provided trusted solutions to the world’s financial professionals since 1983. Advent’s proven solutions can increase operational efficiency, reduce risk, and eliminate the boundaries between systems, information, and people so you can focus on what you do best. With more than 4,500 client firms in over 60 countries, Advent has established itself as a leading provider of mission-critical solutions to meet the demands of investment management operations around the world. Advent is the only financial services software company to be awarded the Service Capability and Performance certification for being a world-class support and services organization.