Avery Dennison Secures and Simplifies the User Experience with Okta Access Gateway
apps integrated with Okta
Single Sign-On usernames updated in under two hours
users accessing Avery Dennison’s IT environment through Okta
See More from Avery Dennison :Oktane21
- Password problems
- An all-in-one solution
- A multi-phase implementation
- Unexpected perks
- Phasing out passwords
Avery Dennison is always looking ahead at ways to keep their users happy—and their identities secure. After a large acquisition introduced new systems, apps, and user accounts, Avery Dennison wanted to go cloud-first while also consolidating its IT stack, streamlining cloud-based user sign-on and authentication processes, and increasing security.
The company explored a number of identity solutions, but ultimately selected Okta because of pre-built integrations that made for a quick, secure rollout without disrupting users. Avery Dennison began streamlining its IT infrastructure by providing secure, Single Sign-On access to G Suite and Kontiki before integrating Universal Directory, and gradually extending Single Sign-On, Multi-Factor Authentication to other cloud-based applications.
A few years later, when the company wanted to integrate a new Oracle instance, it was able to use Okta Access Gateway to provide users with the same simple and secure experience they’d come to expect from Avery Dennison. Now, Avery Dennison’s users are thrilled to be able to access a wide variety of cloud-based and on-prem apps, simply and securely.
Okta Access Gateway also made it possible to avoid the onerous task of normalizing 4700+ user IDs across their environment. Instead, they were able to update the Single Sign-On IDs in just two hours. The company was impressed by the quick implementation and delighted to discover that it could also use Access Gateway to integrate other legacy apps that otherwise would have not been considered for SSO integration.
Now, Avery Dennison is considering a major next step: eliminating passwords altogether with Okta Devices. This product will further secure the company’s environment, by making it easier to keep track of the devices that are accessing its environment--while raising the concept of “seamless user experience” to a whole new level.
The flexibility and the functionality that Access Gateway brought to our overall SSO solution allows us to take another look at applications that we didn’t think we’d be able to adopt.
Niro Cantillo, Senior Manager of Enterprise Security, Avery Dennison
Whether they realize it or not, marketers, custom car enthusiasts, and sticker collectors all owe a debt to Stan Avery and Dorothy Durfee Avery. In the 1930s, when Stan and Dorothy were still engaged, Dorothy lent Stan a hundred dollars. Thanks to that investment, Stan was able to invent and create the world’s first self-adhesive label, and the couple co-founded a company to sell this new product.
Now, after 80 years and multiple acquisitions, that small enterprise has grown into Avery Dennison. a global materials science company specializing in label and graphics materials, retail branding and information solutions, and industrial and healthcare materials. “We make a variety of functional products that are being used on a daily basis, from chrome-colored car wrapping products and bus billboards to apparel labels,” says Niro Cantillo, Avery Dennison’s senior manager of enterprise security.
Putting users first
Like its founders, Avery Dennison likes to address challenges head-on, and its approach to technology reflects that. As the company grew, Avery Dennison’s IT landscape became increasingly complex.
Mergers and acquisitions introduced an influx of new apps and solutions, bringing with them a range of inconsistent and hard-to-remember usernames and passwords. Avery Dennison quickly began exploring ways to streamline the authentication process for employees and customers.
“As long as we have users who need to authenticate into an application of any kind, we need to continue to provide better user experiences,” says Cantillo. “That includes strengthening our security by verifying their identities. Our digital strategy continues to grow, and it’s very closely tied to identity and access management solutions.”
Avery Dennison began researching vendors, including Okta, Ping Identity, Proofpoint, and Duo. Okta Single Sign-On (SSO), however, came with a wide array of pre-built integrations, which helped Avery Dennison simplify the sign-on process for its largest apps—G Suite and Kontiki i.
Next, the company expanded Okta to more cloud apps, and adopted Okta Multi-Factor Authentication (MFA), protecting their environment with an additional, low-friction layer of security. By the end of 2015, 18,500 users were enjoying streamlined, secure access to 27 integrated apps.
But Avery Dennison continued looking for new opportunities to leverage Okta products for a better user experience. “The company introduced new applications with additional attributes that weren’t supported through the basic Single Sign-On,” says Cantillo. “So we looked at Universal Directory, and that helped us bring the additional set of attributes from Active Directory into our Okta environment.”
Later, the company increased its security posture by adopting the more granular Adaptive Multi-Factor Authentication. It also used API Access Management to provide token validation and exchange for their business-to-business endpoints like label scanners and printers.
Jumping in with both feet
By the end of 2019, Avery Dennison had successfully positioned itself as a cloud-first company by integrating a total of 117 applications with Okta, increasing employee efficiency, improving its security posture, and increasing its scalability. But there were still a number of applications that hadn’t been integrated because they weren’t designed to support SSO, like Oracle EBS.
Avery Dennison had already set up one EBS instance with SSO by integrating Okta with Oracle Access Management (OAM). “It worked great,” says Cantillo. “It was robust and flexible enough to do what we needed at the time. But later, we had other elements to consider. One was speed-to-impact—how quickly could we release, implement, and leverage Single Sign-On? We could have taken several months to do everything we wanted, but we needed to be expedient.”
To achieve this goal, Avery Dennison needed to figure out how to standardize the usernames for ~4,700 users as quickly as possible. “However, this new instance wasn’t going to be that simple, because it was a legacy instance of Oracle, one that grew over many years, and the IDs were significantly more varied,” says Cantillo. “Some users had employee IDs, some had first names and last names, or first initial and last names. Some even had email addresses.”
Avery Dennison needed to consider how the change would impact users as well.. Cantillo wanted to ensure the IT team would be able to resolve helpdesk tickets quickly and effectively, and avoid adding another identity solution to its IT stack.
A simple and effective solution
Okta and Oracle Access Management offered a lot of the same features—like single sign-on and multi-factor authentication, but the company already required all new cloud-based applications to integrate with Okta in order to ensure a seamless, secure user experience, and it didn’t want to add a new component to its IT stack.
“With Oracle Access Management, the architecture required a few more components,” says Cantillo. “There’s E-Business Suite (EBS) and EBS AccessGate. There’s WebGate and Oracle Access Manager. There’s the Oracle Internet Directory. But simplicity was crucial, and Okta Access Gateway just has the two virtual appliances that we use in a high-availability kind of implementation.”
Cantillo and his team also realized that Okta Access Gateway would allow the company to integrate more apps using SAML or OpenID Connect, reducing the number of steps involved in implementation, and further simplifying the user experience.
“Okta’s list of services and functionality is like a Swiss army knife,” says Cantillo. “So we did some soul searching around whether we could avoid duplication by simply extending Okta’s functionality.”
During the proof-of-concept, Cantillo’s team discovered that Okta would provide a simple way to normalize Single Sign-On IDs, which created enough flexibility for Avery Dennison to offer its users a choice of username, without compromising the data flow.
If Avery Dennison had gone with Oracle Access Management, it would have taken Cantillo and his team an estimated six months or so to change most user IDs to the employee ID format they preferred. With Access Gateway, the company proved it could continue to use the existing Oracle user ID’s without impacting functionality or the project’s timeline at all.
“We felt Access Gateway would be simplest to implement,” says Cantillo. “So we moved forward with it. Architecturally, Okta Access Gateway has just the two virtual appliances that we use in a high-availability kind of implementation. Simplicity was crucial and that's exactly what we got.”
To assist with the implementation, Avery Dennison also purchased a Premier Plus Success package from Okta, which included a designated Customer Success Manager (CSM), who would guide the company through the process.
Implementation made easy
Once Avery Dennison decided to move ahead with the project, the CSM provided Cantillo with a course of action and a set of clear, easy-to-follow implementation instructions. The company’s service and support teams worked together to build two virtual machines, load the new components, and start the configuration.
Within a week, Cantillo and his team had everything they needed to start the project. As the proof-of-concept demonstrated, they didn’t have to standardize the existing Oracle user ID’s —instead, they were able to continue to work with the existing Oracle IDs by making updates directly in Okta. In less than two hours, Cantillo’s team had updated more than 4,700 usernames, and just five hours after that, Access Gateway was up and running.
“With Access Gateway, implementing and configuring a new application—including setting up the SSO and troubleshooting any end-user challenges—is a lot simpler,” says Cantillo. “If there’s an issue, there's either a typo in Active Directory that we need to correct, or there’s a typo in Okta. And since Active Directory feeds to Okta, we just need to fix the Active Directory, let it replicate, and move on.”
Avery Dennison also added 27 new applications to its IT stack during the implementation process. “We have also taken advantage of the ability to integrate with other identity providers,” says Cantillo. “So the authentication is not solely resting in the Okta solution. We can actually pass the authentication to other providers like Mobile Iron, Workspace ONE, or Microsoft.”
When Cantillo reflects on the success of the implementation, it all comes back to user experience. “It’s important to make the experience easier, more flexible, and more secure for our users,” he says. “Without a doubt, implementing Okta has made all of this possible for us. The flexibility and the functionality that Access Gateway brought to our overall SSO solution allows us to take another look at applications that we didn’t think we’d be able to adopt.”
In addition to a more seamless, secure user experience and increased flexibility, Cantillo says there have been unexpected benefits as well. “I’m grateful for the team that’s supported us all along,” says Cantillo. “Every time we have a conversation with the Okta team, they always make things sound so simple. But the proof is in the pudding. One of the greatest surprises is that it truly was that easy. A couple of hours and we were up and running.”
Enter Okta Device Trust
True to form, Avery Dennison continues to explore new ways to further strengthen its security while maintaining a seamless authentication process for users.
“At this point in time, we’re conducting a proof-of-concept for Okta Device Trust,” says Cantillo, referring to a new Okta service that provides a passwordless experience for users and allows organizations to keep track of the devices that are accessing their environment. “We’re having conversations about implementing the kind of intelligent, adaptive access we want Avery Dennison to be able to provide, which companies refer to as a Zero Trust solution.”
Cantillo says it’s ideal if user authentication is completely frictionless because then users are more likely to adopt the new solutions—and Okta Device Trust is another step towards that goal.
“Access Gateway has brought new functionalities we can use for some of our internal legacy systems that we thought we were not going to be able to integrate with Okta ,” says Cantillo. “It’s also given us the ability to look into Okta’s Device Trust capabilities. All of this is available in one solution.”
About Avery Dennison
Avery Dennison (NYSE: AVY) is a global materials science company specializing in the design and manufacture of a wide variety of labeling and functional materials.
The company’s products, which are used in nearly every major industry, include pressure-sensitive materials for labels and graphic applications; tapes and other bonding solutions for industrial, medical, and retail applications; tags, labels and embellishments for apparel; and radio frequency identification (RFID) solutions serving retail apparel and other markets. Headquartered in Glendale, California, the company employs more than 32,000 employees in more than 50 countries.