Larimer County Enhances Digital Services with Okta and Auth0
employees across 28 county departments
citizens securely and effortlessly accessing services through social logins
applications integrated with Okta in less than 3 weeks
- A disparate IT environment
- Enabling employees at home and in the office
- Secure and efficient access for citizens
- A seamless transition amid the pandemic
- A customized digital experience
Like many government organizations, Larimer County, Colorado’s IT infrastructure was built up over time. This resulted in a disparate infrastructure that relied too heavily on Active Directory Federation Services (AD FS) and didn’t provide sufficient support for the county’s cloud-based apps. These challenges created a hefty IT workload and required frequent reboot services, making it difficult to serve residents efficiently and securely.
Larimer County adopted a number of Okta’s Workforce Identity Products, which enabled employees to access all of their cloud-based apps through a single digital front door. By consolidating its infrastructure with Okta, the county was able to add an extra layer of security and automate provisioning, ensuring that employees can always securely access the tools they need to do their jobs.
Larimer County wanted to be able to extend industry-leading identity capabilities to its citizens. By taking advantage of Auth0’s flexible customer identity solution, the county was able to accomplish this, while also securing on-premise components and custom applications. Auth0 provided citizens with seamless access to county services via their social media logins while also centralizing authentication.
When the COVID-19 pandemic hit, Larimer County was already prepared to meet the challenges with a secure and stable IT infrastructure. Thanks to its earlier IT consolidation and security efforts, employees were able to seamlessly and securely shift to working from home without losing access to important tools. At the same time, citizens retained easy access to critical county services—including urgent pandemic updates.
In the future, the county will be able to use Okta and Auth0 to provide citizens with a more convenient, customized digital experience. Additionally, Larimer County plans to improve its security posture by gaining more control off-network server access and leveraging new Multi-Factor Authentication features.
Digital modernization that puts people first
When Larimer County, Colorado decided to consolidate its hybrid IT infrastructure, it could never have predicted how valuable this modernization project would become. Watch the video to learn how Okta and Auth0 helped Larimer County increase security and flexibility for employees and citizens, equipping them for success right before the COVID-19 pandemic took hold.
We continue to partner with Okta because it’s bulletproof. It works. And that's ultimately what we're looking for—a vendor that not only does what it’s supposed to do, but actually over-delivers on its promises. Okta did that every step of the way.
Mark Pfaffinger, CIO, Larimer County
Situated in northern Colorado, Larimer County is home to Rocky Mountain National Park, Colorado State University, and 360,000 residents. “It's a great place to live and work and we're really experiencing a lot of growth,” says Mark Pfaffinger, Larimer County’s chief information officer. “Larimer County employs approximately 2,000 people, and we need technology that will grow with our workforce and our county, so we can better serve our citizens.”
When they need to look up property taxes or apply for a motor vehicle license, most residents turn to the county website first. “They’re used to getting information no matter what time of day it is,” says Gregg Turnbull, Larimer County’s director of innovations and insights. “They hit our website from their mobile phone, from their desktop, or by yelling at Alexa. It’s our job to make the experience seamless.”
That’s why identity and access management (IAM) play a central role in the county’s approach to technology. “Identity makes it easier for our internal staff and citizens to connect to the applications they need,” says Pfaffinger.
Tim Wing, Larimer County’s senior systems administrator, agrees. “Our security strategy increases flexibility while allowing us to secure user access to applications, systems, and servers.”
Flexible identity for hybrid IT
Back in 2014, Larimer County had a traditional on-premises IT environment that relied heavily on Active Directory Federated Services (AD FS). “I lost a couple of years of my life trying to get the early SAML integrations working, while making sure the AD FS servers remained stable and functional,” says Pfaffinger. “It didn’t make sense to spend so much time babysitting security services that should be our bread and butter.”
The IT team began looking for an identity solution that would lighten its workload by securing apps and servers across a hybrid environment, enable automated employee provisioning, and streamline employee access to all Larimer County tools and services through a single digital front door using one username and password.
The county explored multiple providers. After the challenges with AD FS, the county needed a solution that would easily integrate with all of its tools, including Google Workspace. Okta’s flexibility, plus its ability to streamline authentication and provisioning across Larimer County’s hybrid environment, tipped the scale.
“Okta was the standout winner for us. We had a lot of pain points and IT was trying to solve them all in-house,” says Pfaffinger. “We needed a partner that could do it better, faster, and cheaper—and Okta checked every one of those boxes. Plus it already had a large portfolio of existing connectors.”
A wrinkle-free rollout
Larimer County partnered with Okta in January 2015. With the help of Okta Customer First, it was able to quickly develop an implementation strategy that would allow it to completely centralize its cloud-based infrastructure by the end of April.
After migrating its internal users over to Okta Universal Directory, the county integrated Okta Single Sign-On (SSO) with all of its major cloud-based apps, including ServiceNow and Google Workspace. It took less than a month for Larimer County to integrate 35 apps.
“We were able to move at a much faster pace because so many vendors work with Okta,” says Pfaffinger. “The Okta integrations were really seamless. We were able to stand up some apps within a day.”
This step also came with significant benefits for Larimer County’s employees. “Now they can seamlessly authenticate by moving from Active Directory to Okta and then to their desired app,” says Wing. “They just click on their application and start working.”
SSO also impacted the number of helpdesk calls Larimer County received from employees. “When people were using our old tools, I got calls about five times a day from people who couldn’t get into their accounts,” says Turnbull. “Now that’s down to about one a month.”
Once Larimer County’s cloud-based infrastructure was centralized, the county rolled out Okta Multi-Factor Authentication (MFA), adding another flexible layer of protection across the county’s cloud-based infrastructure. “Security is one of the most important things we had to focus on,” says Turnbull. “Newspapers will quickly report a loss of trust, whether our residents are impacted by a breach or a website loses permissions to a bad actor.”
Centralization also allows Larimer County to automate provisioning for its entire workforce with Okta Lifecycle Management. This step ensures that new hires and employees moving into new positions never have to wait for access to job-critical apps. The IT team also automated the deprovisioning process, further enhancing security by instantly revoking access when employees leave the workforce.
“Okta’s federated identity model lets us know who can access certain apps and systems,” says Pfaffinger. “It also automatically makes the appropriate applications visible to folks with authorized access. It has simplified our access administration.”
Overall, the entire Okta implementation went incredibly smoothly. “When we were working with Okta's implementation team, it was very easy, straightforward,” says Wing. “They knew what we would need as a new customer, and they guided us through the process in a way that let us learn as we went.”
Enhanced citizen access
Pleased with the results of the Okta implementation, Larimer County wanted to improve the digital experience for its citizens as well. The county planned to move its web portal to the cloud, but first, it needed a way to bridge between the cloud-based website and related on-premises tools (including a business intelligence suite and a finance system).
“We were really benefiting from Okta, but there were some key components missing on the developer side,” says Turnbull. “To keep our on-premises components and custom applications secure, we had to push tokens around quite a bit between systems. That’s where Auth0 stepped in. With Auth0’s developer-friendly CIAM tools, it was extremely easy to get up and running. There was an existing Auth0 module that we were able to download, put in place with very few changes, and turn on.”
Once Larimer County deployed Auth0, citizens could start using the website to apply to boards and commissions, request burn permits, and complete a wide range of other forms and applications. “Auth0 was a really great tool for us to just unleash our developers,” says Turnbull. “We brought our website online really quickly.”
Even the login process was simplified, because citizens could start authenticating using their social media credentials. “Expanding into social networks meant that people didn't have to remember username and passwords,” says Turnbull.
The Okta + Auth0 integration made it easier to spot potential breaches and troubleshoot issues quickly. “When helpdesk calls come in, I can look at the logs and see how the citizen is engaging with the tool, if they’re being validated properly, or if the problem is the tool itself,” says Turnbull. “Those are all things that I have readily available to me now.”
Moment of truth
When the pandemic arrived in early 2020, Larimer County adapted quickly due to its centralized IT infrastructure and existing Zero Trust strategy. “We use the social connector that automatically migrates users into Auth0 without friction,” Turnbull says. That connector ensured that employees could securely access on-prem apps from outside the network, by pushing tokens between Auth0 to Okta.
“With Auth0 and Okta in place, our staff easily transitioned to working at home because they were able to keep their fingertips on the tools they use on a daily basis,” says Turnbull. “We could authenticate our users from anywhere and provide services online. So, whether our employees were sitting in the building or at home, they could get online and do their work.”
The county was also well-positioned to serve customers digitally, at a time when in-person meetings weren’t an option, and when easy access to municipal information was critical. Website access had already been streamlined by social logins, and citizen data was well protected by strong security across the county’s entire IT environment.
“With Multi-Factor Authentication, we can easily verify identities,” says Turnbull. “When our health department sent out stay-at-home orders and mask updates, identity got out of the way. The need to authenticate more than once got out of the way. Auth0 and Okta really enabled our staff to serve our citizens well.”
Bringing two powerful products together
With Okta and Auth0 as a unified company, the Larimer County team sees the immense value of the partnership to drive innovation and address a broader set of digital identity solutions. “Okta and Auth0 coming together PB&J-style is an amazing thing for my developers, our IT staff as a whole, our county, and our residents,” says Turnbull. “We're heavily using these two tools, and with both of them operating under one mission, I'm confident about the future of our identity solution.”
The county is already reaping the benefits. In addition to improving Larimer County’s monitoring capabilities, the increased visibility created by Okta and Auth0 now allows the county to provide employees with customized website experiences--which means they can be more efficient in their day-to-day work.
“We've been able to set up segments of our internal website so that if a sheriff employee logs in, they’re automatically directed to a sheriff intranet,” says Turnbull. “There are little things that we've been able to leverage that would have required a lot more manual, tedious work without Okta and Auth0.”
It’s easier for employees to serve the county’s citizens, too. “The Okta Identity Cloud, with Okta and Auth0, is our central focus now that we have people working remotely, people in the office, and a blend of both,” says Turnbull. “We have people in the field providing COVID tests, and COVID shots. And that means we have people throughout the county who are dependent upon how Okta and Auth0 work together.”
The convenience provided by the Okta Identity Cloud not only supports Larimer County’s security goals by providing users with a simple way to authenticate, encouraging users to follow good security practices. But, Larimer County’s developers are also enjoying the increased flexibility. “We have a really deep toolkit so that when we embed transactional or token-based sharing between systems,” says Pfaffinger. “We can really track users and groups of applications that people need access to, instead of building a full identity management suite.”
A flexible future
Larimer County has consolidated its internal and external identity infrastructure, boosted its security posture, and made it possible for employees and citizens to use the county’s tools from anywhere, on any device. But the county’s identity journey won’t end here.
Soon, Turnbull plans to focus on a more granular approach to user identity. The county’s portal identifies and serves users depending on their needs, whether they’re a property owner, patient, or sheriff. And since somebody could fit all of these roles at once, the next step is to centralize each role and associated permissions into a single identity.
“To do that well, we need a really strong centralized authentication and identity solution,” says Turnbull. “Auth0 and Okta are going to empower us to jump in, build applications, turn a key, and set up those identities.”
Wing’s focus will be on boosting server access security with Advanced Server Access (ASA), which will allow it to control outside access more easily, without having to do a lot of manual legwork. “We won’t have to onboard users or VPN access,” says Wing. “ASA will allow us to secure the environment from the outside in instead of controlling access from inside and worrying about passwords getting compromised. It will give us better peace of mind.”
Each future project with Okta Identity Cloud works to constantly improve the county’s security posture, service abilities, and flexibility. All while ensuring Larimer County’s hybrid infrastructure remains secure and efficient.
“Now, we’ve got an identity provider that can expand out to meet the needs of Larimer County’s internal IT department and all the residents who will be accessing our digital services in the future,” says Pfaffinger.
About Larimer County
Located in north-central Colorado, Larimer County is the seventh largest county in Colorado based on population. The Larimer County government serves all residents and businesses through stewardship of numerous community resources, infrastructure improvement and maintenance, planning services, transparent public records, human and economic health initiatives, and broad community-wide public safety services.
