Okta Platform Services supports Xero’s ongoing growth and a "beautiful" Zero Trust strategy
of onboarding and offboarding processes automated
in hosting fees by retiring Microsoft ADFS and DirSync
support tickets avoided in 1 week, after building 1 Okta Workflow in less than 4 hours
See More from Xero :Oktane17 Presentation Oktane21
- Beautiful business software
- Simplified employee access
- Elegant identity management
- Taking automation even further
- Counting down to Zero Trust + 100% cloud
Global small business platform, Xero, builds cloud accounting software that’s secure, easy to use, and (as their tagline proclaims) “beautiful.” As the company prepared for intense growth, Xero’s IT team looked for an identity management solution with those same traits.
The team implemented Okta Single Sign-On to simplify access to the large number of cloud applications that Xero employees demand. Okta Adaptive Multi-Factor Authentication with Okta Verify added simple, contextualized access that aligned with the company’s Zero Trust security goals.
To automate user provisioning, Xero IT shifted profile sourcing away from Microsoft Active Directory. Now, Xero’s People Experience team enters that data into Workday, where it flows into Okta Universal Directory, which pushes it out to applications automatically, with the correct configurations.
After the introduction of Okta Platform Services and its Workflows technology, the Xero team is automating complex identity-centric processes without code to achieve quick productivity wins, reduce technical debt, and improve security.
As Xero continues its longtime partnership with Okta Customer Support, its journey to 100% cloud is in the final-countdown stages. The team is currently testing Okta FastPass, to bring devices into the Zero Trust fold while offering passwordless login.
Xero nails identity early on
As Xero prepared for intense growth early in its development, IT looked for an identity management partner that could help secure its application infrastructure and enable automation. Okta provided the answer, simplifying employee access to applications and creating secure, elegant, and automated lifecycle management processes. Today, with the introduction of Okta Platform Services, Xero is taking automation to the next level—increasing productivity, reducing technical debt, and making good on its Zero Trust security strategy.
Okta is the center of our application catalog and everything else we do. When Okta Workflows became available, it was obvious we’d go down that track.
Dan Bowden, Internal IT Solutions Architect, Xero
- 3,000+ employees using Okta Single Sign-On to access all their applications
- 200+ applications integrated into Okta
- Significant savings in hosting fees by retiring Microsoft ADFS and DirSync
- Time to deploy new apps reduced from days to less than two hours
- Fully automated provisioning of 90% of Day One applications
- 95% of manual HR-to-IT onboarding and offboarding tasks eliminated
- Tight integration with Active Directory
- User-friendly, context-driven multi-factor authentication
- Ability to quickly automate complex business processes without code, improving productivity, reducing technical debt, and improving security
- 40 IT staff members who can focus on enabling the business
Beautiful business software
Xero is a global small business platform, built in the cloud. The company’s tagline, “Beautiful business,” speaks to the pride they take in providing a product that is easy, even enjoyable, to use.
It’s a standard that the internal IT team holds to, as well. Clunky, manual IT processes are contrary to the Xero way. The team takes pride in partnering with the wider business to provide innovative, responsive tools that help Xero employees take pleasure in their work.
Of course, the team is also charged with making sure IT security remains rock-solid. Meeting both those challenges involves establishing unified identity management, which forms the basis for a Zero Trust security strategy.
Not-so-beautiful application provisioning
While Xero has always preferred cloud-based apps, early in its development the IT team used Microsoft Active Directory (AD) as a source of truth for employee profiles.
Dan Bowden, internal IT solutions architect at Xero, remembers some provisioning guesswork back in those days. “We set up new users by adding them to Active Directory,” he says. “We’d find an existing user who might have a similar job title, then use that to guess what groups we should put the new user in, and try to give them the right access to the right applications.”
The company’s innovative, cloud-focused workforce was constantly on the lookout for new applications, so the number of cloud apps grew quickly. To scale as an organization, the small IT team quickly realized they had to improve their application provisioning process.
In their search for the perfect identity management platform, the team focused on security and ease of use, certainly—but they also, quite literally, wanted something beautiful. Seamless Microsoft Active Directory integration would be a must.
Early adopters of elegant identity management
After a brief assessment of the market, the Okta choice became clear. “We were early adopters. There weren’t too many products like Okta at the time,” says Bowden.
The team implemented Okta Single Sign-On in 2013, and the rest is history—Xero employees have started their days by logging into Okta ever since. Today, the company has more than 200 applications integrated with Okta. Where before it took IT days to deploy a new app, they can do it now in less than two hours and sometimes in as little as 30 minutes.
Having a single place where people could see what was available and be able to access it all without remembering separate passwords was a significant improvement. It also saved Xero a significant amount in annual hosting fees, because they were able to retire Microsoft Active Directory Federation Services and DirSync right away.
The Xero team also implemented Adaptive Multi-Factor Authentication (aMFA), which added contextualized employee access in line with the company’s Zero Trust security goals, while keeping access beautiful and simple. Today with Okta Verify, they get a prompt on their phone, tap, and approve. When people are in a Xero office, they get fewer multi-factor prompts than if they’re off-site or logging in from a new system.
The path to automated lifecycle management
When they first implemented Okta, Xero IT set up AD as their source for employee profile information, adding and updating data manually. Okta’s tight integration with AD meant that, as they adopted more cloud applications and moved away from on-prem, AD-reliant ones, they could shift profile sourcing away from AD, as well.
As a high growth company, automation is one of IT’s key priorities. The team started using Workday as a source instead of AD, storing information within Okta Universal Directory and using Okta Lifecycle Management to automate onboarding and offboarding processes.
“Now that we provision from Workday into Okta, user creation is automatic,” says Bowden. As People Experience staff enter employee information into Workday, the data flows into Universal Directory, which pushes it out to 24 common applications, including Slack, Google Apps, Office 365, and Salesforce. Placing employees into Workday’s location and distribution groups triggers automatic provisioning to the apps they need, with the correct configurations.
“Okta updates all our user information in the apps for us,” says Bowden. “It stops us logging into 15 different systems to make changes. We just make the update once and it pushes through to all these different applications.”
Taking automation even further
Okta’s out-of-the-box automated lifecycle management features made a huge difference for Xero, eliminating 95% of onboarding and offboarding processes. The Xero team wasn’t content with that 95% score, however. To achieve their Zero Trust goals in a scalable way, they knew they needed to minimize the risks that come with manual processes.
In 2020, Okta announced its Platform Services offering, which lays bare the foundational, service-oriented technologies at the heart of the Okta Identity Cloud so that customers can use them to innovate rapidly using Okta products, APIs, and SDKs.
Sriram Sundaresan, Okta Customer Success manager, knew that Okta Workflows, one of the first platform services to become available, had been developed for customers like Xero. With Workflows, IT gains the power to automate complex identity-centric processes without code, using APIs to create bespoke business processes connecting Okta product features and third-party applications and systems.
“Automation is key for tech companies like Xero,” says Sundaresan. “Prior to Workflows, Xero was pretty good at lifecycle management, but Workflows is a game changer.”
Bowden agrees. “Our leaver process still has many manual steps in it, and that’s where we started to implement Workflows,” he says. “Workflows lets us tackle manual processes one by one.”
Quick productivity wins
Today, Bowden is going through all those lifecycle management processes, identifying quick wins, and quickly improving productivity for both the IT team and their employee customers. Anything that involves looking through a spreadsheet or logging into a system to complete onboarding or offboarding steps—things like moving Google Calendar ownership to a manager—can now be automated using Workflows.
Workflows allows Okta customers to quickly customize Okta features and processes to match individual requirements and exceptions. For example, the Xero team is using Workflows to bypass Okta’s built-in approval requirement for their Asana provisioning.
“We have an enterprise license with Asana, so there’s no added cost to us when we provision a new user, and our support team doesn’t add any value,” says Bowden. By setting up a self-service process that allows users to provision the application themselves, the team removed an obstacle to employee productivity and avoided about 450 support tickets in the first week that Asana was made available to staff via Self Service.
“The time we spent setting up the workflow paid for itself in about three days,” he says.
Reducing technical debt. Improving security.
Workflows also gives the Xero team ways to reduce technical debt and the company’s on-prem footprint while improving security. Even though Bowden has people with strong scripting capabilities on his team, they quickly saw the advantages of using Workflows to automate processes, rather than accumulating a list of custom PowerShell scripts and keeping them updated on a server.
“We considered just scripting all this stuff, but then we thought about the team that would have to manage those scripts, and the support team and everyone else who will come across them,” he says.
“You can look at a workflow and get your head around the whole process much more quickly than you can with a script,” he says. “It’s a much easier learning curve for the people who might need to touch them or get up to speed when they take over a new role.”
Workflows is also more secure. Scripting up an automated process with custom code often entails embedding a key, token, or password used to call a third-party API. Often, that token is stored in a file on the company server, without too much attention to securing it effectively. Because Workflows runs on the Okta platform rather than on an on-prem computer or server, API tokens are automatically secured and updated.
With Workflows, the Xero team can connect existing cloud services in dynamic, customizable ways, without adding software or on-prem infrastructure. As Bowden and his team continue to work toward reducing the company’s need for AD and moving everything to the cloud, Workflows will continue to play a big role.
Workflows is also helping the team make Xero business processes more beautiful. In one example of a PowerShell script gone wrong, Bowden talks about what used to happen at Xero when a user became inactive.
“There were three or four servers involved, and hardly anyone understood what the script was doing,” he says—which wasn’t great, considering that its purpose was to disable users. After Xero started sourcing profiles in Workday, the script became completely outdated, sending impersonal SMTP notifications to IT that they would have to flag or pass on to HR or a manager.
Using Workflows, Bowden removed all the servers from the process and made Okta the source of the initiating information, rather than AD—immediately improving accuracy. Today, when someone takes a leave of absence or stops logging in for whatever reason, a clear, straight-forward notification gets sent via Slack or non-SMTP email. It goes directly to the manager in question, rather than being routed through IT.
“Essentially, we’ve made the process much less reliant on on-prem infrastructure, we’ve made the messaging much nicer for the end user, and we’ve eliminated our support team’s involvement,” he says. “Every way we look at this, we’ve just improved the process 100 times.”
Winding down to 100% cloud
Decommissioning AD is a major focus for the Xero team, especially during the Covid-19 pandemic when so many employees are working remotely.
The team’s partnership with Okta made the transition to remote work significantly easier and more secure, says Bowden. Because they had already moved most on-prem solutions to the cloud, few people needed to log in through the company VPN. Even as a member of the IT architecture team, he says, “there are plenty of days that I don’t need to connect to the VPN at all.”
Xero’s journey to 100% cloud is in the final-countdown stage. “We just eliminated our Google sync server,” says Bowden. “Now, we manage our Google tenant directly from Okta.” They plan to migrate Xero’s on-prem Confluence and Jira applications to the cloud within the next few months.
The team is also looking at securing their on-prem wi-fi network with an Okta RADIUS solution, and is considering ways to bypass AD-reliant print servers. PrinterLogic, a member of the Okta Integration Network, is a definite contender.
“When we’re thinking about a new app, we go through a range of different questions. One of the very first things we ask is, is it SAML-enabled, and is it in Okta?” says Bowden. “We do a quick search in Okta and if the app’s already in there and verified by Okta, then that ticks all the first boxes for us. If it’s not in there and it doesn’t support SAML, it’s basically a no.”
Enfolding devices into Zero Trust
For Bowden, everything—centralizing IAM on Okta, implementing adaptive MFA, moving to the cloud, automating processes—plays a role in establishing a Zero Trust security vision for Xero. The next stage of that journey involves bringing devices into the identity fold, so access decisions can be made within the full context of each login—with awareness not just of user and application, but also of network, device status, and location.
When Okta Platform Services launched the Okta Devices beta recently, Sundaresan signed Xero up for its Okta FastPass feature, which makes granular, context-based access decisions possible, while offering passwordless login from any device or location to any Okta-managed app.
“We’re very excited about that one,” says Bowden. “FastPass could vastly improve the user experience, while improving security.”
Partners on similar growth paths
After working with Okta over much of his seven-year career with Xero, Bowden thinks of Sundaresan and the Customer Support team almost as an extension of Xero IT. “We have members of the Okta team on our Slack, so we can just chat to them like they’re a Xero employee,” he says. “It’s very open, useful, and helpful.”
The respect goes both ways, and Sundaresan points out parallels between the two companies that have helped strengthen the relationship over the years. “We’ve been on similar growth paths, and we both take an agile, lean approach meant to dominate and disrupt our industries,” he says. “Xero is doing it in the small business platform way and Okta is doing it in the identity way.”
The Xero team has provided valuable feedback to Okta over the years, constantly pointing the way to new features. They’ve been a strong advocate for Okta — and of course, the Xero app offers easy Okta integration for businesses looking for a beautiful small business platform.
Today, the 40-member Xero IT organization supports their entire workforce, which in turn allows the company to provide beautiful business to over two million subscribers around the globe. Okta helps the team stay focused on serving its customers, in the midst of continued growth.
“We really respect Okta as a company,” says Bowden. “If Okta’s doing it, we figure we should probably be doing it, too.”