Sephora’s Okta Journey: From SSO to HR as Source

In late 2019, Sephora began searching for an access management solution after deciding to implement the SAP SuccessFactors human resources management system (HRMS) in the 36 countries where our brand operates. We wanted to centralise and standardise HR data for our 36,000 team members, including data shared between head office staff and those who work in our 2,700 stores and outlets worldwide. Sephora was working with three siloed IT systems, and we needed to unify user identification and authentication at login.

Okta’s implementation and management partner, Lyvoc, helped us address this issue, and we implemented Okta within six months while interfacing it with SuccessFactors. Our initial goal was simply to authenticate users with Single Sign-On and Multi-Factor Authentication (MFA) so they could access SuccessFactors. However, once we realised Okta’s full potential, we decided to take things even further, with advanced access and identity management.

Now, whenever a team member’s profile is created in the HRMS, their IT account is automatically generated in the IS with Universal Directory and Lifecycle Management. Access rights to critical applications are also automatically assigned.

Before Okta, it could take up to two weeks to manually process a manager’s request granting a new team member access to the applications they needed, even if they already had a workstation and account. The number of manually managed requests has been reduced since implementing Okta, and new employees no longer need to wait for access to essential tools.

Lifecycle Management is activated for eight of our most critical applications and, with SSO and Multi-Factor Authentication, team members enjoy simple, secure access to more than 100 other applications. Any new application adopted by Sephora is immediately integrated with Okta. If turnkey integration isn’t available in the Okta Integration Network, it takes no more than a day to create it, whereas the previous technical process used to take weeks or even months.

Another bonus of integrating our HRMS with Okta is stronger security. When a team member reaches the end of their contract, the account – including their access rights to Sephora’s internal SaaS applications and platforms – is automatically deactivated. As our team members often transfer within the company, their access rights have to be changed frequently – something which is automatically handled by Okta Workflows.

Next on the agenda for Sephora will be to decommission ADFS, our previous SSO solution, which we used for Zoom and a few other applications, and to integrate them with Okta. We’re also planning to use Okta Workflows to automate management of external accounts, including technical accounts.

In our experience, when considering an HRMS project as a source, you need to engage all the relevant teams very early on, specifically HR and HRMS, but also technical security and identity. This is key to having an accurate view of all existing HR processes across the company. This helps define and standardise all the flows, together with the permission and access criteria for specific applications, something that requires the input of all business lines. The choice of a partner like Lyvoc, who understands both the Okta ecosystem and HRMS challenges, also made a big contribution to the success of our project.
