Case Study

SSO for multiple identity providers

tl;dr

I designed multi-identity provider single sign on for O'Reilly Media's learning platform, a critical technical feature which allowed us to retain a major enterprise customer.

Scaling authentication to support organizations with multiple identity providers

Single Sign-On (SSO) enables users to authenticate across multiple systems using a single identity. While embedded within an engineering team, we identified a limitation in our authentication architecture: enterprise organizations increasingly needed to authenticate through multiple identity providers rather than a single provider.

Addressing this technical requirement also presented an opportunity to improve the authentication experience by simplifying the flow, reducing unnecessary complexity, and strengthening system feedback throughout the journey.

Large enterprise organizations often rely on multiple identity providers across different teams and departments. Supporting this authentication model required redesigning the sign-in experience to accommodate organizational complexity without increasing user confusion.
Some organizations standardize on a single identity provider across multiple departments. The redesigned authentication flow accommodates both shared and distributed authentication models while presenting a consistent user experience.

I streamlined the authentication experience

  • I redefined the authentication flow to better support organizations using multiple identity providers while minimizing disruption to the sign-in experience.
  • I designed contextual feedback patterns that communicated authentication states more clearly, helping users understand what was happening and what action—if any—was required.
  • I simplified the initial authentication screen by removing redundant entry points and unnecessary links, allowing users to focus on the primary sign-in path.
Before redesigning the authentication flow, I audited the existing experience to identify sources of friction. The interface contained competing calls to action, redundant navigation paths, inconsistent emphasis, and system guidance that was easy to overlook, making an already complex authentication process more difficult to navigate.

This work targeted enterprise users who access O’Reilly through their organization’s Single Sign-On (SSO) infrastructure, particularly those belonging to organizations that authenticate through multiple identity providers.

Understanding authentication to simplify a technically complex experience

Designing for enterprise authentication required balancing established security patterns with usability. To do that effectively, I developed a deep understanding of Single Sign-On (SSO), authentication workflows, identity providers, and the technical constraints that shaped the experience.

Working closely with engineering, I mapped the existing authentication flow, identified its limitations, and translated technical requirements into interaction patterns that remained secure while reducing unnecessary complexity for end users.

The redesigned authentication experience applies established authentication patterns and usability principles to:

  • Reduce confusion through clearer system feedback. Error messages were rewritten in plain language, avoiding technical jargon while explaining what happened and providing clear next steps wherever possible.
  • Reduce opportunities for user error through progressive disclosure. Rather than requesting all information upfront, the authentication flow was broken into smaller, sequential steps that guide users through the process while minimizing avoidable mistakes.

Reducing unnecessary decisions throughout the authentication journey

For most enterprise users, signing in with Single Sign-On (SSO) is a single-click experience. However, authentication requirements vary by organization. While some allow users to authenticate with a password, others require SSO exclusively as part of their security policies.

I redesigned the authentication flow around progressive disclosure. Rather than asking users to choose an authentication method upfront, the experience first identifies their organization, allowing subsequent authentication steps to adapt automatically to their organization’s security configuration.

I designed the authentication experience to adapt accordingly. When SSO is required, the interface emphasizes the primary sign-in path while conditionally hiding password authentication, eliminating unnecessary choices and reducing opportunities for error.

When Single Sign-On is the organization’s primary authentication method, the interface emphasizes it as the default sign-in path while preserving password authentication as a secondary option. This reduces unnecessary decision-making and guides users toward the authentication method they are are expected to use.

Organizations using multiple identity providers introduce an additional decision into the authentication process. To support these users, I designed a provider selection step that presents available identity providers using the organizational teams they are most commonly associated with rather than their underlying technical names.

Leveraging familiar terminology increases the likelihood that users select the correct provider on their first attempt while reducing confusion for those unfamiliar with their organization’s identity infrastructure.

The authentication flow adapts to each organization’s security configuration. Users with multiple identity providers are guided to the correct authentication path using familiar organizational labels, reducing confusion while preserving a streamlined sign-in experience.

The redesigned authentication experience was released in November 2021 and remains in production today. The live experience can be explored on O’Reilly’s learning platform, and an interactive prototype is also available.

Next Case

Organizing design work logically

Cover Image