Implemented SAML SSO for plant production scheduling portal, reduced support tickets by 60%

I wanted to share our successful SAML SSO implementation for our multi-plant production scheduling portal. We have five manufacturing facilities using Honeywell MES 2023.1, and before this project, each plant had separate authentication systems for the production scheduling module. This created massive password fatigue - schedulers were managing 5+ different credentials, leading to constant password resets and locked accounts.

We implemented SAML SSO integrated with our corporate identity provider (Okta), enabling single sign-on across all plant scheduling systems. The implementation took about 6 weeks including testing, and we’ve now been running in production for 4 months. The results have been remarkable: support tickets related to password resets and account lockouts dropped by 60%, scheduler productivity increased (no more hunting for passwords), and we now have centralized audit logging across all facilities.

Happy to share details about the SAML SSO integration process, how we handled the password fatigue problem, and how we set up multi-plant authentication if anyone is considering a similar project.

I led the change management side of this project. Scheduler acceptance was actually very high once we demonstrated that they’d only need to remember one password instead of five. We did a phased rollout - started with one plant for two weeks, gathered feedback, made adjustments, then rolled out to remaining plants over four weeks. Training was minimal - about 30 minutes per scheduler showing them the new Okta login page and what to expect. The key was having plant champions who could help their peers during the transition. We did have a few hiccups during cutover (some users had browser cache issues), but we scheduled cutovers during low-activity periods and had IT support on-site at each plant.

How did the schedulers react to the change? We’re worried about resistance from our scheduling team who are used to the current system. Also, what was the training effort like? Did you have any issues during the cutover where people couldn’t access the system and production scheduling was impacted?

Let me provide a comprehensive breakdown of our SAML SSO implementation covering the integration process, password fatigue solution, and multi-plant authentication architecture.

SAML SSO Integration Process

Our implementation followed this timeline:

Week 1-2: Planning and Design

  • Documented current authentication flows across all five plants
  • Identified user populations: 45 production schedulers, 12 plant managers, 8 IT admins
  • Selected Okta as our identity provider (we already used it for other corporate apps)
  • Designed user provisioning and role mapping strategy
  • Created test plan and rollback procedures

Week 3-4: Technical Implementation

Configured Okta SAML application:

  • Created custom SAML 2.0 app in Okta for Honeywell MES
  • Configured assertion consumer service URL: `https://mes-prod.company.com/saml/acs`
  • Set up attribute statements (email, firstName, lastName, employeeId, groups)
  • Generated and downloaded SAML metadata XML

Configured MES 2023.1 SAML settings in saml-config.xml:

```xml
<saml>
    <entityId>honeywell-mes-production</entityId>
    <identityProvider>
        <metadataUrl>https://okta.company.com/app/metadata/saml</metadataUrl>
        <singleSignOnService>https://okta.company.com/app/sso/saml</singleSignOnService>
    </identityProvider>
    <serviceProvider>
        <assertionConsumerService>https://mes-prod.company.com/saml/acs</assertionConsumerService>
        <singleLogoutService>https://mes-prod.company.com/saml/slo</singleLogoutService>
    </serviceProvider>
</saml>
```

Week 5: User Migration

Automated user mapping process:

  1. Exported user lists from all five MES instances
  2. Matched 85% automatically by email address
  3. Manually resolved 15% with mismatched emails or missing Okta accounts
  4. Created migration script that updated MES user records with Okta identifiers
  5. Validated mapping in test environment with sample users

Week 6: Testing and Rollout

Phased deployment:

  • Plant 1 (pilot): 2 weeks with 9 schedulers
  • Plants 2-3: 1 week with 18 schedulers
  • Plants 4-5: 1 week with 18 schedulers
  • Post-deployment monitoring: 1 week

Password Fatigue Solution

Our schedulers were managing multiple credentials:

Before SSO:

  • 5 plant-specific MES credentials
  • Corporate network login
  • Email/Office 365
  • Various other plant systems
  • Average: 8-10 passwords per scheduler

Pain Points We Addressed:

  1. Password Reset Volume: 25-30 tickets per week across all plants
  2. Account Lockouts: 15-20 incidents per week (schedulers trying wrong password)
  3. Productivity Loss: Estimated 2-3 hours per scheduler per month dealing with password issues
  4. Security Risks: Password reuse, written passwords, weak passwords

SSO Solution Implementation:

  • Single authentication through Okta (corporate identity provider)
  • Eliminated 5 plant-specific passwords immediately
  • Integrated with existing corporate AD, so schedulers use familiar credentials
  • Enabled MFA through Okta (push notifications) for additional security
  • Implemented self-service password reset through Okta portal

Results After 4 Months:

  • Password reset tickets: Down from 25-30/week to 10-12/week (60% reduction)
  • Account lockouts: Down from 15-20/week to 5-7/week (65% reduction)
  • Scheduler satisfaction: Survey showed 92% prefer SSO over previous system
  • Help desk time saved: ~15 hours per week (previously spent on password issues)
  • Security improvement: 100% of schedulers now use MFA (was 0% before)

Multi-Plant Authentication Architecture

Key architectural decisions for five-plant deployment:

1. Centralized vs Federated Identity:

We chose centralized identity (Okta) with federated authorization (plant-level MES):

```text
[Okta Identity Provider]
         |
         | SAML Assertion
         |
    [MES SAML Service Provider - Central]
         |
         +--- Plant 1 MES Instance (local roles/permissions)
         +--- Plant 2 MES Instance (local roles/permissions)
         +--- Plant 3 MES Instance (local roles/permissions)
         +--- Plant 4 MES Instance (local roles/permissions)
         +--- Plant 5 MES Instance (local roles/permissions)
```

2. Session Management Across Plants:

Implemented shared session state:

  • Okta session timeout: 8 hours (work shift duration)
  • MES application session: 4 hours with sliding window
  • Cross-plant navigation: Seamless within Okta session validity
  • When scheduler accesses different plant, SAML assertion is reused (no re-authentication)

3. Role and Permission Strategy:

Hybrid approach balancing centralization and plant autonomy:

Okta (Central):

  • User identity and authentication
  • Basic group assignments (Scheduler, PlantManager, ITAdmin)
  • MFA enforcement
  • Default role provisioning via SAML attributes

MES (Plant-Level):

  • Detailed role definitions (ProductionScheduler, MaterialPlanner, CapacityAnalyst)
  • Module-specific permissions (who can modify schedules, approve changes, etc.)
  • Plant-specific access controls (Plant 1 scheduler can’t modify Plant 2 schedules)
  • Custom workflows and approval chains

SAML attribute mapping in saml-attribute-mapping.xml:

```xml
<attribute-mapping>
    <attribute name="email" maps-to="userEmail" required="true"/>
    <attribute name="firstName" maps-to="givenName"/>
    <attribute name="lastName" maps-to="surname"/>
    <attribute name="employeeId" maps-to="employeeNumber"/>
    <attribute name="groups" maps-to="defaultRoles" multi-value="true"/>
</attribute-mapping>
```

4. Cross-Plant Access Patterns:

Schedulers fall into three categories:

  • Single-plant schedulers (70%): Access only their assigned plant
  • Multi-plant schedulers (25%): Access 2-3 related plants (e.g., similar product lines)
  • Corporate schedulers (5%): Access all plants for capacity planning

Access control implemented through Okta groups:

  • MES-Plant1-Scheduler, MES-Plant2-Scheduler, etc.
  • MES-MultiPlant-Scheduler (inherits access to multiple plants)
  • MES-Corporate-Scheduler (full access)

5. Audit Logging and Compliance:

Centralized audit trail:

  • All authentication events logged in Okta
  • Authorization events logged in each MES instance
  • Aggregated in central SIEM for compliance reporting
  • Can track: Who accessed which plant, when, from where, what actions they performed

Implementation Lessons Learned

  1. Browser Cache Issues: Some users had cached credentials that conflicted with SSO. Solution: Clear browser cache during cutover, provide documentation.

  2. Contractors and External Users: Didn’t have Okta accounts. Solution: Created guest account process with limited access.

  3. Offline Access: Some plants wanted local fallback if Okta is unavailable. Solution: Kept emergency local admin accounts (break-glass procedure).

  4. Mobile Access: Schedulers wanted to check schedules from tablets. Solution: Okta mobile app worked seamlessly with MES mobile interface.

  5. Performance: Initial concern about SAML handshake latency. Reality: Added <1 second to login, imperceptible after first authentication.

ROI Analysis

Cost-benefit breakdown:

Costs:

  • Implementation: 240 hours (IT + vendor) × $150/hr = $36,000
  • Okta licensing: $8/user/month × 65 users × 12 months = $6,240/year
  • Training: 30 minutes × 65 users × $50/hr = $1,625
  • Total Year 1: ~$44,000

Benefits:

  • Help desk time saved: 15 hrs/week × 52 weeks × $50/hr = $39,000/year
  • Scheduler productivity: 2.5 hrs/scheduler/month × 45 schedulers × 12 months × $75/hr = $101,250/year
  • Reduced security incidents: Estimated $20,000/year (password-related breaches, compliance issues)
  • Total Annual Benefit: ~$160,000

Payback Period: 3.3 months

Recommendations for Similar Implementations

  1. Start with pilot plant to validate approach
  2. Automate user migration as much as possible (manual mapping is error-prone)
  3. Keep local emergency admin accounts as fallback
  4. Plan cutover during low-activity periods (weekends, off-shifts)
  5. Have IT support on-site at each plant during cutover
  6. Document the new login process with screenshots
  7. Implement MFA from day one (don’t add it later)
  8. Monitor authentication logs closely for first month
  9. Survey users after 30 days to gather feedback
  10. Celebrate the win - this significantly improves daily work life for users

This implementation has been one of our most successful IT projects in terms of user satisfaction and measurable ROI. The combination of SAML SSO, elimination of password fatigue, and seamless multi-plant access has transformed how our schedulers work.

What about session management across the plants? When a scheduler logs into Plant A’s scheduling system via SSO, can they seamlessly access Plant B’s system without re-authenticating? And how did you handle role/permission mapping - do you manage that in Okta or still in each MES instance? We’re concerned about maintaining proper access controls when centralizing authentication.

We used the native SAML 2.0 support in MES 2023.1 - no custom connectors needed. The key was configuring the SAML metadata exchange correctly between Okta and MES. For user migration, we did an automated mapping based on email addresses. We exported the user list from each plant’s MES instance, matched them to existing Okta accounts by email, and used a batch script to update the MES user records with the Okta user IDs. About 85% matched automatically; the remaining 15% required manual intervention (mostly due to email mismatches or contractors with different email domains).
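One way to script the e-mail-based matching described above, added here as an illustration and not the poster's actual batch script: the MES export rows and the Okta directory are constructed sample data, and `match_users` also flags the case where one Okta identity absorbs several plant accounts so that merge can be reviewed before the MES records are rewritten.

```python
from collections import defaultdict

# Constructed sample exports, one row per MES account: (plant, mes_username, email)
MES_EXPORTS = [
    ("Plant1", "jdoe", "John.Doe@company.com"),
    ("Plant2", "jdoe2", "john.doe@company.com"),          # same person, second plant
    ("Plant3", "asmith", "a.smith@company.com"),
    ("Plant4", "contractor7", "rlee@vendor-example.com"),  # contractor, other domain
    ("Plant5", "bkim", "bkim@company.com"),
]
# Constructed Okta directory: normalized e-mail -> Okta user id
OKTA_USERS = {
    "john.doe@company.com": "00u1abc",
    "a.smith@company.com": "00u2def",
    "bkim@company.com": "00u3ghi",
}

def normalize(email):
    """E-mail addresses differ only by case/whitespace between systems; compare canonically."""
    return email.strip().lower()

def match_users(mes_rows, okta_by_email):
    """Return (matched, unmatched, merged).

    matched:   (plant, mes_username) -> Okta id, safe to write back automatically
    unmatched: rows with no Okta account, left for manual resolution
    merged:    Okta ids that would own more than one MES account; a real person
               with accounts at several plants is expected, but each such
               collapse should be eyeballed so two different people never share one identity
    """
    matched, unmatched, owners = {}, [], defaultdict(list)
    for plant, username, email in mes_rows:
        okta_id = okta_by_email.get(normalize(email))
        if okta_id is None:
            unmatched.append((plant, username, email))
            continue
        matched[(plant, username)] = okta_id
        owners[okta_id].append((plant, username))
    merged = {oid: accts for oid, accts in owners.items() if len(accts) > 1}
    return matched, unmatched, merged

if __name__ == "__main__":
    m, u, merged = match_users(MES_EXPORTS, OKTA_USERS)
    print(f"auto-matched {len(m)}/{len(MES_EXPORTS)}; manual: {u}; merged: {merged}")
```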

Yes, single sign-on works across all plants - once authenticated to Okta, schedulers can access any plant’s scheduling portal without re-authenticating (within the SSO session timeout, which we set to 8 hours). For roles and permissions, we use a hybrid approach: authentication is centralized in Okta, but authorization (roles/permissions) is still managed within each MES instance. This gives us centralized identity management while maintaining plant-specific access controls. We did implement group-based role assignment in Okta that provisions default roles, but plant admins can override these in MES if needed.
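To make the hybrid model concrete, here is an added example that is not part of the post or of Honeywell MES: it applies the saml-attribute-mapping.xml quoted in the write-up to an attribute statement and derives a plant-scoped authorization check from the Okta group names given there. It assumes the MES SAML stack has already verified the assertion signature before these attributes are trusted, and that the concrete plant list for MES-MultiPlant-Scheduler members is stored per user, since the group name alone does not say which plants.

```python
import re
import xml.etree.ElementTree as ET
# saml-attribute-mapping.xml exactly as quoted in the post
MAPPING_XML = """<attribute-mapping>
    <attribute name="email" maps-to="userEmail" required="true"/>
    <attribute name="firstName" maps-to="givenName"/>
    <attribute name="lastName" maps-to="surname"/>
    <attribute name="employeeId" maps-to="employeeNumber"/>
    <attribute name="groups" maps-to="defaultRoles" multi-value="true"/>
</attribute-mapping>"""
ALL_PLANTS = frozenset({1, 2, 3, 4, 5})
PLANT_GROUP = re.compile(r"^MES-Plant([1-5])-Scheduler$")  # MES-Plant1-Scheduler etc.

def load_mapping(xml_text):
    """Parse the mapping into (idp_name, mes_field, required, multi_value) tuples."""
    return [(a.get("name"), a.get("maps-to"),
             a.get("required") == "true", a.get("multi-value") == "true")
            for a in ET.fromstring(xml_text).findall("attribute")]

def apply_mapping(assertion_attrs, mapping):
    """Rename IdP attributes to MES fields; refuse a statement missing a required one.
    assertion_attrs: name -> list of values from an ALREADY signature-verified assertion."""
    user = {}
    for name, field, required, multi in mapping:
        values = assertion_attrs.get(name, [])
        if required and not values:
            raise ValueError(f"assertion lacks required attribute {name!r}")
        if multi:
            user[field] = list(values)
        elif values:
            user[field] = values[0]  # single-valued field
    return user

def plants_for(default_roles, multiplant_plants=frozenset()):
    """Plant ids a scheduler may work in, from the Okta group names in the post.
    Unknown groups grant nothing; MultiPlant members get the list passed in (assumed per-user)."""
    plants = set()
    for group in default_roles:
        m = PLANT_GROUP.match(group)
        if m:
            plants.add(int(m.group(1)))
        elif group == "MES-Corporate-Scheduler":
            plants |= ALL_PLANTS
        elif group == "MES-MultiPlant-Scheduler":
            plants |= set(multiplant_plants)
    return plants

def can_modify_schedule(user, plant_id, multiplant_plants=frozenset()):  # plant-scoped check
    return plant_id in plants_for(user.get("defaultRoles", []), multiplant_plants)
```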

This is exactly what we need! We’re dealing with the same password fatigue issue across three plants. Can you share more details about the Okta integration with Honeywell MES 2023.1? Did you use the native SAML support or did you need custom connectors? Also, how did you handle the initial user migration - did you have to manually map existing MES users to Okta identities?