Supplier management: SSO vs local accounts for external suppliers

I’m curious how other organizations handle authentication for external suppliers in the Supplier Management module. We’re debating between requiring SSO integration with suppliers’ identity providers versus creating local MC accounts with strong password policies.

SSO sounds ideal from a security standpoint, but the onboarding complexity is significant - many of our smaller suppliers don’t have mature identity systems. Local accounts are easier to set up but create password management risks and potential audit trail gaps. We have about 200 active suppliers who need to submit documentation, respond to audits, and update their qualification status.

What approaches have worked well for others? Are there hybrid models that balance security with practical usability for external parties?

Consider a tiered approach based on supplier risk classification. Critical suppliers (high volume, sole source, or high-risk materials) get SSO requirements built into their supplier agreements. Medium and low-risk suppliers use local accounts with MFA via email or SMS codes. This balances security with practicality. We implemented this last year and it’s working well - about 30 suppliers on SSO, 170 on local accounts with MFA.

From a pure security perspective, local accounts are riskier. Password reuse across systems is common, and you have no control over how suppliers manage their MC credentials. If a supplier employee leaves, how quickly do they revoke that MC access? With SSO, the supplier’s own HR offboarding process handles it automatically. We’ve had incidents where former supplier employees retained MC access for months because the supplier forgot to notify us.

The audit trail point is compelling. We had a recent FDA inspection where they specifically asked about supplier user access controls and deprovisioning processes. We couldn’t prove when a supplier employee had left their company and whether their MC access was revoked timely. That’s making me lean toward SSO despite the complexity.
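The tiered model described above (SSO for critical suppliers, local accounts with MFA for the rest) and the deprovisioning gap raised in the later replies can both be turned into a periodic access review. The script below is an added illustration, not code from this thread or from the MC product; the export fields (tier, auth, mfa, last_login), the 90-day idle threshold and the supplier names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: an access review over a supplier-account export.
# Field names are assumptions, not the product's real schema.

@dataclass
class SupplierAccount:
    user: str
    supplier: str
    tier: str        # "critical", "medium" or "low" (supplier risk class)
    auth: str        # "sso" or "local"
    mfa: bool
    last_login: date

# Policy: critical suppliers must use SSO; any local account must have MFA;
# a local account idle past the threshold is a possible un-reported leaver.
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold

def review_accounts(accounts, today):
    """Return (user, finding) pairs for every account that breaches policy."""
    findings = []
    for a in accounts:
        if a.tier == "critical" and a.auth != "sso":
            findings.append((a.user, "critical supplier not on SSO"))
        if a.auth == "local" and not a.mfa:
            findings.append((a.user, "local account without MFA"))
        if a.auth == "local" and today - a.last_login > INACTIVITY_LIMIT:
            findings.append((a.user, "local account idle >90 days; confirm employment"))
    return findings

# Constructed sample export (fictitious suppliers and users).
SAMPLE = [
    SupplierAccount("j.doe", "AcmeResins", "critical", "sso", True, date(2024, 5, 30)),
    SupplierAccount("m.lee", "BetaLabels", "critical", "local", True, date(2024, 5, 28)),
    SupplierAccount("k.ng", "GammaPkg", "low", "local", False, date(2024, 5, 20)),
    SupplierAccount("r.ali", "DeltaVials", "medium", "local", True, date(2024, 1, 15)),
]

def sample_findings():
    """Run the review over the constructed sample as of 2024-06-01."""
    return review_accounts(SAMPLE, date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Running the review on a schedule and keeping its output gives the dated evidence of access checks that an inspector asking about deprovisioning would expect to see.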