Iron Cove Solutions

Construction Engineering Case Study

How a National Engineering Firm Secured 1,250 Users Across Multiple Locations with Okta Adaptive MFA and the Kloud Authentication Framework


Executive Summary

Client: Construction Engineering
Industry: Engineering & Architecture
Integration Partner: Iron Cove Solutions
Project Date: September 11, 2019
POC Investment: $15,000 (60 hours)
Users to Manage: 1,250 across multiple reporting centers

Construction Engineering is an engineering organization comprised of multiple independent Reporting Centers with centralized support from a General and Administrative (G&A) unit. The G&A team is responsible for accounting, payroll, insurance, human resources, and enterprise-wide applications. Iron Cove Solutions implemented the Okta Kloud Authentication Framework to provide maximum security with minimal end-user frustration across 1,250 users.

Security Philosophy

"When Security is at its highest, it must provide the highest amount of protection with the least amount of end-user frustration!"

Quick Results Overview

1,250 Users Secured
7 MFA Factor Options
Zone-Based Threat Detection
Single Sign-On Across All Apps
Sandbox Environment for Testing

About Construction Engineering

The Construction Engineering organization is comprised of a variety of individual Reporting Centers which operate independently with centralized support from a business operations unit known as General and Administrative (G&A). This central team is responsible for a variety of business services, including:

  • Accounting
  • Payroll
  • Insurance
  • Human Resources
  • Enterprise-wide application administration

As part of their supported services, the G&A team owns and administers enterprise-wide applications which are critical to the overall operations of the business. G&A understands that access to these enterprise applications needs to be as secure as possible to ensure the continuity of the related services.

Use of Okta - High Level

End Users

End users would have the ability to reset passwords and the flexibility to securely authenticate on any device (if management allows) to cloud applications provided by management. MFA would be enabled so that users authenticate by text, phone, or Yubikey for specific apps. An end user would then be able to log in, click an application tile, and go straight into the application. It would be one credential for all access and authentication.

Administrators

G&A Administrators would now have full control of provisioning workers/partners. An admin would log in to Okta and create a user, and all downstream applications would be pushed out for that worker. If a worker is to be removed from the firm, an admin would log in and remove that person. Their credentials/permissions would be removed from all devices instantly.

Okta Adaptive MFA: The Game Changer

Construction Engineering has a strong desire for MFA (Multi-Factor Authentication). MFA is valuable in authentication because a user is granted access only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism. Okta's Adaptive MFA takes it a step further.

What Makes Adaptive MFA Special?

Besides having 7 MFA Factors, Adaptive MFA (AMFA) also has Zones (location or IP), Device, and Network detection. Construction Engineering has multiple reporting centers with workers out and about. AMFA is a learning MFA, and this learning is critical to its most powerful feature: Zones.

How Zone Detection Works

Zone detection takes the time, place, and IP of each attempt/connection as input and flags an attempt that couldn't possibly correspond with the worker's normal patterns. For example:

  • A worker normally logs in from the Seattle office during business hours
  • The system receives a login attempt from Moscow at 3 AM Seattle time
  • The account is immediately put in a critical risk state
  • Access is stopped
  • The hacker is locked out because the location doesn't correspond with the worker's last legitimate connection
  • Management is notified immediately
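
The sketch below illustrates the kind of check described above. It is an added example, not Okta's algorithm and not code from the original case study. The `Baseline` profile, the speed and jitter thresholds, the risk labels, and the sample logins (documentation IP ranges, approximate coordinates) are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_TRAVEL_KMH = 800   # assumed ceiling on plausible travel speed (tunable)
GEO_JITTER_KM = 50     # assumed tolerance for geo-IP inaccuracy

@dataclass
class Login:
    when: datetime     # timezone-aware timestamp
    ip: str
    lat: float         # geo-IP latitude/longitude of the source address
    lon: float

@dataclass
class Baseline:        # hypothetical per-user profile of "normal"
    zones: list        # trusted CIDR ranges, e.g. office egress addresses
    tz: timezone       # the user's home time zone
    hours: range       # local hours in which the user usually logs in

def distance_km(a, b):
    """Great-circle (haversine) distance between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def evaluate(base, last_good, attempt):
    """Score an attempt against the baseline and the last legitimate login."""
    reasons = []
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in ipaddress.ip_network(z) for z in base.zones):
        reasons.append("ip_outside_known_zones")
    if attempt.when.astimezone(base.tz).hour not in base.hours:
        reasons.append("outside_usual_hours")
    km = distance_km(last_good, attempt)
    elapsed_h = (attempt.when - last_good.when).total_seconds() / 3600
    if km > GEO_JITTER_KM and (elapsed_h <= 0 or km / elapsed_h > MAX_TRAVEL_KMH):
        reasons.append("impossible_travel")
        return "CRITICAL", reasons      # stop access, notify management
    return ("ELEVATED" if reasons else "LOW"), reasons  # ELEVATED: step-up MFA

# Constructed sample data: documentation IP ranges, approximate city coordinates.
PST = timezone(timedelta(hours=-8))
BASE = Baseline(["203.0.113.0/24"], PST, range(7, 19))
SEATTLE = Login(datetime(2024, 3, 5, 18, 0, tzinfo=PST), "203.0.113.10", 47.61, -122.33)
MOSCOW = Login(datetime(2024, 3, 6, 3, 0, tzinfo=PST), "198.51.100.23", 55.76, 37.62)
HOME = Login(datetime(2024, 3, 6, 9, 0, tzinfo=PST), "192.0.2.44", 47.67, -122.12)

if __name__ == "__main__":
    for name, attempt in (("Moscow 3 AM", MOSCOW), ("Seattle home 9 AM", HOME)):
        print(name, evaluate(BASE, SEATTLE, attempt))
```

The Moscow attempt trips all three signals and is denied outright, while the same worker connecting from a nearby home address during normal hours is only asked for a stronger factor.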

7 MFA Factor Options

1. Security Question

  • Traditional knowledge-based authentication
  • User-defined questions and answers
  • Easy backup option

2. Passwords

  • Standard password authentication
  • Policy-enforced complexity rules
  • Expiration management

3. SMS, Voice, Email OTP

  • One-time codes via text message
  • Voice call delivery option
  • Email backup method

4. Software OTP

  • Time-based one-time passwords
  • Works offline
  • Google Authenticator compatible

5. Okta Verify Push

  • Push notifications to mobile device
  • One-tap approval
  • Most user-friendly option

6. FIDO 2.0/WebAuthn

  • Modern passwordless authentication
  • Yubikey hardware support
  • Highest security level

7. Biometrics & SAML/OIDC

  • Fingerprint recognition
  • Facial recognition
  • Enterprise SSO providers

Implementation Timeline: 6-Phase Approach

Phase 1: SOW Building

Activities:
  • Why Okta - business case
  • Capabilities assessment
  • Architecture review
  • Security requirements
Outcome:
  • Summary readiness document

Phase 2: Okta Intro & Design

Activities:
  • Understanding current state
  • Proof of concept design
  • Verification testing
  • Configuration confirmation
Outcome:
  • Okta design documentation

Phase 3: Development & AD Injection

Activities:
  • Roles and Groups setup
  • AD Integration deployment
  • Universal Directory configuration
Outcome:
  • Working AD integration

Phase 4: Adaptive MFA

Activities:
  • MFA factor configuration
  • IP zone configuration
  • Security policy mappings
  • User enrollment process
Outcome:
  • Security review complete

Phase 5: GoLive

Activities:
  • Domain configuration
  • Testing and validation
  • User assignment
  • Documentation delivery
Outcome:
  • O365 integration live

Phase 6: Support & Next Phase

Activities:
  • User enrollment support
  • Escalation procedures
  • System monitoring
  • Ongoing support
Outcome:
  • Full production support

Details and Deliverables

Kick-Off Meeting

Review Okta deployment methodology and best practices

  1. Creation and validation of Customer's Okta Org(s) - Office 365
  2. Planning Workshop
  3. Active Directory integration planning
  4. Review application list and functional requirements
  5. Discuss release of users, applications and compliance
  6. Project schedule and planning

Active Directory Integration

Integration and configuration of foundation and Active Directory

  1. Review Okta and Active Directory environments
  2. Deploy Active Directory (AD) agents (number TBD)
  3. Import AD users and groups
  4. Create Okta user accounts from AD import
  5. Configure Security Policies (e.g., password expires after 6 months)
  6. Configure self-service password reset
  7. Configure MFA factors

Sandbox Proof of Concept Set Up

  1. Review Integration architecture
  2. Deploy SAML configuration for seamless user experience
  3. Set up domain validation in applications
  4. Troubleshoot single sign-on settings
  5. Configure AD as the master profile service
  6. Verify SP-Initiated SAML
  7. Rollout recommendations and communication checklist
  8. Communications to end users - templates and emails
  9. Review go-live checklist

Project Objectives

Iron Cove Design and Build Offering

  • Assist Construction Engineering in business use case POC
  • Assist Construction Engineering Team in identifying business use cases, prioritizing the use cases, and building the use case that can be built within the allocated hours
  • Jointly design and build one Okta instance
  • Jointly present with Okta to the Construction Engineering Innovation Team in early November
  • Provide information sharing to enable further successful solution builds
  • Assist Construction Engineering in creating a Roadmap for building solutions for remaining business use cases

Business Use Case Delivery - POC Phase

  • Identify overall project objectives and high-level business requirements
  • Conduct project kick-off to review governance objectives
  • Identify a business use case for which MFA/SSO solution could be built
  • Discuss current architecture constraints and gaps
  • Create a High-Level Approach for the Okta use case
  • Define organizational roles and processes
  • Identify and review critical data elements and critical success factors
  • Prioritize remaining business use cases for future builds
  • Deliver Full SOW and Pricing

Cloud Applications for POC

SSO Application | Notes for Project
Microsoft Office 365 | Primary enterprise application
BST | Business application integration
Paycom | HRIS system integration

Cloud Application Specific Assumptions

  • Client must own and provide the highest level of access to all administration tenants
  • User communication will be transferred to client and distributed and released by Construction Engineering
  • Any modifications to the scope of work will be handled through a change control process

Out of Scope

  • Desktop SSO and Agentless Desktop SSO
  • Any VPN Authentication
  • GDPR instances of Okta
  • Okta "early access" features
  • Functionality demonstrated as Roadmap, Beta or Early Release
  • Installation, upgrades or purchase of additional software
  • Setting up computers, mobile devices or any appliance for Okta
  • Any API Consulting
  • Working with third-party vendors and external users

Project Investment & Payment Terms

POC Phase Structure

  • Project Type: Time & Materials
  • Estimated Hours: 60 hours
  • Hourly Rate: $250/hour
  • POC Investment: $15,000
  • Note: Actual hours may be more or less based on project complexity

Payment Terms

  • Invoices are due according to MSA terms
  • Billing occurs every two weeks (1st and 15th)
  • Work takes place during business hours: Monday-Friday, 8:00 AM - 5:00 PM
  • Some variation expected based on availability and timeliness of data/feedback

Project Schedule

  • Project kickoff within 5 days of legal documentation signature
  • US Holidays may impact actual timeframe
  • Estimated timeline defined and agreed upon between both parties

Key Assumptions

  • Okta account in good standing from licensing perspective
  • Client has appropriate administrative access to systems
  • Client application owners determine appropriate subscription licenses
  • Client actively participates and provides integration information promptly
  • Majority of consulting services delivered remotely
  • ICS will perform no patches or updates

Project Costing: Okta Licensing

The following licensing structure is designed for 1,250 users across Construction Engineering's reporting centers:

Annual Licensing Components

Service | Quantity | Description
Universal Directory | 1,250 users | Centralized user profile management
SSO (Single Sign-On) | 1,250 users | One credential for all applications
MFA (Multi-Factor Auth) | 1,250 users | Standard multi-factor authentication
Adaptive MFA (Zone) | 1,250 users | Intelligent zone-based threat detection
Sandbox Environment | 1 | Testing and development instance
Premium Support | 1 | 24/7 Okta support access

Contact Iron Cove Solutions for detailed pricing on 1-year, 2-year, or 3-year licensing commitments.

Project Management Approach

Iron Cove Solutions uses specialized project management tools for tracking project status and updates. Construction Engineering will be given access to these tools before project commencement.

Project Management Standard Activities

Activity | Description
Kick Off Meeting | PM holds kick-off meeting managed by approved Project Manager experienced in methodology and best practices
Develop Project Plan | PM develops project plan incorporating team roster, risk management, communication plan, change management, schedule and issue resolution
Assign Responsibilities | PM confirms and documents expected roles and responsibilities for all parties
Risk Management Plan | PM uses experience to identify potential risks and creates project-specific mitigation plan
Communication Plan | PM works with team to develop communication plan identifying who, how, and when to contact
Change Management | PM documents and obtains approval for any changes to baseline schedule or plan
Project Schedule | PM coordinates with stakeholders to create timeline and integrates with other project schedules
Main Point of Contact | PM provides trusted advisor who facilitates communication throughout all project phases

Frequently Asked Questions

What is Adaptive MFA and how is it different from regular MFA?

Adaptive MFA learns user behavior patterns including login locations, IP addresses, devices, and times. When a login attempt doesn't match normal patterns (like a login from an unusual location), it automatically increases security requirements or blocks access entirely, providing maximum security with minimal user friction.

How does Zone-based detection protect against hackers?

Zone detection analyzes time, location, and IP address of login attempts. If a hacker tries to access an account from a location that doesn't match the user's normal pattern, the system immediately flags it as high-risk, blocks access, and notifies administrators—stopping the attack before it succeeds. The system learns what's normal for each user and alerts on anomalies.

What MFA options can users choose from?

Users can choose from 7 MFA factors: security questions, passwords, SMS/voice/email OTP, software OTP (like Google Authenticator), Okta Verify push notifications, FIDO 2.0/WebAuthn hardware keys (Yubikey), and biometrics with SAML/OIDC providers. This flexibility ensures users can select the method that works best for their workflow.

What is included in the POC phase?

The POC (Proof of Concept) phase includes 60 hours of consulting to identify business use cases, design the Okta solution, integrate with Active Directory, configure Adaptive MFA, integrate 3 cloud applications (Office 365, BST, Paycom), and present the solution to stakeholders. The investment is $15,000 and includes a roadmap for future phases.

How long does an Okta implementation take?

The POC phase typically takes 60 hours spread over several weeks. A full enterprise implementation following the 6-phase approach generally takes 2-4 months from discovery to go-live, depending on the number of applications, organizational complexity, and user count. The timeline is defined and agreed upon mutually.

What happens after the POC phase?

After the POC, Iron Cove Solutions presents a complete recommendations document, lessons learned, user feedback, a roadmap for remaining use cases, and a full Statement of Work with pricing for enterprise-wide deployment. This allows Construction Engineering to make an informed decision about proceeding with full implementation.

Ready to Enhance Your Security with Adaptive MFA?

Contact Iron Cove Solutions today to discuss how we can help your organization implement intelligent, user-friendly security with Okta's Kloud Authentication Framework.

Los Angeles, California

Enterprise Identity and Access Management Specialists


This case study showcases Iron Cove Solutions' expertise in enterprise identity management and Okta implementation. Results may vary based on organizational requirements and existing infrastructure. Project Statement of Work prepared September 11, 2019 for Construction Engineering.

Talk to us

Phone & Hours

(888) 959-2825
Monday-Friday: 9am to 5pm