Zuora Global Support's core mission is to support our customers with the highest quality of customer care. Our support agents deal with a wide spectrum of issues ranging from simple and advanced troubleshooting, to tenant setup and customization, as well as technical incident management.
Eighteen months ago, however, we started noticing some bumps in the road.
As is typical of any SaaS support engagement, our Global Support agents had to log into customers' tenants on our platform most of the time to resolve issues. The process being used, however, was manual and error-prone, which ended up costing both support and our customers valuable time during a support engagement. The process also didn't scale well, since there was no organization-wide standard for tenant access, and it didn't provide the flexibility we needed to restrict tenant access from certain support geographies, as required by certain customer contracts.
Noticing the deficiencies of the status quo, we decided to implement an SSO-based solution that allows faster, more automated and seamless access to customers' tenants, while also incorporating requirements from security and compliance. Before we jump into the details of the solution, let's take a brief moment to review the requirements that were part of the solution design.
The requirements included:
Security - The solution must generate auditable logs and abide by security access rules.
Scalability - The solution must take into account both existing and new tenants, and should scale with the number of agents in our support organization and the size of our customer base.
Operational Overhead - The solution should not require much handholding from Zuora's IT and Technical Operations groups.
Policy Management - The solution must be able to enforce stringent access policies where a customer contract requires them.
Infrastructure Reuse - The solution must reuse existing infrastructure, including both application and infrastructure stacks.
Resilience and Robustness - The solution must be available 100% of the time, since our geographically distributed support organization needs to rely on it to resolve customer issues 24x7x365.
Our solution is a cluster-deployed Java-based application (we called it zSSO because we like to name things starting with a 'z') that implements a workflow reusing the Single Sign On (SSO) infrastructure already in place for the core Zuora product/platform, as well as the existing Active Directory (AD) infrastructure deployed by IT to manage employee user accounts. The Java-based workflow is initiated whenever a brand new tenant is provisioned, and works as follows:
Synchronize all Global Support users from the existing AD installation to an Identity Provider (IdP). In our case, the IdP used by the core Zuora application is Okta. Synchronizing from AD means we get employee onboarding/offboarding management for free: an agent removed from AD loses tenant access on the next sync.
Create "Global Support" specific group(s) in the IdP and map the Global Support agents to these groups; we ultimately created groups delineated by geography. This further allowed us to restrict tenant access as necessary.
Synchronize tenants from Zuora to Okta; in other words, every Zuora tenant appears as an Application (or chiclet/icon) in Okta.
Pre-seed a Global Support user in Zuora in all existing tenants.
Map the pre-seeded Global Support user to all the users in the respective Global Support group.
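The last two steps are where the geography-based contract restrictions and the auditable-log requirement meet. The following is an added example, not Zuora's zSSO code: it models the mapping decision as a deny-by-default check over the synced data, with a structured audit record per decision. The group naming scheme, the per-tenant allowed-geography field and the sample agents and tenants are all constructed for illustration.

```python
"""Added example (not zSSO code): tenant-to-agent mapping with geo policy and audit."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional
import json

GROUP_PREFIX = "GlobalSupport-"  # assumed group naming, e.g. "GlobalSupport-EMEA"


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    allowed_geos: FrozenSet[str]  # contractual allowlist; empty set = unrestricted


@dataclass(frozen=True)
class Agent:
    username: str
    geo_group: str  # IdP group name synced from AD


def geo_of(group: str) -> Optional[str]:
    """Geography encoded in a Global Support group name; None for any other group."""
    return group[len(GROUP_PREFIX):] if group.startswith(GROUP_PREFIX) else None


def may_access(agent: Agent, tenant: Tenant) -> bool:
    """Deny by default: the agent must be in a Global Support geo group, and if the
    tenant is contractually restricted, that geo must be on the tenant's allowlist."""
    geo = geo_of(agent.geo_group)
    if geo is None:
        return False
    return not tenant.allowed_geos or geo in tenant.allowed_geos


def assign_tenants(tenants: Iterable[Tenant], agents: Iterable[Agent]) -> Dict[str, List[str]]:
    """Which agents get the pre-seeded Global Support user in each tenant."""
    agents = list(agents)
    return {t.tenant_id: sorted(a.username for a in agents if may_access(a, t)) for t in tenants}


def audit_record(agent: Agent, tenant: Tenant, now: Optional[datetime] = None) -> str:
    """One JSON line per mapping decision, including denials, for the audit log."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"ts": ts, "event": "zsso.tenant_mapping", "agent": agent.username,
                       "group": agent.geo_group, "tenant": tenant.tenant_id,
                       "decision": "allow" if may_access(agent, tenant) else "deny"},
                      sort_keys=True)


# Constructed sample data: one unrestricted tenant, one EMEA-only by contract.
TENANTS = [Tenant("acme", frozenset()), Tenant("eurobank", frozenset({"EMEA"}))]
AGENTS = [Agent("alice", "GlobalSupport-EMEA"), Agent("bob", "GlobalSupport-APAC"),
          Agent("carol", "Finance")]
```

Agents outside any Global Support group (here "carol") are denied everywhere, and the denial is still logged, which is what makes an access review possible later.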
The following diagram represents all of the interactions in the workflow implemented by our zSSO solution:
Figure 1 - zSSO workflow
Once everything is synchronized, our support agents log into Okta and click on a single icon to access a specific tenant on our platform! This provides a standardized, scalable and auditable method of access across all support geographies.
How has all this worked out for us, you may ask? The SSO/AD-based workflow has been functioning as intended in all of our customer-facing environments since it was deployed. We have not yet had an incident where Global Support agents were unable to access customers' tenants, the solution continues to adhere to our internal security and compliance standards, and it is scaling well as we grow our support organization and customer base!