Single Sign-On (SSO)

Red Hat

Responsibilities: Interaction design | Visual design | Project management | People management

Red Hat’s external single sign-on (SSO) solution was built using the open source Identity and Access Management project Keycloak. My team contributed design and usability improvements upstream to Keycloak so all Keycloak users, not just Red Hat, could benefit.

All Red Hat products and services use this SSO solution, which allowed me to collaborate with engineering, marketing, executives, and the open source community.

Design goal

Make the experience of becoming a Red Hat customer, signing in to Red Hat properties, and managing other users so seamless that customers don’t even think about it.

Short term:

  • Prompt user to use username instead of email address if they have multiple accounts with that email address

Long term:

  • Merge user accounts (1 customer : 1 account)
  • Update visual design
  • Contribute back to Keycloak

User benefits

  • Manage all users and subscriptions in one place
  • Improved password security requirements and compliance indication when creating a password
  • Visual consistency between log in form, user account management, products, and other web apps

User challenges and design solutions

Confusing log in and account experiences

Consolidate the two log in pages and two different account management pages.

Multiple accounts and account lockout

Use email address as the account identifier rather than user-generated logins. Customers will now have one account rather than one per login.

Lack of trust in emails

Update plaintext emails to match other company communication so customers feel confident that these are legitimate emails.

Customers cannot manage their own users

Enable federated IdP to use our customers’ LDAP for Red Hat user account management, reducing the need to manually manage user accounts as their employees are hired, change roles, or depart.

Weak account security

Require email validation and enforce stronger password requirements for improved data security.

Misalignment with product login

Contribute improvements to Keycloak, the open source IAM project used for in-product account management, for alignment between the web and product user account experience.

Design journey

User flow mapping

Understand the use cases for both log in forms and all possible log in methods:

  • Username & password
  • Email & password
  • Federated IdP (Company SSO)

Customers that used their email address as the username for one of their accounts may not be able to access their other accounts.

Not requiring email verification created a security risk for customers wanting to use federated IdP.

Work planning

Defined the development features for the project, wrote the corresponding design and dev stories, and ran sprint planning.

Collaborate with InfoSec

Worked with the Information Security team to ensure compliance with the password best practices defined in NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) and with the Information Security Operating guidelines.

Password requirement flow, showing the status of complying with each requirement: a password requirements checklist, password strength best practices guidance, and clear markings to show which requirements have not been met.

Password strength flow, showing examples of a weak, medium, and strong password: once all requirements are met, the strength of the password is shown, encouraging users to choose a more complex and secure password.

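An added example (not Red Hat's or Keycloak's code) of the kind of check behind such a flow: a per-requirement checklist a UI can render live, and a strength rating reported only once every requirement is met. The requirements are assumed from NIST SP 800-63B guidance on memorized secrets (minimum length, a screen against common or breached values, no account identifier inside the secret); the blocklist, strength thresholds and names are constructed for the example.

```python
import math
import re

# Constructed stand-in for the common/breached-password list that
# NIST SP 800-63B says memorized secrets must be screened against.
BLOCKLIST = {"password", "password1", "12345678", "qwerty123", "letmein1"}

MIN_LEN, MAX_LEN = 8, 64  # 800-63B: at least 8 chars; at least 64 accepted

# Character classes used only for the strength estimate, not as composition rules.
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def check_requirements(password, username="", email=""):
    """Return {requirement: met} so a UI can show a live checklist."""
    lowered = password.lower()
    # Context-specific words (account name, email local part) are disallowed by 800-63B.
    context_words = {w.lower() for w in (username, email.split("@")[0]) if len(w) >= 3}
    return {
        "at_least_8_chars": len(password) >= MIN_LEN,
        "at_most_64_chars": len(password) <= MAX_LEN,
        "not_common_or_breached": lowered not in BLOCKLIST,
        "no_account_identifier": not any(w in lowered for w in context_words),
        "not_all_repeated": len(set(password)) > 1,
    }


def strength(password):
    """Rough entropy-based rating: 'weak', 'medium' or 'strong' (thresholds assumed)."""
    pool = sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, password))
    bits = len(password) * math.log2(pool) if pool else 0
    if bits < 40:
        return "weak"
    if bits < 60:
        return "medium"
    return "strong"


def evaluate(password, username="", email=""):
    """Checklist plus strength; strength is only reported once every requirement is met."""
    reqs = check_requirements(password, username, email)
    unmet = [name for name, ok in reqs.items() if not ok]
    return {"requirements": reqs, "unmet": unmet,
            "strength": strength(password) if not unmet else None}


if __name__ == "__main__":
    print(evaluate("Tr0ub4dor&3", username="alice", email="alice@example.com"))
    print(evaluate("alice2024!", username="alice"))
```
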
Manage design team

Formed a design team of 1 senior designer, 2 junior designers, and 1 intern.

Defined the design strategy and high-level user flows for the team and provided guidance, design input, and reviews for the junior designers.

Standardize visual design

Brought the SSO system in compliance with Red Hat’s Brand standards and the PatternFly design system.