Okta & Shopify Discovery Deep Dive

Date: December 8, 2025
Meeting Type: Technical Discovery
Attendees: Jay Heavner (VP IT), Katherine Bayless, Samuel Roberts, Uttam Kumaran


Meeting Purpose

Deep dive with Jay Heavner on two critical pain points:

  1. Okta Authentication - Causing 80% of customer support requests
  2. Shopify Digital Asset Delivery - Download failures, authentication loops

Part 1: Okta Authentication Issues

Current Architecture

Two Separate Tenants:

  1. Workforce Tenant

    • Internal staff and contractors
    • Uses FastPass for passwordless auth (when enrolled)
    • Collide device assurance
    • Various policy exceptions for leadership
  2. Customer Tenant

    • 150K CES registrants (grows to 900K monthly active users)
    • No FastPass enrollment (customers don’t download app)
    • No email verification (marketing decision from years ago)
    • Username = email address (not immutable)

Cost: $260K per year for 900K monthly active users

The Problem

User Experience Issues:

Katherine’s experience:

“I’ve never had to enter my password as much as I have in the last few months”

Symptoms:

  • Excessive password prompts across applications
  • Users frustrated with constant re-authentication
  • MFA fatigue from repeated prompts (SMS factors now cost extra)
  • Magic links not implemented for Customer tenant
  • Average 29 min 36 sec registration time (auth a major factor)

Customer Support Impact:

  • 80% of customer service requests related to authentication
  • Password reset emails
  • Account lockouts
  • Confusion about multiple logins

Technical Debt:

  • Username = email (changes when people change names/emails)
  • No email verification on Customer tenant (marketing decision years ago)
  • Policy exceptions carved out for senior leadership
  • Vendors don’t understand OIDC/OAuth properly
  • Vendors still side-load user data from other systems instead of reading the claims in the JWT

Jay’s Perspective

20-Year IT Veteran Context:

Jay has been at CTA for 20+ years, seen everything evolve. Knows all the systems intimately.

Okta Implementation Challenges:

  • Inherited configuration from previous decisions
  • Marketing team made call on no email verification
  • Leadership exceptions hard to remove (“government stealing fingerprints”)
  • FastPass enrollment inconsistent across workforce
  • Vendor integrations often broken or half-implemented

Competing Priorities:

  • Can’t make changes before CES (January)
  • Limited IT staff bandwidth
  • Finance very cost-conscious ($260K/year scrutinized)
  • Need to maintain 99%+ uptime

Known Workarounds

Katherine’s 80% Reduction Achievement:

Already achieved 80% reduction in auth-related tickets this year through:

  • Custom error messaging widget
  • Better user guidance on password requirements
  • Clearer communication during registration

“If I can get 80% with just better error messages, imagine what we could do with proper fixes”

Current Hacks:

  • Manual password reset processes
  • Customer service team shortcuts
  • Documentation for common issues
  • Slack channel for IT/support coordination

Potential Solutions Discussed

Quick Wins (Within Okta):

  1. Implement Magic Links

    • Passwordless auth for Customer tenant
    • Reduce password-related support tickets
    • Better mobile experience
  2. Improve Password Policies

    • Less complex requirements if MFA enabled
    • Risk-based authentication
    • Context-aware prompts
  3. Fix Session Management

    • Longer session times for low-risk activities
    • Smart re-authentication prompts
    • Remember device better

Medium-Term Options:

  1. Consolidate Tenants

    • Single Okta tenant with different policies
    • Easier to manage, potentially lower cost
    • Risk: Migration complexity
  2. Enable Email Verification

    • Convince marketing team (hard political problem)
    • Would solve many downstream issues
    • Username immutability improvements

Long-Term Evaluation:

  1. Alternative Identity Providers
    • Auth0: More developer-friendly, better docs
    • Clerk: Modern, built for developers
    • Amazon Cognito: Already on AWS, lower cost
    • WorkOS: Enterprise focus, SAML/OIDC native

Factors:

  • Migration complexity (150K users)
  • Cost comparison ($260K baseline)
  • Vendor integration effort
  • Team learning curve
  • Procurement timeline

Technical Details from Jay

Okta Logout Bug:

When admins log out of workforce tenant:

  • Removes admin role every time
  • Have to manually re-add in console
  • Impexium integration issue
    • Workaround: Don’t log out (not secure: leaves privileged admin sessions open indefinitely)

Session Management:

  • Multiple apps = multiple authentication prompts
  • Each vendor implements differently
  • Some vendors side-load user data instead of reading the JWT claims
  • OIDC/OAuth not understood by many vendors
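The two recurring complaints in these notes (vendors side-loading user data instead of reading the JWT, and username = email changing when people rename) are one problem seen from two sides: the ID token already carries a stable subject identifier, and a relying party that validates the token and keys its records on sub needs neither a side channel nor a mutable email as primary key. The block below is an added illustration written for these notes, not code from CTA, Okta or any vendor. It uses an HS256 (HMAC) signature so it runs stand-alone; real Okta ID tokens are RS256-signed and must be verified against the issuer’s JWKS, and the issuer URL, client ID, signing key and sample claims are all assumed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the demo: the Okta authorization server URL and the
# client_id Okta issued to the relying party (vendor app).
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "0oa-vendor-app-client-id"


class TokenError(ValueError):
    """Raised with a short, support-friendly reason when a token is rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 ID token for the demo. Okta signs with RS256; this
    exists only so the verifier below has something to check offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, expected_nonce: str,
                    now: Optional[float] = None) -> dict:
    """Validate the signature and the OIDC core claims, then return the claims.

    Order matters: signature first, so no claim is trusted before the token
    is known to come from the issuer.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm; never let the token choose (blocks alg=none tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        raise TokenError("malformed token")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise TokenError("expired")
    # nonce binds the token to the login request that produced it.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if "sub" not in claims:
        raise TokenError("missing sub")
    return claims


def account_key(claims: dict) -> str:
    """Key local records on issuer + sub. Email is a display attribute that
    changes when a user renames; sub is stable for the life of the account."""
    return f"{claims['iss']}|{claims['sub']}"


def rejection_reason(token: str, key: bytes, expected_nonce: str,
                     now: float) -> Optional[str]:
    """None if the token verifies, otherwise the reason (for logs and support)."""
    try:
        verify_id_token(token, key, expected_nonce, now)
        return None
    except TokenError as exc:
        return str(exc)
```

A vendor integration built this way reads email, name and membership attributes from the verified claims (or a token-authenticated userinfo/API call) and stores them against account_key(claims); when a customer changes their email address the row is updated rather than duplicated. The one-word rejection reasons are the kind of thing the support team needs in a log line instead of a silent redirect back to the login page.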

FastPass Adoption:

  • Many staff afraid of biometrics
  • “Government stealing fingerprints” conspiracy theories
  • Leadership exemptions make it hard to require
  • When enrolled, works great (passwordless)

Device Assurance (Collide):

  • Inconsistent enforcement
  • Not all devices enrolled properly
  • Certificate management complex

Discovery Questions Identified

For CTA to Answer:

  1. What’s the acceptable downtime for migration?
  2. Can we get marketing buy-in on email verification?
  3. What’s the timeline for leadership policy exceptions removal?
  4. Are there budget constraints for alternatives?
  5. What’s the priority: cost reduction or UX improvement?

For Brainforge to Research:

  1. Auth0 vs Clerk vs Cognito cost comparison
  2. Migration effort estimation for 150K users
  3. Vendor integration re-work required
  4. Quick wins feasibility (magic links, session mgmt)
  5. Risk assessment for each approach

Constraints

Timing:

  • No changes before CES (January 2026)
  • Need 3-6 month runway for major migration
  • Quick wins could ship in Q1 post-CES

Political:

  • Marketing team decision on email verification
  • Leadership unwilling to change policies
  • Finance scrutinizes all spending
  • Vendor relationships (don’t want to break working integrations)

Technical:

  • 99%+ uptime required
  • Must work on mobile (majority of CES traffic)
  • Integration with 10+ critical systems
  • Cannot break CES registration flow

Part 2: Shopify Digital Asset Delivery

Current Implementation

What Shopify Is Used For:

  1. Digital Asset Delivery

    • Research reports ($500-5,000 per report)
    • Market analysis documents
    • White papers and studies
    • ~50-100 SKUs
  2. CES Sponsorships (Recently Discovered!)

    • Katherine didn’t know until recently
    • Small dollar amount but adds complexity
    • Unclear why this use case exists

Ownership Triangle:

  • Marketing team bought the platform
  • Jay built the integration
  • Nobody actively maintains it

The Problem

Authentication Loop:

User journey (when it works):

  1. User browses CTA website
  2. Clicks “purchase report”
  3. Redirected to Okta (workforce tenant)
  4. Okta checks Remembers for membership status
  5. Remembers returns discount eligibility
  6. Redirected to Shopify
  7. Purchase completes
  8. Should receive download link

User journey (when it fails):

  1-6. Same as above
  7. Purchase completes but no download link
  8. User stuck in auth loop between Okta/Remembers/Shopify
  9. Support ticket created in support-download-issues Slack channel
  10. Manual intervention required

Katherine’s Data:

“At a certain point, the data suggests something different… we have a Slack channel called support-download-issues”

Failure rate: Unknown exactly, but “constant stream” of tickets

Technical Debt:

Built by:

  • New Zealand vendor
  • Subcontracting to individual developer
  • Written in Ruby
  • No internal Ruby expertise at CTA

Jay’s assessment:

“The integration is half-baked”

Known Issues:

  • Authentication flow not fully tested
  • Error states not handled gracefully
  • Users don’t understand what went wrong
  • Download links expire (unclear timeout)
  • No clear error messages
  • Mobile experience particularly bad

Jay’s Technical Deep Dive

How It Was Built:

  • Jay hired NZ vendor to build Shopify integration
  • Vendor subcontracted to individual developer
  • Built custom Ruby app to connect systems
  • Hosted on… (unclear, Jay manages it)
  • Limited documentation

Integration Flow:

CTA Website → Okta (auth) → Remembers (check membership) 
→ Shopify (checkout) → ??? (delivery) → User

Missing piece: Reliable delivery after successful purchase.

Authentication Implementation:

  • Uses Okta for identity
  • Queries Remembers for member status via API
  • Passes pricing token to Shopify
  • Shopify completes transaction
  • Should trigger download link generation
  • Fails somewhere in “should trigger” step

Ruby Codebase:

  • Jay has used Claude for code modifications
  • Small changes work okay
  • Larger refactors risky without Ruby expertise
  • No test coverage
  • Difficult to debug production issues

Potential Solutions Discussed

Option 1: Fix the Ruby Code

Pros:

  • Smallest change, fastest path
  • Jay already using Claude for small fixes
  • Sunk cost in existing implementation
  • Maintains current UX

Cons:

  • Band-aid solution, doesn’t address root cause
  • No internal Ruby support long-term
  • Vendor relationship unclear
  • Still have auth loop complexity

Option 2: Replace with Stripe

Pros:

  • Purpose-built for digital products
  • Simple download delivery
  • Great documentation
  • Lower maintenance burden
  • Stripe Billing handles subscriptions well
  • Could still integrate with Remembers for discounts

Cons:

  • Migration effort (50-100 SKUs)
  • Need to rebuild pricing logic
  • Stripe Connect vs Platform decision
  • Additional procurement process

Option 3: Replace with Gumroad

Pros:

  • Specifically for digital products
  • Simple setup, low maintenance
  • Built-in email delivery
  • Good reporting

Cons:

  • Less customizable than Stripe
  • Membership discount logic harder
  • Less enterprise-ready
  • Another new vendor to onboard

Option 4: Consolidate into Remembers

Pros:

  • Already have AMS with storefront capability
  • Members already logged in
  • Single source of truth
  • No additional vendors
  • Native reporting

Cons:

  • Impexium limitations unclear
  • Would need to investigate capability
  • May not support digital downloads natively
  • Could be complex to implement

Option 5: Custom Solution (S3 + Simple Payment)

Pros:

  • Maximum control
  • Leverage existing AWS infrastructure
  • S3 signed URLs for secure downloads
  • Simple payment processor (Stripe Elements)
  • Lower ongoing cost

Cons:

  • Build and maintain ourselves
  • Not core competency
  • Reinventing wheel
  • PCI compliance considerations
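Option 5’s “S3 signed URLs for secure downloads” and the Known Issues item “Download links expire (unclear timeout)” come down to the same pattern: a download link is a time-limited capability tied to one order, and the server must be able to say exactly why it refused one instead of bouncing the buyer back into the auth loop. The block below is an added example for these notes, not CTA’s Ruby code and not an S3 API call; with AWS the equivalent is boto3’s generate_presigned_url("get_object", Params=..., ExpiresIn=...), which signs the URL client-side with SigV4. Here the signing is a plain HMAC over the query string so it runs offline; the host, key, order and SKU values are constructed.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: in production the key comes from a secret store and the
# host is wherever the delivery endpoint lives.
SIGNING_KEY = b"constructed-demo-key-rotate-me"
BASE_URL = "https://downloads.example.org/report"


def _sign(params: dict) -> str:
    # Canonical form: sorted query string, without the sig itself. Issuer and
    # checker must build it identically or valid links will be rejected.
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def make_download_url(order_id: str, sku: str, customer_sub: str,
                      ttl_seconds: int, now: int) -> str:
    """Issue a link that names the order, the SKU and the buyer, and carries
    an explicit expiry so the timeout is never 'unclear'."""
    params = {
        "order": order_id,
        "sku": sku,
        "sub": customer_sub,          # the Okta subject, not the email
        "expires": str(now + ttl_seconds),
    }
    return f"{BASE_URL}?{urlencode(sorted(params.items()))}&sig={_sign(params)}"


def check_download_url(url: str, now: int) -> Tuple[bool, str]:
    """Return (ok, detail). On success detail is the SKU to serve; on failure
    it is a reason that can be shown to the user and logged for support."""
    query = parse_qs(urlparse(url).query)
    try:
        sig = query.pop("sig")[0]
        params = {k: v[0] for k, v in query.items()}
        expires = int(params["expires"])
    except (KeyError, IndexError, ValueError):
        return False, "malformed link"
    # Signature before expiry: a forged link gets the same answer whether or
    # not its expiry has passed, and expiry is only trusted once signed.
    if not hmac.compare_digest(_sign(params), sig):
        return False, "link altered or not issued by us"
    if now >= expires:
        return False, f"link expired at {expires}; request a fresh one from your order history"
    return True, params["sku"]
```

The delivery endpoint would call check_download_url, stream the object for the returned SKU on success, and render the failure reason as-is; because the link embeds the buyer’s sub, a re-issue endpoint can regenerate it for the signed-in customer without touching Shopify again, which is the “missing piece” in the integration flow above.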

Katherine’s Take

Revenue vs Burden Analysis:

Small revenue stream but disproportionate support burden:

  • Constant support tickets
  • Takes Jay’s time for maintenance
  • User frustration harms CTA brand
  • Unclear if profitable after support costs

Organizational Dynamics:

Nobody wants to own Shopify:

  • Marketing: “We just wanted to sell things”
  • Jay: “I just built what they asked for”
  • Membership: “Not our system”
  • Katherine: “I didn’t even know we used it”

Classic case of tool bought without ongoing ownership plan.

Jay’s Constraints

Time:

  • Full-time role managing all IT infrastructure
  • CES takes 100% focus Nov-Feb
  • Limited bandwidth for side projects
  • Prefer low-maintenance solution

Risk:

  • Can’t break digital asset sales (revenue stream)
  • Can’t make CES sponsorships worse
  • Need to maintain during CES
  • No downtime acceptable

Resources:

  • No Ruby developers on staff
  • No budget for full Shopify agency
  • Could potentially pay for one-time fix
  • Prefer a tool that doesn’t need constant maintenance

Discovery Questions Identified

For CTA to Answer:

  1. What’s annual revenue from digital assets?
  2. What’s total cost of ownership (platform + support)?
  3. Can we quantify support ticket volume?
  4. Is CES sponsorship use case real/ongoing?
  5. What’s acceptable migration timeline?
  6. Who should own this long-term?

For Brainforge to Research:

  1. Map exact auth flow (where does it fail?)
  2. Test failure scenarios systematically
  3. Impexium digital product capability
  4. Stripe vs Gumroad cost/feature comparison
  5. Custom build effort estimation
  6. Quick fix options in Ruby code

For Jay to Provide:

  1. Access to Ruby codebase
  2. Shopify admin access
  3. Sample failure logs
  4. Current support ticket examples
  5. Revenue/transaction data
  6. Integration documentation (if exists)

Immediate Next Steps

Week 1-2:

  • Samuel to map complete auth flow
  • Get access to Shopify admin and Ruby code
  • Document specific failure points
  • Create test scenarios

Week 3-4:

  • Cost-benefit analysis of each option
  • Technical feasibility assessment
  • Recommendation with timeline
  • Get buy-in from stakeholders

Post-CES (Feb+):

  • Implement chosen solution
  • Migrate SKUs if needed
  • Test thoroughly
  • Monitor for issues

Part 3: Other Systems Discussion

Event Base (Mobile App)

Jay’s Context:

Written in ColdFusion (!)

  • Very old technology, hard to maintain
  • Casey managing (going on maternity leave)
  • 2-year contract, considering migration
  • Might move to Flutter

Panasonic Story:

CTA approached Panasonic to help build AI features for mobile app. Panasonic excited… until they learned it was ColdFusion. Panasonic declined: “We don’t work with ColdFusion”

“That’s how you know your tech stack is outdated - when vendors won’t work with you”

Future Plans:

  • Contract up for renewal
  • Evaluating Flutter rebuild
  • Want to add AI features (recommendations, etc.)
  • Need analytics implementation

Glean

Jay Owns This:

  • Connected to SharePoint
  • Tries to be “enterprise Google”
  • AI-powered search across documents

Katherine’s Frustration:

“Actively harming reputation of our data… making people hate AI”

Problems:

  • Connected to data it shouldn’t access
  • Returns incorrect information confidently
  • No data governance on sources
  • Calls non-agentic workflows “agents” (Katherine’s pet peeve)

Opportunity:

  • Connect to curated Snowflake data
  • Proper data catalog
  • Accurate answers from verified sources
  • Could be great if done right

Google Analytics / BigQuery

Admin Access Locked:

  • Orange Spark set up good infrastructure
  • Former employee had admin access
  • Employee left, Google account locked
  • Google Cloud support trying to recover
  • Katherine has data editor, not admin

Jay working with Google to regain control.

Opportunity:

  • Well-implemented tracking
  • Looker Studio dashboards exist but underutilized
  • Could provide valuable funnel insights
  • Need admin to make changes

Key Themes

1. Sunk Cost vs Fresh Start

Pattern across both Okta and Shopify:

  • Existing implementations have issues
  • Sunk cost makes abandonment hard
  • But ongoing cost may exceed migration cost
  • Need honest cost-benefit analysis

2. Ownership Vacuum

Neither system has clear owner:

  • Okta: IT maintains, marketing influences, everyone uses
  • Shopify: Marketing bought, Jay built, nobody maintains

Creates situation where problems persist because no one empowered to fix.

3. Vendor Relationship Management

CTA burned by vendors multiple times:

  • Shopify subcontractor mystery developer
  • CES tech stack daisy-chain
  • Event Base ColdFusion surprise

Jay cautious about new vendors, wants proven solutions.

4. CES Constraint Dominates

Everything scheduled around CES:

  • No changes Nov-Jan
  • Post-CES window for improvements
  • Need solutions stable before next CES cycle starts (June)
  • Creates 6-month effective window: Feb-July

5. Cost-Conscious Culture

Finance scrutinizes every dollar:

  • $260K Okta spend seems high
  • Shopify cost vs value unclear
  • Need ROI demonstration for any new tool
  • Prefer consolidation over proliferation

Technical Decisions Needed

Okta Decision Tree

If Priority = Quick Wins:

  • Implement magic links + improve session management
  • Timeline: Q1 2026 (Feb-Mar)
  • Cost: Low (within current Okta spend)

If Priority = Cost Reduction:

  • Evaluate Auth0 vs Clerk vs Cognito
  • Detailed migration plan
  • Timeline: Q2-Q3 2026
  • Cost: Migration effort + new platform

If Priority = UX:

  • Custom authentication flows
  • Risk-based authentication
  • Timeline: Q2 2026
  • Cost: Medium (dev effort + testing)

Shopify Decision Tree

If Priority = Stability:

  • Fix Ruby code issues
  • Comprehensive testing
  • Timeline: Q1 2026
  • Cost: Low (contractor)

If Priority = Long-term Maintenance:

  • Replace with Stripe or Gumroad
  • Migrate SKUs carefully
  • Timeline: Q2 2026
  • Cost: Medium (migration + testing)

If Priority = Consolidation:

  • Move to Remembers storefront
  • Investigate capability first
  • Timeline: Q3 2026
  • Cost: High (discovery + implementation)


Success Criteria

For Okta Improvements

Quantitative:

  • 50%+ reduction in auth-related support tickets
  • <5 minute registration time (from 29+ min)
  • 95%+ successful authentications on first attempt
  • $100K+ annual cost reduction (if replacing)

Qualitative:

  • Users stop complaining about passwords
  • Staff can work without constant prompts
  • Mobile experience smooth
  • Vendor integrations reliable

For Shopify Improvements

Quantitative:

  • Zero download failures after successful purchase
  • <2 support tickets per month (from current “constant stream”)
  • 99%+ successful delivery rate
  • Clear ROI (revenue - support cost - platform cost)

Qualitative:

  • Users receive downloads immediately
  • Clear error messages when issues occur
  • Staff know who owns the system
  • Jay’s time freed up for higher priorities

Risks & Mitigation

Okta Migration Risks

Risk                             Impact    Mitigation
CES registration breaks          Critical  Test extensively, maintain Okta as backup
Vendor integrations fail         High      Map all integrations, test each one
User confusion during migration  Medium    Clear communication, gradual rollout
Cost overruns                    Medium    Detailed scoping, fixed-price where possible

Shopify Replacement Risks

Risk                             Impact  Mitigation
Revenue loss during migration    High    Parallel run old + new systems
SKU data loss                    Medium  Careful migration, data validation
New system also has issues       Medium  Thorough testing, proof of concept first
User confusion                   Low     Same UX where possible, clear documentation

Resources Needed

For Okta Discovery

  • Jay: Okta admin access for Samuel
  • Jay: List of all Okta-integrated applications
  • Katherine: Support ticket data (volume, categorization)
  • Katherine: User survey on auth pain points
  • Brainforge: Cost comparison spreadsheet
  • Brainforge: Migration effort estimation

For Shopify Discovery

  • Jay: Ruby codebase repository
  • Jay: Shopify admin access
  • Jay: Sample error logs
  • Katherine: Support ticket examples
  • Finance: Revenue and transaction data
  • Brainforge: Auth flow mapping
  • Brainforge: Alternative platform evaluation

Next Meeting

Date: December 16, 2025
Agenda: Q1 Scopes + dbt demo
Attendees: Katherine, Jay, Uttam, Samuel, Ashwini

Pre-work:

  • Samuel to map Shopify auth flow
  • Uttam to draft Okta discovery scope
  • Katherine to gather support ticket data
  • Jay to provide access and documentation

Memorable Quotes

Jay on ColdFusion:

“When Panasonic won’t work with you, you know your tech stack is outdated”

Katherine on Glean:

“Actively harming reputation of our data… making people hate AI”

Katherine on support tickets:

“At a certain point, the data suggests something different”

Jay on Shopify:

“The integration is half-baked”

Katherine on ownership:

“Marketing bought it, Jay built it, nobody maintains it”

Jay on Claude:

“I’ve been using Claude to make small changes… works okay for that”


Compiled from transcript: cta_discovery_workstreams_chat_12_8_2025.md