The Challenge

Illumify provides a SaaS ERP platform for cannabis operations, operating in a tightly regulated environment with strong security and audit requirements. Its existing single sign-on solution, built on the popular, free, open-source OpenIddict, supported only username and password authentication and was approaching the limits of what it could safely and sustainably deliver.

As the platform grew, Illumify needed to introduce multi-factor authentication, support users operating across multiple companies (tenancy), and enrich access tokens with tenancy context. These changes had to be delivered without disrupting existing applications, breaking integrations, or forcing users through a redesigned login experience. Maintaining compatibility with the existing user database and preserving the current UX were non-negotiable constraints.

The goal was to strengthen security and flexibility while keeping operational risk low and avoiding widespread application change.

The Solution

Rock Solid Knowledge proposed adopting its general-purpose SSO platform as the foundation for a modernised identity service, extending the existing OpenIddict-based approach rather than replacing it outright.

The solution was designed to be a drop-in replacement for the existing SSO, preserving existing application integrations and user workflows. By reusing Illumify’s current user database schema and styling, the platform delivered enhanced capabilities without introducing breaking changes or disrupting users.

Built on .NET 8 and OpenIddict 6, the architecture separates configuration, user identity, and authentication policy, allowing Illumify to evolve its security posture over time. Particular attention was paid to multi-tenancy, ensuring that tenancy and security account context could be consistently propagated to downstream applications through standards-based tokens.

What Was Delivered

  • A production-ready SSO platform compatible with Illumify’s existing user store and applications 
  • Multi-factor authentication with configurable policy options, including optional or enforced enrolment 
  • SMS-based second factor with recovery codes and device-based “remember me” support
  • Secure multi-company login with tenancy selection and in-session company switching
  • Enriched access tokens carrying tenant and security account claims
  • Comprehensive password policy enforcement, including breach detection and banned passwords
  • A user self-service portal for password management, second factor configuration, and session control
  • Accessible, responsive SSO user interfaces aligned to Illumify’s existing designs
  • Single logout support across connected applications
  • Structured handover sessions to enable Illumify’s team to operate and extend the platform independently
  • Production support, ensuring a reliable SSO solution

The Impact

The new SSO platform provided Illumify with a secure, extensible identity foundation aligned with its growth plans and regulatory requirements.

  • Significantly improved account security through strong password policy and multi-factor authentication
  • Reduced operational risk by avoiding changes to existing applications and user workflows
  • Clear support for multi-tenant users, with consistent tenancy context across the platform
  • A future-proof identity architecture that can evolve alongside policy and compliance requirements 

Why Rock Solid Knowledge

Rock Solid Knowledge brought deep expertise in OAuth, OpenID Connect, and real-world identity delivery. Its experience building and supporting production SSO platforms reduced delivery risk and ensured the solution balanced security, usability, and maintainability.

By focusing on compatibility, standards, and long-term operability, Rock Solid Knowledge delivered a solution that Illumify’s team could confidently own and extend.

Talk to us about modernising identity and authentication for your SaaS platform.

Andrew is a Director at Rock Solid Knowledge.
