SSO vs API key authentication for partner portal access in distribution management (security, scalability, auditability)

We’re evaluating authentication strategies for our partner portal in Infor SCM distribution management (IS 2022.2). Currently, we use API keys for partner access, but we’re considering moving to SSO for better security and user experience.

Our partner ecosystem includes 50+ distributors who need access to order status, inventory levels, and shipment tracking. Some partners have their own identity providers, while others use basic authentication systems. We’re weighing the trade-offs between SSO’s centralized identity management and API key’s simplicity.

What are your experiences with SSO versus API key authentication for partner portals? Specifically interested in perspectives on auditability, compliance requirements, and the operational overhead of managing either approach at scale.

API key simplicity is deceptive. Yes, it’s easy to implement, but the security risks are significant - keys get embedded in scripts, shared via email, and rarely rotated. We had a security incident where a former partner employee retained API access for months after leaving. SSO with proper federation eliminates this risk through centralized access control and automatic session management.

The hybrid approach is interesting. How do you handle the complexity of maintaining two authentication systems? Does it create confusion for partners or internal support teams? Also, what criteria do you use to decide which partners get SSO versus API keys?

Don’t underestimate the operational overhead of SSO. We spent six months onboarding partners to our SSO system - each requiring custom SAML configuration, testing, and support. For partners with technical capability, it’s worth it. But forcing SSO on smaller partners who lack IT resources creates friction and delays. Consider partner segmentation based on technical maturity.

SSO centralizes identity management beautifully, but you’ll face challenges with partners who lack mature IdP infrastructure. We implemented SAML SSO for our top 20 partners and kept API keys for smaller ones. The hybrid approach works well - SSO provides better audit trails and automatic deprovisioning when employees leave partner companies, while API keys serve partners without SSO capability.
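The stale-key incident described earlier and the hybrid design in this reply both come down to key lifecycle: the following is an added example, not code from this thread or from Infor SCM, of how the API-key side of such a portal can get expiry, owner binding, revocation and an audit trail. It is plain Python with a constructed in-memory store standing in for the portal's database; the `KEYS` and `AUDIT_LOG` structures and the partner and owner values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store and audit trail; a real portal would back
# these with a database and ship the log to the SIEM.
KEYS = {}        # key_id -> key record
AUDIT_LOG = []   # one entry per authentication decision

def issue_key(partner, owner, ttl_days=90):
    """Issue a key bound to a partner and a named owner, with an expiry.
    Returns (key_id, secret); only a hash of the secret is stored."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    KEYS[key_id] = {
        "partner": partner, "owner": owner, "revoked": False,
        "hash": hashlib.sha256(secret.encode()).hexdigest(),
        "expires": time.time() + ttl_days * 86400,
    }
    return key_id, secret

def revoke_keys_for_owner(owner):
    """Deprovisioning hook: revoke every live key held by a departed
    partner employee. Returns the number of keys revoked."""
    revoked = 0
    for rec in KEYS.values():
        if rec["owner"] == owner and not rec["revoked"]:
            rec["revoked"] = True
            revoked += 1
    return revoked

def authenticate(key_id, secret, now=None):
    """Validate a presented key and log the decision. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    rec = KEYS.get(key_id)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if rec is None:
        reason = "unknown_key"
    elif rec["revoked"]:
        reason = "revoked"
    elif now >= rec["expires"]:
        reason = "expired"
    elif not hmac.compare_digest(rec["hash"], presented):
        reason = "bad_secret"
    else:
        reason = "ok"
    AUDIT_LOG.append({"ts": now, "key_id": key_id, "outcome": reason,
                      "partner": rec["partner"] if rec else None})
    return reason == "ok", reason
```

Because every key carries an owner, the same HR leaver event that deprovisions an SSO user can call `revoke_keys_for_owner`, which closes the gap the incident above describes.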