Solving Access at Scale: Single Sign-On (SSO)
PestPac is a leading field service platform serving the pest control industry.
Since 2016, customers have asked for a more secure way to log into PestPac (PP) and its mobile companion, PestPac Mobile (PPM)—as well as a more streamlined experience for accessing multiple integrated products.
Role
Product design manager
Team
PestPac team
Common services team, in collaboration with their design manager
Mobile team
Problem / Challenge
As security standards evolved and the product ecosystem grew, the need for a seamless secure login became urgent. A Single Sign-On (SSO) solution was proposed to enhance security and simplify access across integrated products.
Objectives
Migrate desktop and mobile users to an external centralized repository for credential management
Enable access to multiple integrated products through a single login
Support third-party authentication for both desktop and mobile users
Establish a mechanism for enabling multi-factor authentication (MFA)
Given the scale—thousands of active users across 2,500+ businesses—a phased rollout was critical to prevent service disruptions.
This initiative required extensive cross-functional collaboration, involving more teams than any prior feature launch. SSO was positioned to be a common service across the company’s portfolio, with PestPac leading the implementation.
Research / Discovery
“Are you guys going to provide detailed documentation on how to allow our Google workspaces API access? We manage our own workspace and it can be a pain to try and figure out how to allow specific APIs.”
- Customer question during focus group
Validating the Approach
To validate our direction and build early alignment, we held an advisory focus group with key customers. This session introduced the Single Sign-On (SSO) initiative, showcased proof-of-concept prototypes, and outlined the proposed phased rollout and authentication options.
Customers asked many questions about business impact and technical feasibility, and raised complex use cases that helped shape our implementation strategy. As part of the discussion, we polled attendees on whether an additional layer of security via Multi-Factor Authentication (MFA) was needed—and if so, for which user groups.
Response options included:
Admins with access to sensitive data (e.g., payment details)
Customer Service Reps (CSRs) managing scheduling
Field technicians
Other user types not previously identified
All users
SSO had initially been requested by enterprise customers, who represent the majority of the user base. The focus group confirmed that corporate federated authentication was the preferred solution. As a result, this became our first implementation priority, followed by support for WorkWave and social logins—better suited for mid-market and small business users.
Design: Login & Impersonation
Desktop login screen update in preparation for SSO changes.
Mobile login before (left) and after (right)
Impersonation visuals should be prominent, but not cut off any other informational messaging or page content.
The planned phases were further broken down into milestones to fit into the existing sprint cadence.
Login screen: Desktop
Previously, the login screen had three fields: company key, username, and password.
With the introduction of SSO, the login flow changed. The company key was separated from the main login form and used to determine the appropriate authentication method. Based on this key, users would be routed to their company’s selected authentication solution—whether federated login, WorkWave credentials, or social login.
This new login pattern was included in an early release to give users time to adjust before broader changes were rolled out.
Login screen: Mobile
The mobile companion app, PestPac Mobile (PPM), also required updates to support SSO. Unlike the desktop product, PPM followed a separate login flow and release schedule, presenting unique implementation challenges.
This milestone provided an opportunity to modernize the login screen and visually align it with other WorkWave mobile products, improving brand consistency across the mobile experience.
Impersonation mode
Support required the ability to impersonate users to troubleshoot access issues. As the credentials were now being stored outside of the product environment, the approach to impersonating users also changed. Screens were designed for both desktop and mobile to show when a user was being impersonated.
To support troubleshooting, the ability for internal teams to impersonate users remained critical. However, with credentials managed externally through SSO, our existing impersonation workflow needed to be rethought.
We designed new screens for both desktop and mobile that clearly indicated when a session was being impersonated.
This ensured transparency for end users and maintained security standards while allowing support teams to diagnose access issues effectively.
Design: Grace Period
Once SSO is enabled, both desktop and mobile products will offer a grace period during which users can choose to log in using either legacy credentials or the new authentication methods—WorkWave Authentication or supported social logins.
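The company-key routing and the grace period described above can be expressed as one decision function. This is an added example, not PestPac or WorkWave code: the `Tenant` fields, method labels, company keys and dates are all hypothetical or constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Method names are labels chosen for this example, not product identifiers.
LEGACY, FEDERATED, WORKWAVE, SOCIAL = "legacy", "federated", "workwave", "social"


@dataclass(frozen=True)
class Tenant:
    method: str                          # authentication method the company selected
    sso_enabled_at: Optional[datetime]   # None: company has not migrated yet
    grace_until: Optional[datetime]      # None: no legacy fallback after migration


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample tenants, keyed by normalized company key.
TENANTS = {
    "acme": Tenant(FEDERATED, utc(2025, 1, 10), None),
    "bugsaway": Tenant(WORKWAVE, utc(2025, 3, 1), utc(2025, 4, 1)),
    "smallco": Tenant(SOCIAL, None, None),
}


def login_options(company_key: str, now: datetime) -> list:
    """Return the login methods to offer once the company key is entered."""
    tenant = TENANTS.get(company_key.strip().casefold())
    if tenant is None:
        return []                        # unknown key: nothing to route to
    if tenant.sso_enabled_at is None or now < tenant.sso_enabled_at:
        return [LEGACY]                  # SSO not enabled yet for this company
    options = [tenant.method]            # route to the company's selected method
    if tenant.grace_until is not None and now < tenant.grace_until:
        options.append(LEGACY)           # grace period: legacy login still offered
    return options                       # after the grace period: new method only


if __name__ == "__main__":
    for key, when in [(" ACME ", utc(2025, 2, 1)), ("bugsaway", utc(2025, 3, 15)),
                      ("bugsaway", utc(2025, 4, 1)), ("smallco", utc(2025, 6, 1))]:
        print(key.strip(), when.date(), login_options(key, when))
```

Giving the grace period a hard end date per company means the legacy password path closes on its own, without a separate cleanup step.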
Flows: Multi-Factor Authentication
One of the most complex workflows involved a user pairing their device for MFA, then using an authenticator app to get a code to log in.
User Authentication Manager
UAM grid for corporate federated authentication
UAM grid for WorkWave Authentication
User Provisioning & Authentication Management
To support user provisioning throughout the SSO migration process, I designed a centralized User Authentication Manager (UAM) grid.
For companies using corporate federated authentication, the UAM grid allows administrators to:
View user verification status
Sync user email addresses
Update user information
For those using WorkWave Authentication, additional management capabilities are available, including:
Sending and resending user invitations
Resetting passwords
Enabling or disabling Multi-Factor Authentication (MFA)
To streamline the experience and eliminate redundancy, the password reset functionality—previously located within individual user profiles—was consolidated into this centralized interface.
Reflections / Next Steps
The project is currently in progress, with the first group of companies actively migrating to SSO. Full migration across the user base is expected to be completed by year-end.
Future phases will support:
The ability to upgrade or downgrade by changing between auth methods
Global user deactivation & reactivation
Advanced chart interactivity and filtering capabilities
Multi-user selection for streamlined bulk actions
The rollout involved extensive cross-functional collaboration, a redesign of login screens for both desktop and mobile, updates to existing pages, and the creation of a centralized User Authentication Manager (UAM) to support provisioning. The result was a flexible, forward-compatible authentication framework that improves security, supports business growth, and lays the foundation for future enhancements such as bulk actions, provisioning upgrades, and advanced admin controls.