Salling Group’s Cloud IAM Journey: 6 Weeks, Big Lessons

Denmark’s Salling Group evolved from a small clothing and dry goods retailer in 1906 to an international retailing group that serves 12 million customers weekly. Salling, the largest retailing group in Denmark, has grocery stores in three countries, department stores, coffee shops, restaurants, and more. It impacts the lives of millions of people every day. Its goal is to make life easier for customers while providing the best shopping experience.

But making customers' lives easier takes some magic in the back office. Organizations as large and innovative as Salling need agile and secure IT systems that can react quickly to changing business requirements, scale as needed, and provide world-class security for users, systems, and critical data.

They also need to meet changing compliance and regulatory requirements—something Salling’s legacy identity and access management (IAM) systems could not do at an especially critical time.

“With the IAM legacy platform we had, we were not able to adhere to new compliance and legislation requirements,” said Jerome Thorstenson, Identity & Access Management Architect at Salling Group. “At the same time, our CEO had just announced that the company would open 300 new stores in three years, costing about half a billion Euros and growing the number of employees by at least 40,000.”

In short, the Salling Group needed a new IAM solution that met compliance requirements while supporting significant corporate growth and change. 

From on-prem legacy IAM to cutting-edge cloud IAM in six weeks

Unfortunately, a previous attempt at a “lift and shift” migration to a new on-premises IAM solution had failed, leaving the company with limited resources for a new approach. The challenge of implementing a new IAM solution was also compounded by Salling's need to do it quickly. Specifically, the company needed to have it in place in six weeks for the upcoming holiday retailing season starting with Black Friday.

With limited funding and minimal time, Thorstenson formed a three-person team to make it happen. Their first step to success was simplifying the project.

“We rescoped the project,” Thorstenson said. “We cut it down to the minimum viable product (MVP). Nothing was left to chance. Everything got revisited, including all the attributes of a user identity.” Anything that could be left to a later phase was.

Instead of trying another on-premises IAM solution, the team decided to move its IAM solution to the cloud using SailPoint Identity Security Cloud.

In conjunction with SailPoint, Salling created a six-week plan divided into four phases for rolling out the new SailPoint Identity Security Cloud solution. 

• Phase one was design and collaboration to define the MVP, coordinate with SailPoint, protect the project scope, and prepare the organization for change.
• Phase two was initial configurations and integrations.
• Phase three was testing and validation, which was critical because many existing systems lacked robust documentation.
• Phase four consisted of deployment and post-implementation support. This was where the team would fix unexpected problems and stabilize the production deployment.

Salling also used the opportunity to be the first to integrate with the company’s new HR system, SAP SuccessFactors HCM Suite.

“There was a steep learning curve in trying to extract all the employee data from SuccessFactors, but we did it with a lot of help from SailPoint,” said Thorstenson. “Luckily, they knew exactly what questions to ask our SAP team and HR architect.” 

Overcoming challenges and optimizing for scale

Once things were in place and tested, the team opted for a silent go-live to identify any initial bugs. After a week, it announced the new solution as live. Almost immediately, some issues popped up. For example, the organization’s size and the need to do nearly 2,500 off-boardings in the first week put a lot of pressure on its Microsoft Active Directory, causing it to crash.

By working with SAP, the team identified a workaround that solved the problem.

“We became best friends with the help desk because we knew other things would break; we just didn’t know what,” said Thorstenson. “Then it actually became pretty smooth sailing after that.”

The team initially created just nine roles since that’s what each of their retail stores has. Those nine roles ended up covering almost 2,000 of their stores. After that, the team started adding store-specific access roles.

“That’s where my team really got to shine,” said Thorstenson. “They started creating a lot of roles for individual stores so that we’ve become the authoritative source for over 60,000 employees, and we’re managing over 66,000 entitlements and close to 2,000 roles.”

Transformative results and the road ahead

While every company may not be able to move as rapidly as the Salling Group, the compelling results it has achieved so far from its rapid migration of its IAM from on-premises to the cloud have been impressive.

“Our onboarding time went from three or four days down to five to fifteen minutes,” said Thorstenson. “That’s a huge difference.”

The company has eliminated the technical debt from the legacy IAM system that was holding it back. “We’ve lifted our technology stack leap years ahead of where we were,” said Thorstenson. “With it, we’re planning to get our employee self-service portal up and running so people can actually start requesting roles.”

Key takeaways for a successful cloud IAM migration

After completing such a successful and quick migration to cloud-based IAM, Thorstenson has some recommendations for other companies:

• “Make sure your vendor knows it’s a long-term partnership, not just a ‘lift-and-shift’ exercise. They can help you enable your long-term roadmap.”
• “Don’t be afraid to say no. Saying no helps protect the project scope and enables you to deliver what you promised at budget and on time.”
• “Know your infrastructure and communicate to your stakeholders early and clearly. If you get your stakeholders on the journey, it will be an easy sell.”
• “Don’t overcomplicate your solutions or do any complicated customizations. Start with a minimum viable product to get your foundation right the first time.”
• “Don’t skimp on training. Not training your team on a new product is one of the biggest pain points I’ve seen.”

Strategic shift to cloud IAM enables transformative results

Salling Group's strategic shift to a cloud-based SaaS IAM solution enabled it to rapidly modernize its infrastructure and achieve tangible business outcomes. By embracing a focused MVP approach and committing to a collaborative partnership with SailPoint, Salling transformed its business, enabling it to overcome technical debt, improve compliance, and drive operational agility.