Cambridge University Press - Single Sign-On for 100M Global Users
Modernized authentication infrastructure for academic publishing platform serving 100 million users worldwide with 4 billion documents across public and private realms.
Project Goals
Modernize the legacy single sign-on system to support 100 million users across multiple authentication realms, deliver real-time monitoring and operational tools for a platform serving 4 billion documents, ensure zero downtime during the migration of critical academic infrastructure, and support both public access and institutional subscriptions with unified authentication.
The Problem
Cambridge University Press runs one of the world's largest academic publishing platforms. 100 million users. 4 billion documents. Students and researchers worldwide depending on it.
Their authentication system was showing its age.
The old single sign-on couldn't scale. Multiple authentication methods that didn't play well together. No unified view for operations teams. And the complexity: public users, institutional subscriptions, federated university logins—all needing different treatment.
Oh, and downtime? Not an option. Try explaining to a PhD student why they can't access research papers the night before their thesis is due.
The Challenge
This wasn't just swapping out login forms. Cambridge University Press had authentication complexity that would make most SaaS platforms look simple:
Public users creating free accounts. Individual subscribers paying for access. Entire universities with site licenses. Federated login from campus systems. API access for third-party integrations.
Each one needed different authentication flows. All of them needed to work seamlessly together.
And the timeline constraint: No downtime windows. Students use the platform 24/7 across every timezone. Academic calendars don't have "quiet periods."
What We Built
We modernized the entire authentication infrastructure while maintaining 100% uptime. Zero service interruptions. Zero lost sessions. Business as usual from the user perspective.
The New SSO System
Built a centralized identity provider supporting every authentication method Cambridge needed:
Traditional username/password for direct users. OAuth and SAML for federated institutions. Token-based authentication for APIs. Single sign-on across the entire product family.
All managed through one system instead of disconnected pieces.
Realm Unification
The platform had multiple "realms"—different user populations with different access patterns.
Public realm: Open access to free content. Registration for personalization. Trial access to premium content.
Private realm: Institutional access through university subscriptions. IP-based authentication. Federated login from campus systems. License enforcement.
We unified them under one authentication layer. Users could move between realms seamlessly. Consistent experience everywhere.
Federation at Scale
Hundreds of universities worldwide. Each with their own identity systems. Each wanting federated login so students use their campus credentials.
We built SAML integration that scaled:
Metadata management for institutions. Automated onboarding processes. Support for different federation standards. Failover when institutional systems went down.
Every university integration is unique. We built systems that made unique integrations manageable.
Global Infrastructure
100 million users don't live in one place. They're everywhere.
We distributed authentication infrastructure globally:
Regional servers reducing latency. Database replication for fast reads. Caching for frequently accessed data. Geographic routing sending users to nearby servers.
Students in Tokyo shouldn't authenticate through servers in London. They don't anymore.
The Migration
You don't migrate 100 million users overnight.
We ran old and new systems in parallel. Dual-write to both during transition. Gradually moved user populations to new infrastructure.
Started with low-risk segments. Monitored everything. Rolled out region by region. Feature flags controlling exactly who used what.
If something went wrong, instant rollback. It never did.
Result: Zero downtime throughout the entire migration.
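One way to implement the flag-driven cohort routing and dual-write described in this section, added here as an illustration and not the project's own code. The segment names, region codes, salt, and the `RolloutConfig` and `DualWriteStore` names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class RolloutConfig:                      # hypothetical flag state, not the project's schema
    kill_switch: bool = False             # instant rollback: route everyone to legacy
    enabled_segments: set = field(default_factory=set)   # low-risk segments first
    region_percent: dict = field(default_factory=dict)   # region -> 0..100

def bucket(user_id: str, salt: str = "sso-migration") -> int:
    """Stable 0..99 bucket, so a user stays in one cohort across logins."""
    digest = hashlib.sha256(f"{salt}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % 100

def choose_idp(user_id: str, segment: str, region: str, cfg: RolloutConfig) -> str:
    """Return 'new' or 'legacy'; anything not explicitly enabled stays on legacy."""
    if cfg.kill_switch or segment not in cfg.enabled_segments:
        return "legacy"
    return "new" if bucket(user_id) < cfg.region_percent.get(region, 0) else "legacy"

class DualWriteStore:
    """Legacy stays the source of truth; the new store is written best-effort."""
    def __init__(self):
        self.legacy, self.new, self.drift = {}, {}, []

    def _write_new(self, user_id, record):
        self.new[user_id] = dict(record)

    def write(self, user_id, record):
        self.legacy[user_id] = dict(record)          # authoritative write
        try:
            self._write_new(user_id, record)
        except Exception as exc:                     # never fail a login on the shadow write
            self.drift.append((user_id, repr(exc)))  # queue for reconciliation

    def mismatches(self):
        """Users whose records differ between stores; must be empty before cutover."""
        return sorted(u for u, r in self.legacy.items() if self.new.get(u) != r)

if __name__ == "__main__":
    cfg = RolloutConfig(enabled_segments={"public"}, region_percent={"apac": 25})
    users = [f"user-{i}" for i in range(1000)]       # constructed sample IDs
    moved = sum(choose_idp(u, "public", "apac", cfg) == "new" for u in users)
    print(f"{moved} of {len(users)} constructed users routed to the new IdP")
```

Because the bucket is derived from the user ID, raising a region's percentage only adds users to the new path and never moves an already-migrated user back, which keeps sessions stable during the ramp.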
Operational Tools
Built real-time monitoring and operational tools for the team managing the platform:
Dashboards showing authentication success rates by region. Login latency metrics. Active sessions. Error patterns. Usage by institution.
Support teams could diagnose problems in seconds instead of hours:
User can't log in? Look up their account, see their authentication history, identify the issue immediately.
University reporting access issues? Check their usage patterns, verify their federation setup, spot the problem.
Operations went from reactive to proactive. Problems caught before users noticed.
The Results
100 million users supported globally. Every authentication method. Every region. All working.
4 billion documents accessible. The content was always there. Now authentication never gets in the way of accessing it.
Zero downtime during migration. Not one minute of service interruption. Mission-critical academic infrastructure stayed mission-critical.
99.9%+ authentication success rate. Users log in. It works. Every time.
Support tickets decreased 60%. Better monitoring meant problems got fixed before users contacted support.
Authentication latency reduced 40%. Global distribution and caching made logins faster everywhere.
What We Learned
Dual-run migration enables zero downtime. Running old and new systems in parallel costs more infrastructure. But for mission-critical systems where downtime isn't acceptable, it's the only way.
Gradual traffic shifting. Instant rollback capability. Production validation at every step.
Monitoring is a product feature. Real-time operational tools weren't just for the ops team. They improved user experience by enabling faster problem resolution.
When support teams can diagnose issues in seconds, users get help faster.
Authentication complexity scales with business complexity. Cambridge's authentication wasn't complicated for fun. Public users, institutional subscribers, federated login—each solved a real business need.
The technical challenge was making all that complexity work together seamlessly.
Federation requires patience. Every university is different. Different systems. Different standards. Different timelines. Different bureaucratic processes.
You can't standardize it away. You build systems that handle the diversity gracefully.
Global scale requires regional thinking. Centralized authentication from one data center doesn't work when users are everywhere.
Geographic distribution isn't optional at this scale. It's the difference between acceptable and great user experience.
Cambridge University Press supports education worldwide. Their authentication infrastructure finally matched that scope.