Executive summary
In this Managed by CST case study, learn how the Connecticut MSP uncovered a costly configuration mismatch and used ZeroTek to migrate a complex, 1,000-user healthcare environment — in just a few hours, without a single disruption.
When Managed by CST’s largest client, a rapidly growing medical services organization, was approaching the end of a multi-year Okta contract, the Connecticut MSP saw more than a renewal on the table. With ZeroTek’s help, they recognized that the client’s environment had been configured at a tier their compliance obligations didn’t require. The right path forward was a migration to a standard Okta deployment, delivered through ZeroTek, eliminating unnecessary overhead and replacing a locked, multi-year upfront commitment with a flexible monthly consumption model.
The migration itself was technically demanding: 25-plus applications, Microsoft 365 domain federation, Chromebook and workstation authentication, and a clinical workforce where operational continuity during clinic hours was critical. Managed by CST executed the entire cutover in a few hours that evening — and when staff clocked in the next morning, their access experience was identical: the same seamless, secure Okta authentication they’d depended on for years.
“The client CIO asked me, ‘Are you sure you can do this, John?’ We’d planned every detail. In a few hours, it was done — and the next morning, the help desk was quiet.”
– John Minickene,
Partner | CIO & CTO,
Managed by CST
Built on accountability
ZeroTek makes it easy for Managed Service Providers (MSPs) to resell, deploy, and manage Okta’s enterprise-class Identity and Access Management (IAM) from a multi-tenant single dashboard.
For over 30 years, Managed by CST has been Connecticut’s go-to MSP for small and mid-sized businesses — serving clients from 10 to 2,000 users across industries, from a base in Wallingford, CT. “Our clients have called us ‘their IT team’ for decades,” says John Minickene, Partner and CIO/CTO at Managed by CST. “We’re not a vendor they call when something breaks — we’re accountable for the whole thing.” When they saw a smarter path for one of their clients, that accountability meant being prepared to take on whatever it would require to get there.
Identity at scale: building Okta for a high-growth healthcare organization
The story begins four years ago, when one of Managed by CST’s largest clients — a medical services company expanding rapidly across multiple states — was onboarding new staff by the week. Most of their workforce was remote. They had Chromebooks, iPads, Windows workstations, and Mac devices in the mix. And they had a critical gap: no identity provider, inconsistent MFA coverage across their applications, and no reliable process for onboarding and offboarding at speed.
“They had some real weaknesses,” recalls Minickene. “MFA wasn’t enabled across all of their applications, including their EHR platform. We knew where the gaps were, and we needed to solve them.”
“What really drove the bus to Okta were the workflows, the onboarding and offboarding, and the SSO integrations.”
After evaluating their options — including Duo and leveraging Google SAML for what it could cover — the full capabilities of the Okta platform stood out. “What really drove the bus to Okta,” says Minickene, “were the workflows, the onboarding and offboarding, and the single sign-on integrations. Getting a tight integration across everything, that’s what made the decision.”
The client worked directly with Okta and an implementation partner to build the environment. CST was the technical team on the ground, and Minickene made a mental note about a newer option he’d heard of: ZeroTek.
Catching — and correcting — a costly configuration mismatch
The initial deployment was built around an Okta HIPAA Cell — a configuration designed for organizations that store protected health information directly within the Okta platform itself. In this client’s environment, however, patient data lived in their applications. Okta was the identity layer controlling access to those applications; it wasn’t the system storing the data.
It became clear through conversations Minickene began having with ZeroTek. “I asked them: do you have healthcare companies and medical facilities getting Okta through your platform?” he recalls. “And ZeroTek said yes, a lot of them. Because those organizations don’t store patient data in Okta. The applications store the data. Okta is what sits in front of those applications to control and secure access to them. That was the key thing.”
Once that distinction was clear, a new path opened up. When the client’s multi-year contract came up for renewal, at a point when the organization had also experienced some contraction after its high-growth period, Minickene brought ZeroTek back into the picture. The case was straightforward: migrate to standard Okta through ZeroTek, right-size the configuration to what the client needed, and trade a locked, upfront multi-year commitment for a flexible monthly consumption model.
“People like a consumption model,” says Minickene. “I hate getting caught in a three-year agreement, especially when your user count can swing in either direction. Nobody wants to sign for 800 users, pay it all upfront, and one day find their world has changed.”
“I hate getting caught in a three-year agreement. Nobody wants to sign for 800 users and pay it all upfront, then find out the world has changed.”
A meticulous off-hours cutover followed by a quiet morning help desk
The business case was clear. The migration, however, was a different level of challenge entirely. Moving a fully operational, 1,000-user environment — including Microsoft 365 domain federation, a UKG HR system integration, 25+ application SAML configurations, Chromebook authentication, and TecMFA on workstations — with minimal downtime required planning that left nothing to chance. For a healthcare organization, the window was especially tight: clinical staff needed the system fully functional right up until the cutover began, and fully operational again by morning.
“I knew what it had taken to build this environment the first time,” says Minickene. “Six months, from zero to fully operational. The idea of migrating it in a single overnight window, I was like, how on earth are we going to pull this off?”
“ZeroTek’s Technical Support gives you a sense of calm. If they don’t know something, they solve it — and there isn’t much they don’t know.”
The answer was meticulous preparation and a close working partnership with ZeroTek’s Technical Services team. “They had the entire process mapped out,” Minickene recalls. “We ran both platforms in parallel for a long time, piecing the new configuration together while everything was still live on the old one. And then we had our cutover night.” Every application was re-SAML’d. The Microsoft 365 domain was re-federated. Chromebook authentication was swapped. Workstation TecMFA was re-provisioned.
“ZeroTek’s Technical Support gives you a sense of calm,” says Minickene. “Everything about how they operate tells you: this is going to be fine. If they don’t know something, they solve it — and there isn’t much they don’t know.”
The cutover window started after 8PM, timed carefully around the client’s scheduling needs, since clinical appointments were running until the evening. A few hours later, every user was in.
A few weeks later, Minickene stopped by to see the CIO, standard practice after a migration of that scale. “I asked him how the transition had gone,” he recalls. “He looked at me like, ‘What do you mean?’ Things had gone so smoothly there was nothing to report,” Minickene laughs. “That’s exactly how I wanted it to go. When you plan it right and you’ve got the right team behind you, a complex migration should be completely invisible to the people on the other side of it. That’s what we delivered.”
“They’re 85 to 90% ready before they even start. Device in hand, access ready to go — from day one.”
Provisioning before the paperwork is done
The migration is the headline, but what Managed by CST has built on top of Okta demonstrates the depth of their approach to identity management. One of the most operationally meaningful pieces is a pre-onboarding workflow that uses the client’s HRIS as the authoritative source of truth for provisioning.
“When you hire somebody, there’s often a gap between when they accept an offer and when they complete their HR paperwork,” explains Minickene. “Sometimes that paperwork doesn’t get done until a day or two before the start date, which means you’re scrambling to provision a device, configure access, and get them set up.”
CST solved this by configuring an HRIS report that flags candidates who have accepted an offer but haven’t yet completed their onboarding documentation. That early signal triggers a provisioning routine in Okta: the account is configured, groups and application access are assigned, and a device is provisioned and shipped, all before the new employee officially exists in the HR system.
“They’re 85 to 90% ready before they even start,” says Minickene. “Not yet active, but done. Then the moment they complete their paperwork and their record moves into the live HR system, they’re live. Device in hand, access ready to go — from day one.”
For a largely remote, rapidly growing workforce, this eliminated the last-minute scramble that had previously been a persistent pain point — and it reflects Minickene’s broader view of what best-in-class IT operations should look like. “If your onboarding is disorganized,” he says, “what does the rest of the company look like?”
“It’s not easy to find a software partner that actually does what they say they’re going to do. I hold myself to that standard for my clients. I couldn’t be happier with this partnership.”
A partnership built on doing what you say
For Minickene, ZeroTek has delivered something that’s genuinely difficult to find in the MSP vendor ecosystem.
“I’ve been in this industry for a long time,” he says. “It’s not easy to find a software partner that actually does what they say they’re going to do. I hold myself to that standard for my clients, so it means something to find a partner holding themselves to the same standard. I couldn’t be happier with this partnership.”
That satisfaction includes ZeroTek’s support model. Prior to working with ZeroTek, Managed by CST had no direct support relationship with Okta. ZeroTek changed that, giving CST access to a responsive, knowledgeable team of Okta experts whenever they need to move fast or solve something unfamiliar.
“With ZeroTek we have a team that’s ready, willing, and able to help,” says Minickene. “When my lead engineer was on paternity leave and I had to lean on ZeroTek Support, they were there. That kind of backup matters.”
Looking ahead, Managed by CST is already scoping the next build-out for this client: integrating Okta-backed authentication into physical access control. The plan is to tie RFID building entry and workstation login to Okta on the back end, with the HRIS as the source of truth. When someone is terminated in the HRIS, their access to the building and the network disappears simultaneously.
“They get turned off in the HRIS, they can’t get through the door and they can’t get on the network,” says Minickene. “That’s the vision. And if somebody calls us and they’re a medical facility that realizes they don’t need an Okta HIPAA cell after all, we’ve done this migration. We know exactly how to get them where they need to be.”



