Powering social good with a modern fundraising platform
Classy is a B Corp Certified social enterprise started by a group of friends who wanted to make it easier for nonprofits to have access to elegant fundraising technology that helped them reach new donors, raise more money and accelerate their impact. Today, the San Diego, California-based company has a full suite of world-class online fundraising tools that empowers communities all over the world with an easy, quick, and secure way to donate to nonprofit organizations.
Along the way, Classy has simplified campaign management for nonprofits of all sizes and causes, and facilitated the industry’s move to online fundraising. Today, the company serves 6,000 nonprofit partners and two million donors. Together, they have raised nearly $3 billion, with $1 billion raised in 2020 alone.
“The events of the past year, including the restrictions imposed by the pandemic along with movements for social justice, really validated the online fundraising model,” says Shantanu Bose, Vice President of Engineering at Classy.
The company offers nonprofits a platform for running enterprise-scale fundraising campaigns, including peer-to-peer, events, crowdfunding, recurring giving, and more. Classy developers design each feature in close partnership with the organizations they serve, evolving the platform in direct response to feedback and feature requests. “We are driven by a fierce determination to do the right thing for the customer,” says Bose.
Moving to modern customer identity
In 2019, demand was growing across the Classy platform as the larger nonprofit partners the company worked with were looking to increase donor engagement across channels, make it as easy as possible for people to contribute, and in that way increase fundraising.
For Classy, that meant extending authentication to social platforms such as Facebook and facilitating a seamless mobile experience. To make sure all that giving happened in a secure environment, Bose and his team needed to make sure they got customer identity right.
“As our organizations log into the system to access financial data, identity management is vital, to make sure we are surfacing the right data to the right user,” he says.
Classy employees have long accessed their work via Okta workforce identity solutions, but the product development team was using an in-house OAuth 2.0 login application for customer identity. As they looked at extending the Classy platform into various digital channels, they realized that their existing customer identity solution wasn’t up to the task.
“We couldn’t support a native mobile login experience,” says Stephen Hanson, software architect for Classy. “We could only support a single resource owner password grant flow, which doesn’t work easily on mobile devices.”
Because the team was working with a development partner to integrate with a mobile app that Classy wouldn’t control directly, they also wanted to make sure Classy retained full control of partner and donor data to ensure their privacy. That requirement added another layer of complexity to the mobile solution.
As the team increased their work with enterprise partners, they also saw a need to support inbound federated single sign-on (SSO). “Some of our larger partners who had their own SSO solutions wanted to extend them to include Classy,” says Hanson. Classy’s existing identity solution, however, didn’t offer support for modern global identity protocols, such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC). That failure kept Classy out of the running for some of the biggest deals.
To serve large organizations well, the Classy team also needed to build more flexible, customizable user experiences into its platform, giving customer administrators the ability to manage permissions and access across roles and regions. Team members across large organizations have different goals, for example, and may need access only to specific data. For security purposes, volunteers who need to see donor contact information should not also have access to their transaction history.
Choosing an identity partner for the long run
Given the growing list of customer identity requirements, the team quickly realized that building on their in-house system was not realistic. “Our solution was good enough when the company was smaller, but customer identity is foundational architecture that we needed to be able to scale,” says Bose.
“Our research into building that system ourselves showed a rapid decline into a complex space that was frankly not our domain,” he says. “We wanted to build fundraising tools and help nonprofit customers be more effective in their missions. Our job was not to build the best identity management solution on the market.”
The team turned their attention to identifying the right customer identity partner, evaluating Okta and several competitors. “We didn’t want to implement just another proprietary security framework,” says Hanson. “We needed a partner who could help us future-proof our development efforts.”
In the end, Classy’s success with Okta Workforce Identity gave them the confidence that they could expand to Customer Identity products during peak giving season—when the new mobile app would launch—without missing a beat.
Okta’s ability to easily federate with partner companies using standards-based authentication protocols also played a major role, allowing Classy to quickly scale to meet the demands of enterprise organizations.
The team was also intrigued by Okta’s support for multiple social authentication options. “We saw that if we integrated with Okta, we could get some of those other identity providers for free, out of the box,” says Hanson.
Both Hanson and Bose found Okta Customer First support remarkable. “We were supported by a very responsive Okta technical support team—brainstorming with us, coming to our office, hosting us in San Francisco, and whiteboarding with us on solutions,” says Bose. “We could see that Okta was going to be a responsive partner—in it for the long run, as opposed to being just a package-licensed solution with no post-implementation support.”
Setting up native mobile integration
The Classy team enlisted Okta implementation partner, BeyondID, to help craft their customer identity integration architecture. “BeyondID has been integral in our Okta journey, talking us through different options and approaches and ultimately helping us land on what would work best for Classy,” says Hanson.
The team began the Okta rollout using a phased approach, starting with their partner mobile application and integrating Okta customer identity solutions, including Okta Authentication, Okta User Management, and Okta API Access Management. The mobile app integration took about four months, driven primarily by the partner’s release timeline.
The team used the Okta-hosted login widget to create a “Login with Classy” button on the mobile app, which takes donors or partners to the Okta-hosted login page. “We set up a custom domain to route through the Classy.org domain, and that allowed us to customize the login widget experience,” says Hanson. “Beyond that, we have this mobile app configured inside of Okta as a native OIDC application.”
Classy is a multi-tenant platform, with layers of abstraction and authorization built in so that each user sees only the data they should have access to. As the team was integrating Okta, they created data security requirements for two separate sets of users on the Classy platform: nonprofit partner administrators, and individuals donating to causes they believe in.
“We extended our default authorization server and configured custom scopes at the application permissions level in Okta,” says Hanson. “That’s our first check. Then, it drops through to the fine-grained authorization piece, which decides if a user has access to a specific piece of data.”
The team is using Okta Lifecycle Management to streamline user profile management. “We’re managing our users and their credentials primarily on the Classy platform,” says Hanson. “As they’re created in Classy, we use Lifecycle Management APIs to sync login information to Okta.”
Hanson has been impressed with Okta’s reporting interface. Today the team has clearer insight into how people are logging in. For example, shortly after rollout the team could see that eight percent of users were already using social auth. “That’s actionable data that helps us make decisions about where to put resources,” he says. “It’s been a great lift for us.”
Because Classy already had Okta for workforce identity, it was a no-brainer to connect customer identity solutions. “We use Okta’s org-to-org SAML integration to federate identities between the two,” says Hanson. “Now our IT team with access to our Okta workforce tenant can configure access to our Okta customer identity tenants.”
A united effort—and a banner year for giving
In a striking act of confidence, the Classy team rolled out its new, Okta-powered mobile experience during the busiest week of 2019’s giving season. “It was really critical that we didn’t have any downtime on our platform,” says Hanson.
Classy’s dedicated Okta customer success manager followed the rollout closely, working with BeyondID and Okta support engineers to make sure rate limits would automatically increase when needed, so that no new or existing Classy user would run into a single obstacle.
“The fact that we rolled Okta Customer Identity out right in front of the giving season shows you how much trust we had that it was going to work,” says Bose.
By the time 2020 rolled around, with challenges that pushed nonprofit resources to the extreme, Classy had its new customer identity strategy well in hand. The strides the company had made in the online fundraising world helped organizations meet the crisis of a global pandemic with fundraising tools that were easy to use and easy to scale.
“In December 2020, Classy had an 84% increase in gross donation volume on the platform compared to 2019,” says Bose. “Okta was a vital part of that success.”
Moving full speed toward unified identity
The Classy team is building on those victories in 2021, and Okta’s Customer First team continues to play a key role. For example, Hanson says, modern web browsers increasingly disable third-party cookies by default, a practice that presents a problem with session login access tokens.
“We reached out to Okta and found they were already working on a solution,” says Hanson. “It’s an early access feature, so we’re going through a proof of concept now.”
The Classy team is also working on inbound federation, so that enterprise partners can extend their SSO to include Classy. “Partnering with Okta, with the SAML and OIDC support we get out of the box—that will un-gate that functionality for us,” says Hanson.
The team has also started to use Okta for OAuth as they bring on new customers. They’re also moving their API authentication layer so that development partners log in to Okta to subscribe to Classy APIs, integrate with the company’s data, and build on the platform. “We’re moving that functionality over to Okta, so that Okta is our identity provider for everything,” he says.
Before long, all of Classy’s two million end users—from campaign administrators to development partners and individual donors—will log in via Okta to help make the world a better place.
About Classy
Classy is a B Corp Certified social enterprise that helps nonprofit organizations maximize their impact through a suite of world-class, online fundraising tools to accelerate social impact around the world. Based in San Diego, CA, Classy is trusted by organizations of all sizes, from the fastest-growing nonprofits to some of the world's largest social organizations. Nonprofits use Classy’s platform to raise money, engage their communities, and advance their missions. Since 2011, Classy has powered tens of millions of donations from over 190 countries and raised nearly $3 billion for social good. Classy also hosts the Collaborative conference and the Classy Awards to spotlight the innovative work nonprofits are implementing around the globe.