Background
A mid-size European e-commerce business — approximately 85 staff, operating across four EU markets — approached 47Network Studio with two separate but related problems. First: their authentication infrastructure was a patchwork of per-service logins with no SSO, no centralised session management, and no audit trail of admin actions. Second: their QA process was entirely manual, release cycles were long, and they had experienced three checkout flow regressions in the past year that reached production and cost measurable revenue.
They wanted both problems solved, ideally by a single partner who could see the connection between them. We brought in TestGate Studio for the QA workstream and delivered both engagements in parallel over a 14-week period.
The authentication problem
The client's internal tooling consisted of a warehouse management system, an order management platform, an analytics dashboard, an admin panel for their e-commerce backend, and a support ticket system — five separate products, five separate login flows, no shared session, no MFA enforcement, and no way to revoke access across all systems when a staff member left.
The compliance pressure was also real: GDPR audit requirements meant they needed to produce access logs showing which admin user accessed which customer data record and when. With their existing setup, this was impossible — individual systems had their own logs in incompatible formats, and some had no meaningful audit trail at all.
What we deployed
A Keycloak-based 47ID deployment serving as the single identity provider for all five internal systems. Each system was configured as an OIDC client with appropriate scopes — warehouse staff get warehouse access, support agents get support access, and no one gets admin panel access without an explicit role assignment. MFA was enforced platform-wide via TOTP, with hardware key support for the three staff members with admin-level access.
HashiCorp Vault was deployed alongside for secrets management — internal service API keys, database credentials, and third-party integration tokens were migrated out of environment variables and config files into Vault with dynamic short-lived credentials where the upstream APIs supported it.
The audit log stream from Keycloak — every login, logout, failed authentication, role change, and token issue — flows into a centralised append-only audit store. Exports for GDPR compliance requests can now be generated in minutes rather than requiring manual correlation across five systems.
The QA problem
TestGate Studio ran an initial QA audit in week one. The findings were unsurprising but useful to quantify: the client had no automated tests whatsoever, manual regression took 3–4 days before each release (and was still being skipped under time pressure), and the three checkout regressions had all been in flows that had seemed "obviously stable" and were therefore tested last and least thoroughly.
The audit identified five highest-risk flows: checkout (add to cart through payment confirmation), account creation and login, order status updates, discount code application, and the admin order management panel. These became the initial automation target.
What TestGate built
A Playwright-based E2E test suite covering all five critical flows, running against a staging environment on every PR. The checkout flow test was the most involved — it covers 23 distinct steps from product selection through payment gateway integration through order confirmation email delivery, using a test payment gateway integration that mirrors the production Stripe setup without processing real transactions.
API-layer tests (Postman collections running in Newman) cover the order management API, discount code validation logic, and inventory availability checks independently of the frontend — catching API regressions that E2E tests might miss if the frontend error handling masks them. Performance tests (k6) run on a weekly schedule against the staging environment to catch degradation in checkout latency before it reaches production.
The CI pipeline gates on both the Playwright suite and the API tests. A failing checkout test blocks the PR merge — there's no way to merge a change that breaks checkout without explicitly overriding the gate, which requires a named approver and is logged.
Integration between the two workstreams
The auth and QA workstreams intersected more than expected. The E2E tests needed to authenticate as different user roles — a regular customer, a logged-in admin, a support agent — and the 47ID deployment made this clean: test users are created in a dedicated test realm, tokens are issued programmatically, and test sessions are fully isolated from production auth state.
The access audit log also fed into the QA process in an unexpected way: during exploratory testing, TestGate identified an auth flow in which a session token remained valid for 90 minutes after an explicit logout event. The Keycloak audit log made this immediately visible, since both the token issue timestamp and the logout timestamp were recorded and the gap between them was plain to see. The fix, a session invalidation improvement, was deployed within 48 hours of discovery.
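The kind of timestamp correlation described above can be turned into a standing detection rather than a one-off observation. The following is an added example (not the client's tooling or 47Network Studio's code) that groups Keycloak login events by session and flags any session in which a token was issued or refreshed after its LOGOUT event. It assumes the events are exported as newline-delimited JSON using Keycloak's standard event field names (time in epoch milliseconds, type, userId, sessionId); the sample lines are constructed, not real log data.

```python
"""Flag Keycloak sessions whose tokens were still issued or refreshed after an explicit LOGOUT.
Added example, not the client's tooling. Input shape follows Keycloak login events."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real log lines). Session s-aaa refreshes a token
# 30 minutes after logging out; session s-bbb only refreshes before its logout.
SAMPLE_EVENTS = """
{"time": 1700000000000, "type": "LOGIN", "realmId": "internal", "clientId": "admin-panel", "userId": "u-17", "sessionId": "s-aaa", "ipAddress": "10.0.0.5"}
{"time": 1700000600000, "type": "LOGOUT", "realmId": "internal", "clientId": "admin-panel", "userId": "u-17", "sessionId": "s-aaa", "ipAddress": "10.0.0.5"}
{"time": 1700002400000, "type": "REFRESH_TOKEN", "realmId": "internal", "clientId": "admin-panel", "userId": "u-17", "sessionId": "s-aaa", "ipAddress": "10.0.0.5"}
{"time": 1700000100000, "type": "LOGIN", "realmId": "internal", "clientId": "support", "userId": "u-42", "sessionId": "s-bbb", "ipAddress": "10.0.0.9"}
{"time": 1700000400000, "type": "REFRESH_TOKEN", "realmId": "internal", "clientId": "support", "userId": "u-42", "sessionId": "s-bbb", "ipAddress": "10.0.0.9"}
{"time": 1700000700000, "type": "LOGOUT", "realmId": "internal", "clientId": "support", "userId": "u-42", "sessionId": "s-bbb", "ipAddress": "10.0.0.9"}
"""

# Event types that hand out a new access token for an existing session.
TOKEN_EVENTS = {"REFRESH_TOKEN", "CODE_TO_TOKEN"}

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_post_logout_tokens(events):
    """Return one finding per session that issued/refreshed a token after its LOGOUT."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        logout_ms = next((e["time"] for e in evs if e["type"] == "LOGOUT"), None)
        if logout_ms is None:
            continue  # session never logged out explicitly; nothing to correlate
        late = [e for e in evs if e["type"] in TOKEN_EVENTS and e["time"] > logout_ms]
        if not late:
            continue
        last = late[-1]
        to_iso = lambda ms: datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat()
        findings.append({
            "sessionId": sid,
            "userId": last["userId"],
            "logout_at": to_iso(logout_ms),
            "last_token_at": to_iso(last["time"]),
            "minutes_after_logout": (last["time"] - logout_ms) / 60000,
            "late_event_count": len(late),
        })
    return findings

if __name__ == "__main__":
    for finding in find_post_logout_tokens(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Run against a real export, any finding indicates a session that was still being served tokens after the user had logged out, which is exactly the gap the audit log exposed here.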
The client now runs monthly exploratory testing sprints via TestGate Studio as a retainer arrangement. The structured test suite handles regression; the exploratory sprints find the edge cases the structured tests weren't written to find.
Handover
Both workstreams delivered full documentation: runbooks for the Keycloak and Vault deployment, a test strategy document, coverage maps showing which flows are covered by which test types, and a 90-day post-deployment support window. The client's engineering team can now add new test cases independently — TestGate ran two training sessions on the Playwright suite and Postman collection structure.
"We had two separate problems — broken auth and broken QA — and assumed we needed two separate engagements. 47Network Studio solved them together in 14 weeks. The Keycloak deployment alone saved us more time in onboarding than the entire engagement cost."
— Head of Engineering, Confidential E-Commerce Client (Central Europe)
Delivery timeline
Full audit of five internal tools, authentication gap analysis, QA process review. Architecture proposal for 47ID SSO and test suite structure signed off end of week 2.
Keycloak cluster provisioned, OIDC/SAML adapters configured for all five tools, HashiCorp Vault deployed for secrets management. MFA enforced for all admin accounts.
TestGate Studio delivered 87 Playwright E2E, API, and k6 performance tests across checkout, auth, orders, and discounts. GitHub Actions CI/CD gate live at week 9.
85 staff migrated to SSO in two cohorts. Vault audit log configured for GDPR compliance. All hardcoded secrets replaced. Security review and penetration test by client's auditor.
Runbook delivery, admin training sessions (both teams), 30-day stabilisation period. Zero incidents post-handover. Client team independently onboarded two new internal tools within 60 days.
Six months after handover the client had extended automated coverage to two new product lines and promoted their senior QA engineer to Head of Engineering — a role that hadn't existed before the engagement.