No Salesforce License? No Problem: Building a Secure Email Resend Portal for Hotel Front Desk Staff
A guest walks up to a hotel front desk. They never received their booking confirmation. The front desk agent pulls up their screen — but they don’t have Salesforce access. They can’t trigger a resend. They raise a support ticket. The guest stands there waiting. It’s not a great experience.
This was the real-world problem a hospitality client brought to us. They had a robust Marketing Cloud setup with journeys for confirmation emails, pre-arrival messages, and post-stay follow-ups — all API-triggered via Salesforce CRM. The technical infrastructure worked. The access model didn’t.
The solution: a secure Marketing Cloud Cloud Page that gives front desk staff a simple portal to search for a guest and resend any email — without needing a single Salesforce or Marketing Cloud license.
Why Salesforce Licenses Aren’t the Answer
The first instinct is obvious: just give front desk staff Salesforce access. But a hotel chain with 20 properties and hundreds of front desk agents faces a cost and governance problem immediately. Salesforce licenses aren’t cheap, and more importantly, giving operational front desk staff access to the full CRM creates data exposure risk that most enterprise IT teams won’t approve.
What front desk staff actually need is extremely narrow: search for a guest, select an email type, press send. That’s a one-page tool — not a full CRM platform.
Architecture: What We Built
The solution has three components that work together: a Marketing Cloud Cloud Page as the front-end portal, Okta SSO for authentication, and existing Marketing Cloud API-triggered journeys as the email sending mechanism.
Component 1: The Cloud Page Portal
The Cloud Page is a single-page HTML/JavaScript application hosted natively on Marketing Cloud. It presents front desk staff with:
- A search field to look up a guest by email address or booking confirmation number.
- A results panel showing matching reservations.
- A selection of email types (Booking Confirmation, Pre-Arrival, Post-Stay, etc.) rendered as buttons.
- A send trigger that calls the existing Marketing Cloud journey API event.
The journeys themselves already existed and were already API-ready — built for Salesforce button triggers. The Cloud Page simply replaces the Salesforce button as the interface, calling the same underlying API.
JavaScript — Triggering the SFMC Journey API from the Cloud Page
// Call Marketing Cloud REST API to fire the journey event async function triggerEmail(subscriberKey, emailType) { const payload = { ContactKey: subscriberKey, EventDefinitionKey: `hotel_resend_${emailType}`, Data: { ResendTriggeredBy: "FrontDesk" } }; const response = await fetch( "/rest/journeys/v1/events", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(payload) } ); return response.ok; }
Component 2: Okta Single Sign-On
Securing a Cloud Page is non-trivial because they run entirely on the front end — there’s no server-side session management. We integrated Okta, which this client was already using across their property management system and other internal tools.
Okta provides an SDK package specifically compatible with Salesforce Marketing Cloud Pages. The flow is simple: a staff member visits the Cloud Page URL, they are redirected to the Okta login screen for a few seconds, and then they’re returned to the same Cloud Page URL with a valid session token. The URL doesn’t change from the user’s perspective.
Component 3: Security Controls
Beyond authentication, the Cloud Page included several security measures appropriate for a shared-device front desk environment:
Idle timeout — the session automatically expires after a defined period of inactivity. A staff member who walks away from the terminal won’t leave an open portal for the next person.
Role-limited provisioning — only staff members explicitly provisioned in Okta with access to this application could log in. The provisioning was managed by the client’s IT team using their existing Okta workflows.
No data storage — all guest lookups are real-time queries against Marketing Cloud Data Extensions. The Cloud Page itself stores nothing, so there’s no local data exposure risk.
Solution Summary
- Zero new Salesforce licenses — front desk staff never need CRM access.
- Uses existing journey infrastructure — journeys were already API-ready; no rebuild required.
- Okta SSO — staff use credentials they already have; no new accounts or passwords.
- Idle timeout — shared terminals are protected from unattended access.
- Scales freely — onboarding a new property means provisioning in Okta, not buying licenses.
- Business logic preserved — email types, journey logic, personalization all remain in Marketing Cloud where they belong.
Frequently Asked Questions
Yes — the journey API trigger requires a ContactKey that exists in Marketing Cloud. In most hospitality setups, guests are synced from the PMS into SFMC automatically at booking creation, so this is rarely an issue for any guest with an existing reservation.
In the implementation described here, staff select an email type (e.g., “Confirmation” or “Pre-Arrival”) which triggers the corresponding journey. The journey handles personalization and template selection. If you need staff to choose a specific previously-sent email, that requires extending the Cloud Page to query Individual Email Results (IER) records — which is an additional but feasible enhancement.
Okta is not the only option. Any SAML 2.0 or OAuth 2.0 compatible identity provider can be integrated with a Marketing Cloud Cloud Page in a similar pattern. Microsoft Azure AD, Google Workspace, and Auth0 all support this. Okta was used here because the client was already on it — the important principle is using an existing SSO provider rather than building custom authentication.
Marketing Cloud login gives access to the entire platform — all Data Extensions, all journeys, all contacts, all send logs. A Cloud Page portal exposes only the exact functionality the staff member needs, with no ability to accidentally modify journey logic, delete data, or access records outside their scope. For a front desk agent, that’s the right level of access.
Need to empower non-technical staff with Marketing Cloud capabilities?
Genetrix designs and builds custom Cloud Page portals, API-connected workflows, and SSO-secured tools that extend Marketing Cloud to any team — without licensing overhead. Let’s scope your use case.
