Wednesday, October 14, 2015

Innovating SSO with Google For Work

The modern workforce deserves access to technology that will help them work the way they want to in this increasingly mobile world. When Netflix moved to Google Apps, employees and contractors quickly adopted the Google experience, from signing in to Gmail, to saving files on Drive, to creating and sharing documents. They are now so accustomed to the Google Apps login flow, down to the two-factor authentication, that we wanted to make Google their central sign-on service for all cloud apps, not just Google Apps for Work or apps in the Google Apps Marketplace.

A growing number of companies like us are looking to Google Apps for Work to be their central sign-on service for good reason. Google gives today's highly mobile workforces access to all the cloud applications they need to do their jobs from anywhere on any device, all with a familiar and trusted user experience.

Netflix has a complex workforce environment with more than 400 cloud applications, many of which were custom-built for specific use cases unique to our business. This was part of the challenge we came up against in making Google Apps for Work a truly universal SSO solution. Also, Google provides the key components foundational to a secure central access point for employees and contractors to access cloud apps, but we needed more granular contextual control over who could access the apps. For example, someone in the marketing department doesn’t always need to use an app that’s built specifically for the finance department.

The second challenge was that we needed it to be as straightforward as possible to deploy apps across the organization without making developers jump through unnecessary hoops just to get them onto the single sign-on environment. For this we built libraries supporting all common programming languages used at Netflix.

At Netflix, the security context from application to application is quite complex. Google is focused on providing business-critical solutions like serving as the central secure access point for cloud apps, while also providing infrastructure for these services like the identity directory. We trust Google to play this foundational role, but wouldn’t expect it to meet unique needs that fall between the directory and the login for every one of its customers.

We decided to bring in Ping Identity to fill these gaps. Ping’s Identity Defined Security platform serves as the glue that enables our workforce to have seamless and secure access to the additional apps and services needed while giving our IT team the control over securing application access that we need. Ping also helps us empower developers to build and deploy new apps based on standards so the workforce can use them securely, quickly and easily in this single sign-on environment.

No cutting-edge SSO solution is made up of just one component. We have packaged ours, and run the non-SaaS components in AWS, architected for high availability and performance like any other Netflix service. Our employees, contractors, and application owners consume a true IDaaS solution. We have built it in such a way that as the identity landscape continues to improve, we can add or remove pieces from the authentication chain without being disruptive to users.

We’ve been working closely with Eric Sachs and Google’s identity team as well as Ping Identity’s CTO office to make this into a reality. I will talk about our experience with Google and Ping Identity tomorrow at Identify 2015 in New York, on October 21 in San Francisco, and on November 18 in London. My colleague, Google’s Product Management Director for Identity, Eric Sachs, will also be at these events to discuss how these same standards can be used in work and consumer-facing identity systems. If you’re interested in the Identity space, and would like to discuss in more depth what we have done, please reach out to me. Also feel free to look at our job postings in this space here.