Netflix Streams Secure, Seamless

Sign-on for Employees and Partners

Netflix is a streaming service that allows customers to watch award-winning TV shows, movies, documentaries and more on their connected devices.

The identity and access management (IAM) engineering team’s focus is to provide a seamless and secure login experience for their employees, partners, and studios, so that Netflix can in turn deliver their product to their customers. Netflix needed an extensible Identity platform to enable adaptive authentication for their users and allow developers to configure their own applications.

Netflix was encountering reliability issues with their previous cloud identity solution, which was affecting their employees’ ability to authenticate. The IAM team required a solution that would allow them to deploy in their own AWS cloud and that could meet an SLA of 99.9% uptime.

Netflix was also in transition from a perimeter based security architecture to a zero trust model inspired by Google’s Beyondcorp. This meant that identity defined micro-perimeters for users, devices and applications were critical. The goal was to enable adaptive access security for every application allowing users to connect from anywhere, no VPNs, no hard tokens.

In addition, they wanted to solve for the resource-intensive, time-consuming process of onboarding new applications. With around 40 SaaS apps and over 600 engineering, studio and customer service applications, the identity team was being bombarded with daily requests to add or make changes to connections. Engineers were also building unique identity stores and login experiences for individual apps. Over the years, the custom creation of policies and clients created incongruence across the organization.

It was also critical to Netflix that the identity company they selected would not only follow standards but actually act as a leader in driving those standards, so it could evolve with the organization over time.

Netflix first implemented Ping to provide single sign-on for the company’s employees and partners. Those identities exist across multiple IdP layers, and PingFederate bridges Netflix’s six Google domains and two partner directories.

Using the PingFederate SDK, Sr. Security Software Engineer Tejas Dharamshi then led the effort to build a self-service layer on top of PingFederate, which allows their engineers the complete freedom to configure applications, update redirects, and plug apps into the Netflix ecosystem on their own.

Today, Ping’s technology is a framework that the IAM team builds all of their identity services on. “We use Ping to extend where we want to take our pluggable identity solution. We can develop custom adapters and custom data stores on top of it. Because all of this can be achieved via API, it allows the organization to be extremely agile,” said Tejas Dharamshi.

PingFederate provides information that allows Netflix to achieve adaptive authentication based on factors like the sensitivity of the application or the device from which users are connecting. Whether it’s engineering, financial or corporate applications, all of Netflix’s apps are able to leverage three levels of adaptive authentication based on roles and user groups, access history and anomalies. At any point, step-up authentication ensures the right person gets access.

Netflix now provides employees and partners with a rich and seamless, UI-driven sign-on that balances both user experience and security.

As a result of the self-service tool powered by PingFederate, the IAM engineering team now fields little to no requests for client management, freeing up their time to work on other identity initiatives. Engineers are able to add and configure their own applications with only limited knowledge of the underlying identity infrastructure. “Because of the extensibility of the Ping platform, we were able to significantly boost the productivity of our engineering users and reduce the burden on the operations side,” said Jonathan Hurd, Identity and Access Engineering Manager.

Ping’s leadership in driving modern standards future-proofs Netflix’s identity program as it evolves.