Implementing Modern Identity for Production

Adding SCIM in Studio Enterprise and Production to Support Granular Permissions and Advanced Identity and Access Management
Riot Games

200 monthly active users
14,000 assets in the MAM
4 TB of storage in the cloud repository

Summary

Riot Games was looking for an asset management system that could do more than centralize media assets in the cloud with standard perimeter security and Single Sign-on (SSO). They wanted a solution that would allow internal IT teams to manage media assets across multiple internal teams, with more centralized control of access and permissions at a granular level than usually permitted by standard SSO solutions. To meet those requirements, Riot Games worked with Sohonet to deploy the “Core” asset management solution with a layer of advanced identity and access management. The solution included both Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM) provisioning of all user accounts to enable the IT team to control security with granular, application-level roles and permissions.

This advanced capability created a middle layer of polices that allowed the mapping and easy onboarding of new users, with IT teams able to create and “push” accounts proactively into the identity management layer with pre-configured permissions. The capability abstracted the need for production-level personnel to understand and implement role-based security and allowed Riot Games to implement more advanced identity management and security policies across its cloud media store. This granular ability to control who has access and what level of access, together with the ability to revoke that access from a centralized IT system (i.e., Google Cloud Identity, Active Directory, HR systems, etc.) made the Sohonet Core implementation a strong example of a security solution that showcases the MovieLabs® 2030 Vision for enabling and provisioning users in cloud-based workflows.

Aligned with MovieLabs 2030 Vision Principles 1, 4, 6, and 7.

Background

Riot Games is a successful and innovative gaming organization that recently expanded into the entertainment space with a new over-the-top animated series called Arcane.

Game companies are under constant cyberattack, and as a result Riot has adopted a defense-in-depth security strategy. In early 2022 Riot Games sought an asset management solution to centralize, secure, and share approved digital assets across different internal teams, including integrated marketing, digital and social media, creative services, etc. They wanted an asset management system that could scale across multiple teams and use cases, starting with an asset library to centralize production assets approved for use by their internal “studio” teams. Beyond centralizing assets, the goals included secure management of assets when viewing and sharing, improving collaboration for production teams, and simplifying access for business teams needing assets from the production itself.

The Riot Games IT and Content Security stakeholders required advanced provisioning and authorization of roles and permissions with a combination of identity and access management, including SAML support and SCIM provisioning of all user accounts. The Riot Games IT team wanted the ability to provision new users, assign permissions, and activate/deactivate users from their existing enterprise IDP system (Microsoft Active Directory) leveraging Okta as a bridge, without the need to perform those functions through the application interfaces of each solution in the IT environment. SCIM makes onboarding/offboarding users, especially large numbers of users hired for a new production, less labor-intensive with decreased risk of human error. It would also align with Riot Games’ goal of using automation and scale to streamline the onboarding and administration process.

Quick Primer On IDAM Technologies

IDAM or IAM (Identity and Access Management) is the overall category of identity management solutions for managing user identities and access to IT resources.

IDP (Identity Provider) is a subcategory of IAM solutions focused on managing core user identities. Also known as directory services, the IDP acts as the source of truth for authenticating user identities. This could be Google Cloud Identity, Microsoft Active Directory, Okta, or other commercially available solutions.

SSO (Single Sign-on) is a mechanism that allows users to access multiple applications or systems with one set of login credentials (such as username and password). Instead of having to remember separate login details for each application, users log in once and gain access to all the connected systems without needing to re-authenticate.

SAML (Security Assertion Markup Language) SSO allows users to access multiple web applications using one set of login credentials by transferring authentication data between the identity provider (IDP) and the service provider (SP) or web application.

SCIM (System for Cross-domain Identity Management) is a way to provision a user with rights and permissions across non-confederated systems where there is no single identity provider.

RBAC (Role-Based Access Control) is based on assigning permissions to users based on their role(s) within an organization rather than on an individual level.

To summarize this section, SAML is the protocol used to communicate with the IDP for authentication and authorization, while SCIM is used to automate user provisioning and de-provisioning from one IDP to another IDP.

Solution

Sohonet provided a centralized asset management platform (called Core) to manage assets stored in the customer’s cloud storage repository. Core created a private library for current production assets approved for sharing across studio business teams. The solution enables the Riot Games IT department to manage the user lifecycle from their existing identity management system, including provisioning access and user permissions at a granular level and using that granular capability to meet security requirements for all applications with access to protected intellectual property.

The asset library is accessible to users with different roles, and assets have different levels of visibility depending on the workflow and the user. Following the principle of least privilege, the roles and permissions are narrow in scope to mitigate security concerns. The Riot Games solution has key roles for invited users: an asset manager/uploader, a security gatekeeper (who approves asset requests), a library user (who browses the library and makes requests), as well as regular viewers and high-sensitivity viewers. Uploaders see only the assets they upload into the application. Library users view the library’s assets (marked with their own unique visual watermark) but must submit a download request for local access to identified assets. The security gatekeepers, primarily members of a content security group, either approve or deny download requests.

Prior to the Riot Games deployment, the standard Sohonet Core solution already had SAML and SSO support, but a key element of the Riot Games implementation was adding support for the SCIM (System for Cross-domain Identity Management) protocol. With SCIM support, the solution allows Riot Games IT personnel to:

  1. Centralize the provisioning of users through their existing IDP and push or “post” those changes to Core’s user management before the user logs in to Core.
  2. Assign user permissions for the Core application at the time of user creation before the user even logs into Core.
  3. Update or “patch” user permissions once (or delete/deactivate a user) and have those changes flow across all applications, including Core.

Figure 1: SCIM Provisioning Process

Initially, Riot Games evaluated using Sohonet Core SSO without SCIM support. The advantages of standalone SSO include reducing the complexity of managing multiple identities per user and, on a practical level, meeting IDP security requirements by associating user accounts via email address. When the user logs into Core for the first time, the established policy would assign a no-permissions user role. The production or project owner would then assign the user a defined role by submitting an internal change request to the IT team to make the changes manually. The key disadvantage of SSO without SCIM was the need for the production and project owners to manage the user roles on the application end. If the project was onboarding large numbers of users (for a new production, for example), scalability would become an issue since onboarding could not be centralized, and managing the application was only one of the numerous responsibilities of the project owner. If 100 users were added to a project, and each user needed 5 permissions, the process would require hundreds of unique manual changes and manual notifications to each user of their permission changes.

Adding SCIM to Core dramatically simplified and expedited the bulk provisioning of permissions when a new group of users is added to the system, and the bulk decommissioning when users are offboarded. When a new project is set up in Core, the provisioning of users begins with an admin request, and the program team onboards and assigns roles to all identified users automatically by relying on security group membership within the IDP, a process that scales much more easily. SCIM is used to provision accounts and permissions, but not to authenticate access requests. Authentication happens in real time via SAML. SCIM determines permissions based on IT-defined roles in the IDP, as agreed by the owner and IT team together.

User access can be revoked by the IT team if central control is needed or if the production teams are not available. As a production asset library available to the larger Riot Games studio, Core has users from marketing, creative services, and other teams that request access to the library. As soon as IT adds those users to pre-determined security groups in the IDP, the Core application appears automatically in the Okta tool suite of each user’s individual dashboard. As users leave the organization or no longer require access, the IT group can remove their product access quickly as part of the centralized offboarding process, and those changes will flow through to Core via SCIM.

Architecture

The key elements of the Core solution implemented for Riot Games include:

  1. A cloud-based centralized location for storage, packaging, and distribution of all assets.
    As a SaaS solution for production and digital asset management, Core includes modules for AWS S3 storage, AWS EC2 for compute, Elasticsearch, redistribution, package management tools, and media handling of video, audio, stills, documents, and metadata.
  2. An asset management system in the cloud that enables multiple applications to interact with the assets in the centralized cloud-based storage.
    The Core application has backend APIs and a front-end UI for managing, collating, packaging, messaging, emailing, sending, and tracking activities by each internal and external customer. All aspects of the solution are hosted at AWS and offered as a managed service.
  3. A granular identity and permissions management system implementing both SAML and SCIM is used to configure employees’ roles and access permissions. The roles, together with role-based access control (RBAC), enable implementation of zero trust security policies.
    Core includes a centralized IDP database that allows for an unlimited number of roles and permissions via RBAC policy, allowing multiple users to have the same permission sets based on title and role within their organizational IDP, or alternatively, the same user to be in multiple security groups and have different sets of rights across different applications. In addition, more granular access controls could be set for individuals as needed. SAML is integrated between the Core IDP and Riot Games IDP for authentication and implements just-in-time user creation when that user is authenticated via SSO.
The Riot Games solution also implements SCIM to allow for proactive user creation and RBAC configuration via the SCIM updates, which are stored in the Core IDP. If a user attempts to sign in to Core via enterprise SSO for the first time and does not already have a Core account, the user account is created upon successful authentication. If that user’s access to applications has already been provisioned via SCIM, rights and permissions are provided upon authentication, and the corresponding RBAC permissions also are provided. The addition of the SCIM API allows user provisioning and administrative changes in Riot Games IDP to be carried out by Riot Games IT and automatically pushed to Core, including allowing users to be deprovisioned and even removed from the system remotely. The user data provided in the SCIM calls is mapped to user data in Core, including mapping user “groups” to “roles” within Core.
The solution enables the Riot Games IT team to define multiple security groups with different sets of permissions associated with each group. Those security groups are then mapped to a granular set of application permissions identified in the Core solution.
The Core solution is architected to offer a set of zero trust options to customers as an initial default. It then offers any number of additional options for automated provisioning through configuration of roles and mappings. In the case of Riot Games, the mappings between the options available in Core and the customer-defined security groups enable the Riot Games IT team to choose among the options to implement its own internal security requirements.
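As an added example (written for this page, not Sohonet Core's own code), the following Python sketch models the provisioning flow described in the Solution and Architecture sections: a SCIM POST creates the account before first login, PATCHes on group membership change the user's roles through a group-to-role mapping, a PATCH of `active` deactivates the user, and a SAML just-in-time login for a user never provisioned via SCIM lands in a no-permissions role. The class name, the group names and the role identifiers are assumptions made for illustration; the schema URNs are the standard SCIM 2.0 ones.

```python
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed mapping of IDP security groups (names invented here) to the roles the page names.
GROUP_TO_ROLE = {
    "core-uploaders": "asset_manager",
    "core-security": "security_gatekeeper",
    "core-library": "library_user",
    "core-sensitive": "high_sensitivity_viewer",
}
NO_PERMISSIONS = "no_permissions"  # default for JIT-created, unprovisioned users


def parse_scim(body, schema):
    """Decode a SCIM JSON body and require the expected schema URN."""
    doc = json.loads(body)
    if schema not in doc.get("schemas", []):
        raise ValueError(f"expected schema {schema}")
    return doc


class CoreScimStore:  # in-memory stand-in for the application's user/IDP database
    def __init__(self):
        self.users = {}   # userName -> {"active": bool}
        self.groups = {}  # group displayName -> set of member userNames

    def roles_for(self, user_name):
        # Deny by default: only groups present in the mapping grant any role.
        roles = {GROUP_TO_ROLE[g] for g, members in self.groups.items()
                 if g in GROUP_TO_ROLE and user_name in members}
        return sorted(roles) or [NO_PERMISSIONS]

    def post_user(self, body):
        """SCIM POST /Users: the IDP pushes the account before first login."""
        doc = parse_scim(body, SCIM_USER)
        self.users[doc["userName"]] = {"active": bool(doc.get("active", True))}
        return doc["userName"]

    def patch_user(self, user_name, body):
        """SCIM PATCH /Users/{id}: only 'replace' of 'active' (deactivation) is handled."""
        doc = parse_scim(body, SCIM_PATCH)
        for op in doc["Operations"]:
            if op["op"].lower() != "replace" or op.get("path") != "active":
                raise ValueError("unsupported patch operation")
            v = op["value"]  # some IDPs send "False" as a string, so bool(v) would be wrong
            self.users[user_name]["active"] = v if isinstance(v, bool) else str(v).lower() == "true"
        return self.users[user_name]["active"]

    def patch_group(self, display_name, body):
        """SCIM PATCH /Groups/{id}: membership add/remove drives role changes. Members are
        keyed by userName here; real IDPs send the SCIM id, and filter paths are not handled."""
        doc = parse_scim(body, SCIM_PATCH)
        members = self.groups.setdefault(display_name, set())
        for op in doc["Operations"]:
            verb = op["op"].lower()
            if verb not in ("add", "remove") or op.get("path", "members") != "members":
                raise ValueError("unsupported patch operation")
            names = {m["value"] for m in op.get("value", [])}
            if verb == "add":
                members |= names
            else:
                members -= names
        return sorted(members)

    def sso_login(self, user_name):
        """SAML just-in-time creation: unprovisioned users get no permissions; deactivated ones are refused."""
        user = self.users.setdefault(user_name, {"active": True})
        if not user["active"]:
            raise PermissionError("account deactivated via SCIM")
        return self.roles_for(user_name)
```

A SCIM DELETE would additionally drop the account and its group memberships; it is omitted here for brevity.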

Benefits

Core provides Riot Games with a single source of truth for all categories of assets, from managing stock footage and reusable asset elements to capturing production assets for decision-making, historical reference, and reuse across business teams and future projects. It delivers a centralized environment for search, redistribution management, package management, and media handling of video, audio, stills, documents, and metadata. Uploading is easy so that users can share asset libraries across divisions, teams, or productions. Teams also can organize and tag key assets, enhancing searchability, findability, and reuse.

The Core application is hosted in the cloud alongside the Riot Games AWS cloud storage solution, minimizing the need to move metadata or assets into or out of the cloud.

Assets are protected through controlled access and customizable capabilities for visible and forensic watermarking across web and mobile consumption. Core leverages modern identity management practices and policies for controlled access. It enables single sign-on across domains, companies, social accounts, and Enterprise IDPs. The integration of single sign-on, coupled with Enterprise tools like SAML and SCIM, allows the centralized Riot Games IT team to ensure maximum protection for content at rest and when sharing.

The Sohonet Core solution gives Riot Games a granular set of options for identity and access management, both for SSO and for user provisioning using the new SCIM protocol support. These include:

  1. Multiple levels of default security to choose from:
     a. fully trusted,
     b. hybrid,
     c. SSO only with no provisioning.

  2. More granular policy-based access control options that allow the IT department to assign user-level or group-level application permissions or a solution that implements user authentication only and shifts access to deep application-based rights management.

SCIM support in the Core solution enables centralized provisioning of user permissions, allowing the Riot Games IT team to scale onboarding and offboarding to meet the demands of hiring for new projects and productions. It allows Riot Games to choose among different options in the authentication process and the provisioning of user permissions across applications. If needed, it lets the centralized IT team revoke user access across applications or for specific assets or capabilities.

The IT team also can leverage its existing SSO solution without recreating users. It can add user identity fields from the IDP side, alleviating the need for the product owner to apply these changes within Core manually. SCIM support also provides the option to configure RBAC managed access using zero trust security policies, enabling the Riot Games IT department to manage both identity and security aspects of the user lifecycle from their existing identity management system.

Alignment with MovieLabs 2030 Vision Principles

PRINCIPLE 1

Production assets intended for internal sharing are ingested into Core, where they are stored in AWS S3. The cloud repository serves as a single source of truth for all sharable production assets and as a working archive library. Riot Games ingests new assets from on-premises storage such as a SAN or NAS, or from other SaaS tools such as Box.

PRINCIPLE 4

The Riot Games living library is supported by a planned and mature metadata infrastructure intended to scale for growth. Riot Games applies tags and statuses to content to indicate approval, usage rights, or versions, and as a permission gate for visibility to library viewers.

PRINCIPLE 6

All users within Core, including employees, contractors, vendors, etc., are provided a unique login and assigned specific roles based on job title or function. The roles define how the user can use the application, what files they can access or edit, whether they can download, and whom they can share with (if anyone). The combination of SAML and SCIM allows Riot Games IT to assign defined roles through the central IDP, avoiding manual assignment by an application admin. SCIM allows this action to be done automatically when a user is onboarded into the central IDP. It also can be done in bulk to streamline the onboarding and user management process for new productions or initiatives. Likewise, Riot Games IT admins can lock user accounts, change access, revoke part or all of a user’s access, and then reactivate it later as needed. SCIM does not preclude a Core admin from doing similar tasks locally but does streamline the workflow and enable a higher level of security. Audit trails across user role permissions, user profiles, and the files themselves provide information regarding who, when, how, and what occurred in a specific use or incident.

An important part of principle 6 is the mapping of a user’s identity in one system to their identity in another. The user’s identity in Core is linked with their identity in the Riot Games identity management system, and, by using SCIM, a user’s role can be pushed to control that user’s access permissions efficiently and consistently between the two systems. This is a solution to the real-world problem that user identity within a SaaS service is unrelated to identity in other systems.

PRINCIPLE 7

The mapping of user identities enabled by SCIM also enables a higher level of security. That higher security takes the form of more granular options for directly assigning permission within Core. The Riot Games IT team is able to define multiple security groups with different sets of permissions associated with each group. Those security groups are then mapped to a granular set of application permissions identified in the Core solution. Every user of the Core solution then receives permissions and access defined by that mapping, which can be updated centrally by the IT team as needed. Essentially, the Core solution with SCIM offers centralized zero trust options to the Riot Games IT team, enabling Riot Games to choose among the options to implement its own internal security requirements.

Lessons Learned

The typical path for setting up an enterprise-level SSO solution is:

  1. configure the application to talk to the identity provider via a connector like SAML,
  2. configure the application to use external user accounts vs locally created,
  3. map those accounts directly to permissions within the application.

Riot Games added a new facet with SCIM. For the Core team this meant assisting Riot Games IT in implementing the SCIM solution in line with the path for traditional SAML authentication. The primary lesson learned was that when implementing SCIM alongside SAML, a close partnership with the customer’s IT department becomes crucial, in order to align on the plan and the data mappings before implementation rather than after. Additional mappings are expected to be added on an ongoing basis, but the communication structure should already be in place. While the SCIM data schema is well defined, Sohonet needed to work closely with the Riot Games IT team to make sure, via rigorous testing, that user data and the messaging from their IDP (Active Directory) were being mapped correctly into the corresponding Core user permission fields.

Next Steps

With the acquisition of The 5th Kind and the Core asset management solution, Sohonet is now in the process of adding SSO and IDAM (Identity and Access Management) to the ClearView and FileRunner family of products along with Core, in order to offer a single unified IDAM solution where the same user accounts can exist across all products. This will not entail a single permission (i.e., admin or coordinator) across all products but a policy-based solution that allows a user to have separate rights and permissions via IDP mappings and discrete policies within the various applications. Expanding the policy-based security capabilities will offer customers additional opportunities to implement zero trust solutions in their workflows.

MovieLabs Perspective

Managing users, especially in fluid environments like media production, where hundreds of team members can be onboarded and removed from projects in quick succession, remains a complex burden for teams responsible for ensuring the security of critical media assets. As more and more SaaS solutions and cloud workflows deploy before 2030, these challenges will only compound. The learnings from Sohonet on the implementation of Core for Riot Games are a great use case for anyone looking to automate the setup of users and their permissions in multiple applications simultaneously. While a single common production user ID that could be used by all media companies and applications doesn’t yet exist, Sohonet has demonstrated a way to manage user identity and authorizations efficiently across systems and organizations, as well as providing a roadmap for implementing zero trust permissions at a more granular level across different systems and applications. This sets an important milestone on the road to a cloud environment where users can work on the assets, applications, and tasks assigned to them in an entirely seamless and zero trust framework.
