Single sign on boosts TV Everywhere

Evidence is rolling in now that Single Sign On (SSO) boosts online viewing for pay TV operators by making it easier for subscribers to access content on connected devices without having to keep re-entering credentials. It is almost 30 years since SSO entered enterprise IT as a mechanism for giving staff access to all authorized services, applications and data wherever they were, as remote access over corporate wide area networks increased. In the case of broadcasting and pay TV it should have emerged with the first online extensions to legacy pay TV services, or TV Everywhere as it was called, but has taken a while to get going. As it happens it has taken a few of the big tech firms to push SSO into the online video world, actually helping out pay TV operators and broadcasters by enabling their subscribers to access their content on their connected devices.

Apple is now making the running with SSO, dragging broadcasters and operators along, but Adobe can be credited with some of the first moves by drawing on experience from the enterprise side with the advent of cloud services. Adobe added SSO support to its Creative Cloud for Enterprise in February 2015 using a technique called Federated IDs to allow users to access its desktop office productivity applications by logging on via a single credential such as user name and password, via their employer’s internal identity management system.

Federated identity is simply the process of extending trust across multiple organizations or services so that once users have been authenticated on one they can access another. This is usually enabled by having a trusted third party which confirms to each member of the trust federation that a given user has been securely authenticated.

SSO itself is a subset of federated identity management, since it also operates across multiple applications or services, but is confined to authentication rather than other aspects. Two protocols or languages have evolved for communicating within such a federated arrangement, Kerberos and the XML based Security Assertion Mark-up Language (SAML). Kerberos came first, developed at the Massachusetts Institute of Technology in the late 1980s, later evolving into a protocol for authenticating service requests between trusted hosts across the internet, or any untrusted network. As the only contender it was built into all the major operating systems, including Microsoft Windows, Apple OS X, FreeBSD and Linux. Under Kerberos, a ticket-granting ticket (TGT) is issued once the user credentials are provided. The TGT fetches service tickets for other applications the user requests access to, without any further need to re-enter credentials.

SAML was then developed over a decade later and brought more advanced features such as ability to convey information about users and what they are authorized to do, which meant it could work with DRM based delivery. Then under SSO distinctions can be made between rights on different devices even though the user has been authenticated on all of them. The second version SAML 2.0 is one of the main authentication protocols supported by Adobe Primetime.

Adobe however is also backing an open standard for SSO interoperability being promoted by CTAM, the Cable & Telecommunications Association for Marketing, but meanwhile the whole SSO field has itself been subject to familiar commercial forces that regard emergence of a common protocol or mechanism. Apple has weighed in by attempting to make SSO a killer feature across its iOS platform and exploit its strong market position to present itself as a universal aggregator of content on behalf of mobile users in particular.

Apple’s key move came just a year ago in December 2016 with the launch of SSO support, followed a week later by the long awaited “TV app” for discovering video content on iPhones and iPads. Apple was appealing to rights holders and pay TV operators to make their content available on iOS devices via an app to benefit from the huge exposure they would gain, focusing mainly in the US to begin with. Initial take up was slow with just 24 second tier providers coming on board, but then traction accelerated rapidly with 438 cable and satellite TV providers offering access to their services via an iOS app by September 2017. Again these are mostly small regional or local US operators providing the access via WatchTVEverywhere (wTVE), an authentication and authorization platform used widely, and which now supports Apple’s SSO.

Apple has hooked one or two bigger services, notably AT&T’s DirecTV Now, which is listed as a TV provider allowing SSO via the recent Apple TV iOS 11 update. Notable absentees include Comcast, Charter Spectrum, Verizon, AT&T U-verse and Google Fiber. Comcast is among those promoting CTAM, remembering that it was one of the launch customers for Adobe Primetime.

Consumers then are likely to be frustrated now by the competition between the big players just as they have in other areas such as browsers. The problem is that each of the major players wants to be the portal of choice that users sign on to. So apart from Apple we see Amazon’s Fire TV, Roku and others also incorporating SSO into their apps alongside integrated search, but this in turn relies on the other OTT providers all opening up their apps.

If an OTT player regards its aggregation as a differentiator or strategic objective, they have little incentive to open it up. This creates the paradox where everyone wants everyone else to open their apps, but don’t want to do so themselves. So while Apple of course can easily attract second tier providers whose interests are served by access to the huge iOS user base, it is struggling to attract the big players, just as it has to gain rights to premium content in the usual way. With SSO Apple in a sense has admitted it will not become a major rights holder itself and is aiming to gain further market share for iOS platforms through aggregation.

Meanwhile, broadcasters themselves are looking to adopt SSO as part of their strategies to maximize uptake of TV Everywhere. For this reason, SSO is a major component of the EBU (European Broadcasting Union) user personalization project called Peach, although as we reported last week this has been compromised by the EU’s decision to omit video content from its ban on geo-blocking within member states, giving in to pressure from major content houses. So while there is almost universal agreement that SSO is a good thing, the dream of being able to access all content a user is authorized for everywhere on all devices will continue for some time to be frustrated by politics and commercial forces.