Centrify for Web Applications

DirectControl's Integrated Support for Microsoft ADFS

Centrify DirectControl for Web Applications is the first solution that extends Microsoft's Active Directory Federation Service (ADFS) to web applications running on non-Microsoft platforms. With the Centrify solution, you can leverage Microsoft ADFS to provide secure, federated identity management for applications hosted on Apache and popular J2EE web servers, including Apache Tomcat, BEA WebLogic, IBM WebSphere and JBoss.

Microsoft ADFS is included as part of Microsoft Windows 2003 R2 Enterprise Edition. See Centrify's Support for Windows Server 2003 R2 for information on how we support other R2 interoperability features.

Microsoft + Centrify: The Quick, Cost-Effective Path to Cross-Platform Web SSO

By deploying Microsoft ADFS and Centrify DirectControl for Web Applications as your cross-platform federation solution, you immediately realize the following benefits:

  • Web SSO at a Fraction of the Cost. ADFS is included as part of Windows 2003 R2 Enterprise Edition. DirectControl for Web Applications is all you need for Active Directory-based federated identity management across a heterogeneous environment — at a cost far below older web SSO products that can run hundreds of thousands of dollars.
  • Simplified Architecture. Older web SSO products are built on a three-tier or n-tier architecture in order to synchronize account information held in their federation metadirectory with Active Directory. The ADFS federation server is tightly integrated with Active Directory — no metadirectories to maintain; no synchronization architectures to set up.
  • Quick Cross-Platform Deployment. By simply installing the DirectControl web SSO module, non-Microsoft web servers can interoperate with your ADFS federation server without the need for the time-consuming configuration and testing required by more complex web SSO products.
  • Streamlined Operations. Older synchronization-based products typically come with additional administrative interfaces for account maintenance and provisioning across heterogeneous systems. With account information held centrally in Active Directory, you can roll out your cross-platform federated identity solution and continue to rely on your current Active Directory-based tools and processes for day-to-day administration.
  • Enhanced Regulatory Compliance. DirectControl for Web Applications enables you to extend web SSO to a broad range of non-Microsoft server platforms while continuing to manage all role-based access rights centrally through Active Directory, which is critical to providing the full 360-degree view of users' access — not just to web applications (as older web SSO products do) but to the full range of Active Directory-controlled permissions for systems and applications as well.
  • Integrated Identity Management, Access Control and Policy Enforcement. Older web SSO products help secure the web application, but do not address the equally important need to secure the underlying operating system. The DirectControl Agent also integrates your UNIX and Linux systems with Active Directory to centrally manage administrative accounts and to enforce security and configuration policies through Active Directory Group Policy.

How DirectControl Extends the Reach of ADFS

Microsoft ADFS enables secure web single sign-on (SSO) for web applications in two distinct scenarios: for companies that want to provide employees of business partners with SSO to their portal applications; and for server farm-based consumer web sites that comprise multiple applications, each of which runs in its own security context. Centrify DirectControl for Web Applications provides the cross-platform solution in both these scenarios.

In both of these federated identity scenarios, the ADFS federation server can communicate only with a web application running on Microsoft IIS. As a component of its DirectControl suite, DirectControl for Web Applications provides a web SSO module that enables web applications running on non-Microsoft platforms to look and behave exactly like an IIS server to the ADFS federation server.

Just like Microsoft's SSO module on IIS, the DirectControl web SSO module you install on your web server performs two essential functions:

  • Authenticates access requests. The DirectControl web SSO module intercepts requests for protected web applications and contacts the Microsoft ADFS server that is designated to protect that application. When the security token and claims are returned, the DirectControl web SSO module determines if the token is valid and, if so, passes the user through to the application.
  • Sets the user's security context. Once a user has been authenticated, the DirectControl web SSO module also passes the associated claims to the application. The way DirectControl does this varies depending on the needs of the application.

    • For newer JSP applications that are claims-aware, the DirectControl web SSO module presents the claims through a set of APIs best suited to each platform; for example, as a JSP tag library for J2EE servers. The raw SAML (Security Assertion Markup Language) token is also passed to the application.
    • For traditional J2EE applications, the DirectControl web SSO module transforms the claims into a J2EE role for role-based access control.
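The two functions described above, checking that the returned token is valid and turning its claims into a J2EE role, as an added Python illustration that is not Centrify's code: it validates a constructed, unsigned SAML 1.1 assertion for issuer, validity window and audience, then maps ADFS Group claims onto role names through an explicit allow-list. The issuer and audience URIs and the Group claim type are assumptions, and XML signature verification, which a real module must perform first, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # ADFS 1.x style group claim type (assumed)

# Constructed sample token (not an ADFS capture): a real token is signed and must be verified first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  AssertionID="_constructed-1" Issuer="urn:federation:adfs.example.com"
  IssueInstant="2006-05-01T12:00:00Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2006-05-01T12:00:00Z" NotOnOrAfter="2006-05-01T13:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:tomcat-app</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe@example.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(stamp):
    """Parse the UTC 'Z' timestamps SAML uses into timezone-aware datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return {claim_type: [values]} if issuer, validity window and audience check out, else raise."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValueError("assertion not issued for this application")
    claims = {}
    for attr in root.iter(SAML + "Attribute"):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[claim_type] = [v.text for v in attr.iter(SAML + "AttributeValue")]
    return claims


def map_claims_to_roles(claims, role_map):
    """Translate Group claims into J2EE role names; groups missing from the map grant nothing."""
    return sorted({role_map[g] for g in claims.get(GROUP_CLAIM, []) if g in role_map})
```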

Seamless Integration with ADFS

The DirectControl web SSO module seamlessly integrates a non-Microsoft web application into your ADFS infrastructure. Just install the DirectControl web SSO module on the server hosting the application and you're ready to go.

  • Administrators can use the same configuration tools regardless of which platform the web application is running on.
  • There is no impact on Active Directory; user accounts and permissions are enabled for access to the application in the same way they are normally for ADFS.
  • The web SSO module provides federated SSO out of the box with applications that support the host server's native security system; for example, J2EE form-based authentication and roles.
  • The user experience remains the same.

DirectControl Fills in the Rest of the Security Equation

Securing access to a web application is only part of the security equation. The underlying operating system also needs to be secure against unauthorized access. In addition to supporting ADFS, Centrify DirectControl for Systems also integrates the underlying UNIX or Linux operating system with Active Directory. You can centralize administrative accounts and privileges in Active Directory, and use Group Policy to enforce security and configuration policy. And DirectControl is the only Active Directory-based solution that enables you to create separate management groups (Zones) to give you granular administrative control and the ability to quickly integrate multiple UNIX/Linux profiles and identities into Active Directory.