Tom Kemp's Centrify Blog

SaaS Single Sign-on in Action

Tuesday, March 12, 2013

Recently Centrify announced the general availability of Centrify for Mobile 2013 and Centrify for SaaS 2013, a set of integrated capabilities enabled by the Centrify Cloud Service platform that delivers secure, enterprise-class mobility management with integrated cloud and SaaS Single Sign-on (SSO) to improve security and increase workforce productivity in the enterprise. In this blog post I want to walk you through single sign-on capabilities from an end user perspective.

SSO from a PC or Mac

Let's first look at it from the perspective of a user on a PC or Mac. Centrify provides the MyCentrify web portal, where a user can view the SaaS apps that their role allows them to access (an admin can easily map roles to Active Directory groups and/or users, which in turn determines app access), and a single click (in effect, 'zero sign-on') lets them access the web-based app. Here is an example of the MyCentrify portal that a user would see:

A click on, say, the Salesforce icon launches an authenticated Salesforce session in a new tab. We leverage standards such as SAML, OAuth, OpenID, etc. to make that happen, but we also support apps that don't support an SSO protocol (i.e. we can wallet the user's password in our secure cloud), and even apps where you have a shared account and don't want to share the password.

[Note: if you don't want to use our MyCentrify portal to launch and authenticate to web applications, a user can create bookmarks or desktop shortcuts for those specific apps. And because our solution supports integrated Windows authentication, if the user already has a valid Kerberos ticket from logging onto their PC or Mac (our Centrify for Mac does a great job of that), they can silently authenticate and not even have to log onto the portal or the bookmark etc.]

And because this is a BYOD world, we also want to allow users to manage their devices from within the MyCentrify portal, e.g. to locate their device if they have misplaced it.

Stay tuned as we look to extend this MyDevices feature beyond smartphones and tablets to other devices that users own!

Finally, for users on a PC who want to access SaaS apps like Office 365 that have rich client apps (e.g. Outlook), the user experience is simply to double-click on the app and silently connect (again 'zero sign-on'), so there is no need to even fire up the MyCentrify portal or deploy a federation service such as Active Directory Federation Services (ADFS). I will talk about our Office 365 support in a future blog.

[Note: this silent authentication capability for SaaS apps that have rich (or thick) client apps is quite analogous to our Kerberos support for on-premise systems and applications, e.g. Centrify can deliver silent Active Directory-based authentication from PC-based client apps such as SAPgui (the thick client to SAP NetWeaver) and PuTTY (an SSH client used to SSH into a Linux or UNIX box), or support SMB from, say, a Mac to access a Windows file server or a Samba server running Linux.]

SSO from a Mobile Device

Much like we have a MyCentrify portal that is accessed from a web browser, for mobile devices we have a native MyCentrify app that supports both iOS and Android. Again, this enables one-click 'zero sign-on' to websites, thereby providing a consistent user experience across all devices. All a user would have to do on the device below is launch our app, click on Salesforce or Postini etc., and silently authenticate to that website.

But what about support for native or rich mobile apps? That is, can Centrify give users that great 'zero sign-on' experience? After all, who has time for typing in a username and password on a smartphone while on the go?

The answer is yes, and that's where our Mobile Authentication Services (MAS) comes into play. IT organizations can use our MAS SDK with their own internal mobile apps, or take advantage of the fact that a growing list of vendors are supporting our Mobile Authentication Services capability to enable one-click zero sign-on access. Check out this YouTube video, starting at 30 seconds in, to see the SSO experience we can give you for the Box.net rich mobile app that supports our MAS SDK (this was filmed at Mobile World Congress, where we announced our Samsung OEM partnership).

KNOX Explained: Laptop Magazine interviews Centrify's David McNeely at Mobile World Congress in Barcelona.

Net net, Centrify has the SSO and zero sign-on experience covered, be it (a) from inside the firewall from a Windows, Mac or Linux client talking to an on-premise app such as SAP or even SSH'ing into a Linux server; (b) from a PC or Mac to a cloud/SaaS-based application; or (c) from a mobile device to any application anywhere.

Perhaps the best part of Centrify for SaaS 2013 is that you can use it for FREE! As with most of our products, we provide free express versions (which you can check out here). Centrify Express for SaaS is great because you can use all of the features I described here for your first three apps with unlimited users.
