Friday, March 29, 2013
I have mentioned 'Zero Sign-On' in past blogs, but in this post I wanted to explain the differences between Zero Sign-On (ZSO) and Single Sign-On (SSO).
Both ZSO and SSO mean you have one username and password (e.g. your Active Directory username and password; people often refer to the two combined together as your Active Directory ID) across a plethora of apps and operating systems. Note I included operating systems — be it mobile, PC, Mac or server OSes such as Linux, UNIX or Windows — as people log into those systems every day just like they log into apps. [Many SSO vendors conveniently forget to mention that many people log onto multiple systems and devices each day, especially if they are an IT person. Maybe it's because they only support SaaS apps.]
The core difference is usually that SSO means you have to re-enter the username and password, i.e. your ID, every time you log into a system or app. Granted, it is better to have a single ID vs. multiple IDs, but it is a pain in the butt to have to re-enter the same ID over and over again every time you log onto a new app etc.
ZSO is about silent authentication: once you are initially authenticated, you never have to type in your ID again when you launch an app or, say, SSH into another system. I sometimes refer to ZSO as 1-click access, i.e. click on the app and you auto-magically authenticate, with no prompting for a username and password. And of course it does so in a secure manner using secure protocols (vs. storing/caching credentials on a local device).
ZSO is very important on mobile devices, especially for rich mobile apps. The reason is that the form factor of a mobile device (e.g. a smartphone) is such that even if you had a relatively simple username and password, odds are you are going to screw up typing that username and password in, and a simple login process may end up being a 30-second to 1-minute process. Because 'who has time for something like this':
Centrify has been doing ZSO for years at the operating system level via Kerberos (in fact we support over 400 flavors of UNIX/Linux/Mac/etc.), i.e. once you log onto your Windows PC or a Centrify-enabled Mac/Linux/UNIX system, you get a Kerberos ticket. That Kerberos ticket then works on any Centrify-enabled non-Microsoft system or app, or on any Windows system. That is, a user who logs onto a PC can use an SSH client like PuTTY and silently authenticate to a Linux server, or seamlessly access a Samba share. Or a person on a Mac can access SAP NetWeaver on, say, a Linux system (running our SAP plug-in) from a browser without having to log in.
In the case of SaaS and cloud-based apps, we provide ZSO through a few interfaces. From a Mac or PC that is on premise, because our MyCentrify portal supports integrated Windows authentication, you don't need to log in to our MyCentrify portal, which you can use to launch apps such as Box. You can also create bookmarks and desktop shortcuts so you don't even have to use our portal. If you are off-premise on your Mac or PC, you do need to log in once to our portal using your AD credentials, but from there it is 1-click access to hundreds of apps.
Here is a simplified view of the MyCentrify portal with 4 apps, so for example Box is just 1 click away, i.e. click Box
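The two paragraphs above hinge on one artifact: the Kerberos TGT issued at logon, which is then exchanged silently for service tickets (for the SSH host, for the portal accepting integrated Windows authentication). The added example below, which is not Centrify code, parses the credential cache as shown by MIT Kerberos `klist` (date format assumed to be the en_US default; the sample output is constructed) and reports how long silent authentication will keep working and which services have already been reached.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed klist output (not from a real host): the TGT issued at logon plus two
# service tickets obtained silently afterwards, one for SSH to a Linux host and one
# for a web portal that accepts HTTP Negotiate (integrated Windows authentication).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@CORP.EXAMPLE.COM

Valid starting       Expires              Service principal
03/29/2013 08:00:00  03/29/2013 18:00:00  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
\trenew until 04/05/2013 08:00:00
03/29/2013 08:05:12  03/29/2013 18:00:00  host/linux01.corp.example.com@CORP.EXAMPLE.COM
03/29/2013 08:07:40  03/29/2013 18:00:00  HTTP/mycentrify.corp.example.com@CORP.EXAMPLE.COM
"""
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed: MIT klist default format in an en_US locale
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")

@dataclass
class Ticket:
    valid_from: datetime
    expires: datetime
    service: str  # e.g. "krbtgt/REALM@REALM" or "host/fqdn@REALM"

def parse_time(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT)

def parse_klist(text: str) -> List[Ticket]:
    """Return the tickets listed in klist output; header and 'renew until' lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append(Ticket(parse_time(m.group(1)), parse_time(m.group(2)), m.group(3)))
    return tickets

def tgt_seconds_left(tickets: List[Ticket], now: datetime) -> Optional[int]:
    """Seconds until the TGT expires (negative if already expired); None when no TGT is cached."""
    tgts = [t for t in tickets if t.service.startswith("krbtgt/")]
    if not tgts:
        return None
    return int((max(t.expires for t in tgts) - now).total_seconds())

def services_reached(tickets: List[Ticket]) -> List[str]:
    """Service principals already authenticated to in this session: the client-side trace of ZSO."""
    return sorted(t.service for t in tickets if not t.service.startswith("krbtgt/"))
```

Once `tgt_seconds_left` reaches zero the silent hops stop and the user is back to being prompted, so the ticket lifetime, not the password, is what bounds a ZSO session.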
And boom you are in
From a mobile device, where ZSO is most important given the form factor, for web-based apps we offer the same MyCentrify experience with a single click. A key differentiator is that we offer MyCentrify on mobile in the form of a rich native mobile app for Android and iOS, so there is no dealing with a clunky portal that was designed for usage on a PC.
Here is the MyCentrify portal from Android. Again click on Box
and you are into your Box account.
But given that more and more consumers prefer rich mobile apps, we offer our Mobile Authentication Services SDK, which ISVs can use to provide single-click access. Again using Box as an example, because they support our SDK on the Android platform as part of our Samsung KNOX OEM relationship, all you need to do is click on the Box mobile app
And voila they are into Box as shown below
So compare the results: do you want to spend your time fat-fingering your passwords with this
Or do you want to spend your time using the app like this?
The point is, who has time for SSO when you can have ZSO? Here is a video of Box Zero Sign-On that ties this all together: