Secure Privileged Access Without Managing Identities
Each new identity created is one more target for the bad guys to go after and increases the risk that their attack strategies will successfully breach enterprise defenses. Centrify Platform’s federation enables secure privileged access for humans and applications without creating new identities.
Identity Federation for Humans and Applications
Centrify Platform’s federation service delivers SAML, OpenID Connect, and OAuth2 support for humans and applications.
Simplify and Secure
- Govern privileged access without duplicating identities
- Simplify with one Secure Token Service for privileged access
- Replace service accounts with short-lived tokens
Secure Privileged Access to the Centrify Platform
Centrify Platform’s federation service includes a built-in SAML Service Provider that enables users from other trust realms (identity providers) to log in to the Centrify Platform. Context furnished by the identity provider to the Centrify Platform is used to map users into pre-defined roles that govern their privilege, without any prior knowledge of the user. As a result, organizations quickly onboard outsourced IT and third-party vendors with a single sign-on experience and reduce the risk and administrative overhead of managing duplicate user identities.
Secure Token Service
For increased security, Centrify Platform’s federation service provides a Secure Token Service (STS) to eliminate the use of passwords in applications and reduce your attack surface. Trusted applications use the STS APIs to obtain cryptographic, short-lived tokens instead of relying on long-lived passwords for authentication and authorization.
Broad Token Support
- OpenID Connect
- PKI certs
- SSH certs
Short-Lived Access to Web Apps
Leveraging Centrify’s secure token service, organizations can minimize the risk associated with remote access threats. Admins or workloads that need access to web admin consoles leverage the STS to generate SAML and OAuth2 tokens for secure access. This model enables seamless and short-lived access to web admin consoles from the Centrify Portal and from workloads running on Centrify managed systems.
API Access to Centrify Platform Services
Centrify Platform’s STS enables workloads to securely leverage Centrify services without creating new service accounts that expand your attack surface. The STS generates scoped OAuth2 tokens based on a machine’s identity; these tokens grant applications and microservices access to Vault Suite APIs and other Centrify Platform services.
Eliminate Weak Passwords for Application-to-Application Access
Increase security with identity federation and short-lived tokens for application-to-application access rather than creating per-app service accounts that expand the attack surface. Centrify Platform acts as the Identity Provider (IdP) on behalf of server applications on trusted systems. This enables client applications, leveraging their host’s machine identity, to request temporary credentials for federated access to the server application.
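The pattern described in the two sections above (a token service minting a scoped, short-lived token bound to a machine identity, and the receiving service checking signature, expiry and scope before granting access) is illustrated here as an added example. It is not Centrify code and does not use Centrify's STS APIs; the signing key, claim names, machine identifiers and scopes are constructed for the illustration, and an HMAC-signed token stands in for the product's OAuth2 tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the illustration; a real STS keeps this in a vault or HSM.
STS_KEY = b"demo-sts-signing-key"
TOKEN_TTL_SECONDS = 300  # short-lived: a five-minute validity window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(machine_id: str, scopes: list, now: Optional[float] = None) -> str:
    """Token-service side: mint a scoped token bound to a machine identity and an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": machine_id, "scope": sorted(scopes),
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, required_scope: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource side: accept only an untampered, unexpired token carrying the required scope.

    Returns the claims on success and None on any failure, so callers cannot
    accidentally treat a rejected token as authorized."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(STS_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison of signatures
        return None
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:  # expired tokens are rejected, so a leaked token has a bounded lifetime
        return None
    if required_scope not in claims["scope"]:  # least privilege: scope must match the requested operation
        return None
    return claims
```

Because the token carries its own expiry and scope, nothing long-lived is stored on the workload, which is the property the page contrasts with per-app service accounts.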