The Brokered Authentication Service is a unique Centrify capability involving a Centrify Client (running on a host server) and the Centrify Platform (running as a SaaS service in the cloud).
When an administrator tries to log in to a server, a software-based control must verify the credentials presented. That control must be able to query an enterprise directory that is authoritative for the user’s ID. This is trivial if everything is in the same network — the enterprise directory, the resource, and the access control software. However, in modern use cases this is often not the case (for example, an enterprise Active Directory or LDAP directory on-premises, but Linux and Windows instances running in an AWS VPC with no external Internet access).
Traditional solutions are far from ideal. Site-to-site VPNs from the IaaS provider are expensive and are required for every VPC, in every IaaS cloud, where you stand up resources. Another option is replicating some or all of your enterprise directory infrastructure in the cloud and configuring trust between the two. This, too, can be very expensive, and it adds complexity, reduces operational efficiency, and increases your risk because you have to open additional firewall ports.