Centrify’s approach to IAM is more than SAML and SSO—it’s just what we’ve been waiting for

We last checked in with Centrify back at Mobile World Congress, looking at their partnership with Samsung, EMM capabilities, and multi-factor authentication. But as an identity and access management (IAM) vendor, they're doing a lot of other interesting things, too.

We haven’t spent too much time covering IAM (though we have had some sessions at BriForum, here and here), but really we should. In today’s world of pervasive SaaS and cloud apps, identity and providing SSO is an important part of EMM, desktop virtualization, and EUC in general. We all know what a pain and time-suck it is to have users dealing with a dozen different passwords for all their apps.

Anyway, a few weeks ago I went to Santa Clara to meet with some of their team to learn more about Centrify Identity Service, their suite of EUC-oriented products. (They also have data center and server products for managing identity on Linux, Unix, and Windows systems, called Centrify Server Suite.)

Like many IAM products, Centrify is built around a gateway web app or native mobile app that provides single sign-on to other apps, typically using SAML. Mostly this is for cloud-based web apps (I’ll get to other types of apps in a second). Today this is fairly mainstream, but naturally it skews towards enterprise-size companies. SaaS offerings like Office 365, Google Apps, and Workday are also big drivers of SSO and IAM.

But these days, IAM is about a lot more than just SSO using SAML. For example, here are some of the other efforts Centrify talked about:

Account Provisioning
Manually configuring user accounts in SaaS products isn’t scalable, so IAM platforms are automating this. Some services have custom APIs, but SAML can actually be used to do just-in-time provisioning. Another emerging standard is SCIM. Centrify uses this to make a completely automated experience: an admin adds a user; assigns them access to a SaaS service; the account gets created automatically; the service shows up in the user’s SSO portal; their device can be enrolled in MDM; and then the SaaS client is pushed to the device. This is stuff we’ve been talking about in EUC for years, and it’s cool to see that they actually make it possible.

Service Provider-Initiated Login
This is where, instead of going through the company’s SSO portal, a user goes directly to the SaaS vendor’s website and tries to log in with their credentials. It sounds simple, but it’s actually another tricky thing that service providers and vendors like Centrify have to figure out: the SaaS site first has to work out which customer’s identity provider that user belongs to, send them there, and then correctly match the answer that comes back to the login it started.
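To make the service-provider-initiated flow concrete, here is an added Python sketch (not Centrify’s code, and not from the original post) of what the SaaS side has to do: pick the identity provider from the user’s e-mail domain, issue a SAML AuthnRequest with a fresh ID, and only accept a response whose InResponseTo matches a request it actually issued. The IdP URL, entity ID and the single-domain lookup table are constructed sample values; XML signature verification is deliberately left out.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample "home realm discovery" table: which customer IdP owns which e-mail domain.
IDP_BY_DOMAIN = {"example.com": "https://idp.example.com/saml/sso"}
SP_ENTITY_ID = "https://saas.example.net/sp"          # hypothetical SaaS service provider
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# AuthnRequests this SP has issued and not yet seen answered, keyed by request ID.
pending = {}

def start_sp_initiated_login(email, requested_url):
    """User arrived at the SP directly: find their IdP and build an AuthnRequest for it."""
    domain = email.rsplit("@", 1)[-1].lower()
    idp_url = IDP_BY_DOMAIN.get(domain)
    if idp_url is None:
        raise ValueError("no identity provider configured for domain " + domain)
    req_id = "_" + secrets.token_hex(16)            # unguessable, single-use request ID
    # Remember the ID and the page the user wanted so the response can be tied back to it.
    pending[req_id] = {"idp": idp_url, "relay": requested_url}
    authn = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": req_id, "Version": "2.0",
        "AssertionConsumerServiceURL": SP_ENTITY_ID + "/acs"})
    ET.SubElement(authn, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return idp_url, ET.tostring(authn), req_id

def consume_response(response_xml, relay_state):
    """Assertion consumer endpoint: accept only a response that answers a request we issued.
    Returns the URL to send the user on to, or None if the response must be rejected.
    (A real SP must also verify the response's XML signature before trusting anything in it.)"""
    root = ET.fromstring(response_xml)
    entry = pending.pop(root.get("InResponseTo"), None)
    if entry is None:
        return None      # unsolicited, forged, or replayed response: no matching request
    if entry["relay"] != relay_state:
        return None      # RelayState was tampered with in transit
    return entry["relay"]
```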

New Forms of Multi-Factor Authentication
There are many options for authentication, but one that Centrify created uses an app on a known mobile device as a second factor. When you log in, a notification will come up on the device, and you simply push a button to authenticate. (It even supports wearables.) Administrators can set conditional policies for when a second factor is or isn’t required.

On-premises Identity and Access Management
Through a connector, the cloud-based Centrify service can manage access to your traditional applications.

SSO to Native Mobile Apps
SAML SSO on mobile is easy... as long as you’re logging into a web app. SSO into native mobile apps is much more difficult. Some possible standards are being worked on, but in the meantime the Centrify Mobile Authentication Services SDK provides SSO to native apps.

For enterprise mobility management, Centrify’s approach focuses on native device-based mobile app management features and MDM. They cater to Mac OS X as well, offering both traditional Active Directory group policy-based management and cloud-based MDM management. Another feat they accomplish is binding Mac OS X user credentials to users’ Active Directory credentials.

Centrify is a cloud-based service, but their method of operation is to leave customers’ Active Directory as undisturbed as possible. (Though they offer a cloud-based directory as well.)

The place of IAM in EUC

Looking at all of this, a few different (slightly unrelated) thoughts come up:

First, even though they take a lot of work, I can’t help but think all of the standards in the IAM space could be a model for some sort of universal app-level mobile app management standards.

Second, note that the other vendor besides Centrify making the biggest noise right now about combining IAM with EMM is Microsoft, which has Intune and Azure Active Directory both being part of the Enterprise Mobility Suite. IAM vendor Okta also announced EMM capabilities. This makes me wonder if Citrix or VMware will emphasize IAM with EMM a bit more this year.

Finally, sure, for some smaller companies—especially ones with more conservative attitudes about IT—IAM might be a lower priority or not even on the radar at all (just like EMM or mobility in general). But overall, SAML SSO and more advanced IAM techniques like the ones Centrify provides should be a part of the conversation when companies are updating their end user computing experience.
