Over the past two years I have had countless conversations with customers and prospective customers who have asked: “we love what you do for SSO and MFA for employees, and how you do privileged identity management for IT staff … can we extend those capabilities to our business partners and customers?” These customers have all had a common goal in mind — they want to use a single platform and tool to manage user access to resources regardless of who the user is or where the user identity comes from. Well, to all of those people with whom I have discussed these use cases in the past, I am thrilled to announce that our platform can now be used to serve all of your disparate user types: employees, partners and customers!
We have extended our support to external users through the introduction of two new capabilities:
- Business Partner Identity Federation (aka B2B)
- Customer SSO (aka B2C)
Now, from a single platform, organizations can manage identities, enable SSO and enforce MFA for employees (both end-users and privileged users), partners and customers!
Business Partner Identity Federation (B2B)
The demand for this capability stems from the fact that now, more than ever, businesses thrive and grow through close collaboration with their partners. Often this collaboration involves sharing applications (on-prem or in the cloud) with those partners. While sharing access to an application among partners helps to improve efficiency and communication, managing partner user identities is a burden for the organization trying to share the applications. What companies want is a simple yet secure way to share resources with their partners, whereby user administration is delegated to the trusted partner.
For years, our platform has enabled SSO to applications through authentication protocols such as SAML. SAML applications use token-based authentication, where the Service Provider (SP) accepts SAML assertions issued by an Identity Provider (IdP) in order to grant access to users. To support collaboration between partners, we have made our platform (Centrify Identity Service and Centrify Privilege Service) act as a Service Provider from a SAML perspective as well. This enables the platform to consume SAML assertions from any trusted IdP to grant access to the platform, which in turn provides access to the downstream applications. This approach allows our customers to partner with other Centrify customers, and/or with partners using a 3rd party IdP.
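To make the SP side of that federation concrete, here is an added example (not Centrify's code) of the trust checks a SAML Service Provider makes on an inbound assertion before mapping the user to a partner account: is the Issuer a federated partner IdP, is the assertion inside its validity window, and was it minted for this SP's entityID. It assumes the XML signature has already been verified by the SAML library in use; the entity IDs, partner registry and sample assertion are constructed.

```python
# Added example, not Centrify's code: SP-side trust checks on a SAML assertion.
# Assumes the XML signature was already verified by the SAML library in use.
# Entity IDs, the partner registry and the sample assertion are constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_SP_ENTITY_ID = "https://sp.sharing-party.example/saml"  # constructed
CLOCK_SKEW = timedelta(minutes=2)  # tolerated clock drift between IdP and SP

# Constructed registry of partner IdPs the sharing party federates with.
# The Issuer (IdP entityID) decides which partner's delegated users these are.
TRUSTED_PARTNER_IDPS = {
    "https://idp.partner-a.example/saml": {"role": "partner-a-users"},
}

# Constructed assertion; a real one would also carry a ds:Signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2017-03-01T12:00:00Z">
  <saml:Issuer>https://idp.partner-a.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-03-01T11:59:00Z" NotOnOrAfter="2017-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.sharing-party.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC in the form 2017-03-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text: str, now_utc: str) -> dict:
    """Decide whether this SP should accept the assertion at time now_utc."""
    root = ET.fromstring(xml_text)
    now = parse_ts(now_utc)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    partner = TRUSTED_PARTNER_IDPS.get(issuer)  # only federated IdPs are trusted
    if partner is None:
        return {"accepted": False, "reason": "untrusted issuer"}
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return {"accepted": False, "reason": "missing validity window"}
    if now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
        return {"accepted": False, "reason": "assertion not yet valid"}
    if now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        return {"accepted": False, "reason": "assertion expired"}
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_SP_ENTITY_ID not in audiences:  # assertion was minted for a different SP
        return {"accepted": False, "reason": "audience mismatch"}
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return {"accepted": True, "reason": "ok", "subject": subject, "role": partner["role"]}
```

The partner's own IdP decides who `alice` is; the SP only decides whether it trusts that IdP and whether this particular assertion was meant for it and is still fresh.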
We’ve also created a simple licensing model for B2B deployments. The sharing party pays for B2B user licenses when the partner is using a 3rd party IdP, while federation with another Centrify tenant (even Express tenants) is free. This is great for partners who don’t have an IdP in place already. In this case, the partner can choose whichever IdP they want; if they choose Centrify, there’s no cost to either party!
Customer SSO (B2C)
The story behind our B2C offering is similar, in that customers have expressed the desire to outsource identity management and authentication for the apps they wish to make available to their end customers. This boils down to the fact that identity and access management is not a core competency of most companies. Our customers are great at managing and running their businesses; they are not experts in identity. These customers have told us that they would like to use our platform to authenticate users to their products. Many of them have built their own apps over the years, often resulting in several disparate customer-facing apps. These organizations struggle with their own growth and are now faced with the challenges of identity silos and apps that lack a common user interface. They have turned to us to help them, and with our B2C offering we are now ready to help! SSO for customers is enabled by two new additions to our platform:
- Social Login: Centrify Identity Service now enables end customers to log in with existing social credentials (Facebook, LinkedIn, Google or Microsoft), or to create a cloud account in the Centrify Cloud Directory.
- OpenID Connect Support: OpenID Connect enables SSO just like SAML; however, it’s simpler to use because it does not require exchanging certificates between the parties. For this reason, many organizations have built (or are building) their custom apps using OpenID Connect. While social login provides easy access into the platform, OpenID Connect support delivers SSO into an organization’s custom apps.
While the above features are new, we have also been focusing our efforts on documenting our RESTful APIs and creating sample apps that use these APIs, to make it easy for developers to leverage our platform from their own websites and applications. Stay tuned for more to come on all of these efforts!