Going Beyond SaaS Single Sign-on (SSO)

Recently there has been some good buzz around “Cloud Identity,” given recent high-profile VC investments and Salesforce entering the market with the announcement of Salesforce Identity. Whether you call it “Cloud Identity” or “Identity and Access Management for the Cloud” (with a word like “Enterprise” or “Secure” thrown in front for good measure), and whether or not you are touting the idea that “Identity is the new Perimeter,” the concept being implemented by vendors in this space is basically the same: provide a portal from which end users get single-click access to all their cloud apps, be it Salesforce.com, WebEx, Office365, etc., the more the merrier. Centrify has recently introduced our SaaS SSO solution with our MyCentrify portal, and as you can see from the screenshot below, we provide said portal. In this blog post I want to talk about where I see existing “Cloud Identity” solutions falling short and how Centrify goes beyond their approaches.

[Screenshot: Apps in the MyCentrify Portal (Centrify SaaS SSO Portal)]

The first area where I see existing cloud identity solutions falling short is the obvious fact that the vast majority of organizations’ IT infrastructures are not 100% cloud, and therefore these solutions really provide only a subset of what end users need vis-à-vis a single sign-on experience. At the same time, it is very rare to see an organization’s IT infrastructure be 100% on-premise. What we see across the board is that each organization has a hybrid of on-premise data center, cloud and mobile resources, some of which is owned by central IT, some of which is owned by users (e.g. mobile devices), and some of which is leased on a subscription basis (e.g. SaaS apps).

This means end users not only need SSO to all the new SaaS apps and other cloud resources, but they still also need access to their on-premise stuff like SAP, Oracle, SharePoint, Exchange, etc. Granted, this stuff may over time be slowly replaced by cloud equivalents, but it is still here today and needs to be integrated into the end user SSO experience. End users also need to log in to their underlying PCs, Macs and mobile devices, and if they are IT folks, they also have privileged logins to servers, routers and apps.

Some of the cloud identity vendors are now trying to sell an “enterprise” and/or “hybrid” story that can address on-premise apps, but in essence they are capturing a username/password on an internal web form and playing it back via their portal. While this provides some value, the drawback is that some apps (e.g. SAP GUI) are still not web-based (i.e. they are fat clients), and it does not address the underlying operating system login that users go through across all their various devices. Screen scraping also does not address the issue of having a single strong username and password stored in a central identity store that has policies applied to it: the screen-scrape approach still allows weak passwords, because the portal never owns the credential it replays, and it does little to consolidate identity stores.

So when Centrify entered the market with our SaaS support, we wanted to seamlessly span both cloud and on-premise with a set of unified identity services, with the understanding that a mix of software (for systems and devices, and plug-ins for on-prem apps) and cloud services (for off-premise resources) would be needed. So yes, we can deliver the SaaS SSO portal that others give you, but we also have native and deep integration with hundreds of operating systems (e.g. Mac, Linux, Android, iOS, etc.) and applications (e.g. SAP, Apache, JBoss, etc.). We support SAML, OpenID, etc., but also support authentication mechanisms such as Kerberos, Pluggable Authentication Modules (PAM), JAAS (Java Authentication and Authorization Service), etc. In other words, we deliver not just “on-demand” services but software + services, much like customers are running a mix of apps and systems that are themselves both software and services. In addition, this allows us to offer more of an end-to-end solution, as our SSO experience takes over from the moment the user logs in to their underlying Mac, PC, mobile device, etc.

The second area where I see existing “cloud identity” solutions falling short is their mobile support. Most of these solutions were built and architected before the iPhone and iPad (i.e. before it became clear that mobile devices were going to become the preeminent means of accessing apps) and are very web-portal-centric, with their mobile SSO experience supporting only web-based apps rather than also supporting rich mobile apps. They also provide no means to ensure that the user’s mobile device is trusted/secure, and while they may provision a user in the cloud service, they ignore giving the end user the corresponding app on their device.

Centrify built our next-generation cloud service with the understanding that mobile is the emerging de facto standard for user access. Centrify allows mobile devices to “domain join” Active Directory and become trusted via a PKI certificate. In addition, our solution lets IT apply mobile device-specific group policies to ensure the underlying device is secure (e.g. ensure that a PIN is required to unlock the phone, etc.) and allows IT to remotely wipe a lost or stolen device.

We can do this while at the same time enabling “zero sign-on” authentication from the mobile device to cloud-based services. The zero sign-on comes from the device being trusted. The mobile single sign-on can also extend to rich mobile apps via our Mobile Authentication Services SDK, and in the coming months we will be announcing some high-profile SaaS vendors supporting it with their mobile clients. Finally, with Centrify for SaaS, IT can not only set up roles to control who can access which SaaS apps, but can also specify which mobile apps are associated with a given role. Hence we uniquely deliver mobile SSO together with mobile app management.

[Screenshot: Mobile authentication integrated with mobile application management]

The final area I want to highlight has to do with the fact that some cloud identity vendors force you to use their directory that resides in their cloud. While they talk about Active Directory integration etc., their architecture in the end requires a customer to store end user identity in the vendor’s directory in the cloud. This may be appealing for an organization that does not have an existing directory (but take into account that AD has 95+% market presence), but for the vast majority of customers this becomes YAD (Yet Another Directory) that they must manage and sync data to. The fact is that IT organizations tend to want to consolidate identity stores, not add more. And rightly or wrongly, some customers are not yet ready to have the keys to the kingdom (i.e. usernames and passwords) stored in a third-party directory in the cloud.

Centrify takes the approach of not storing identity data in the cloud, with our cloud service acting as a secure identity broker/gateway to a customer’s on-premise Active Directory. This means no usernames/passwords inside your AD are replicated or synced to the cloud, and you can use your existing skillset, tools, knowledge and processes to continue to manage your organization’s identity infrastructure. We do realize that a small percentage of potential customers may not have AD or may want to move to a cloud-only architecture, so in the coming months we will be coming out with support for identity stores in the cloud, thereby giving customers flexibility in where they store their corporate identities.
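To make the difference between the two architectures discussed above concrete (the screen-scrape/replay portal of the earlier section versus a broker that fronts an on-premise directory without exporting its credentials), here is an added illustration. It is not Centrify's code and does not describe how the Centrify cloud service is implemented; the directory contents, the role-to-app mapping, the function names and the use of an HMAC-signed token as a stand-in for a SAML assertion are all assumptions made for the example. It shows that the broker side receives a password only to verify it against the on-premise store, can enforce the store's password policy and role assignments, and hands the SaaS application a short-lived, audience-bound assertion instead of a reusable secret, whereas a replay vault must hold the secret itself in a form that is enough to log in as the user.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed on-premise identity store: PBKDF2 hashes only, never plaintext.
# The salt is fixed (hypothetical) so the example is deterministic.
SALT = b"constructed-example-salt"


def _pbkdf2(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


ON_PREM_DIRECTORY = {
    "alice": {"hash": _pbkdf2("Tr0ub4dor&3-correct-horse"), "roles": {"sales"}},
    "bob": {"hash": _pbkdf2("Initial-Bob-Passw0rd!"), "roles": {"engineering"}},
}

# Constructed role-to-application mapping (which SaaS apps a role may reach).
ROLE_APPS = {"sales": {"salesforce", "webex"}, "engineering": {"office365"}}

# Key shared by the broker and the SaaS verifier. Assumption: HMAC stands in for
# the asymmetric signature a real SAML/OpenID federation would use.
BROKER_KEY = secrets.token_bytes(32)


def set_directory_password(username: str, new_password: str, min_len: int = 12) -> bool:
    """Central policy enforced where the identity lives (constructed minimal rule:
    minimum length and not purely letters or purely digits)."""
    if username not in ON_PREM_DIRECTORY:
        return False
    if len(new_password) < min_len or new_password.isalpha() or new_password.isdigit():
        return False
    ON_PREM_DIRECTORY[username]["hash"] = _pbkdf2(new_password)
    return True


def authenticate(username: str, password: str) -> bool:
    """Verify against the on-premise store; only a yes/no leaves this function."""
    entry = ON_PREM_DIRECTORY.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry["hash"], _pbkdf2(password))


def issue_assertion(username: str, password: str, app: str, ttl: int = 300, now=None):
    """Broker: authenticate on-prem, check the role mapping, emit a signed,
    audience-bound, short-lived token. The SaaS app never sees the password."""
    if not authenticate(username, password):
        return None
    roles = ON_PREM_DIRECTORY[username]["roles"]
    if not any(app in ROLE_APPS.get(r, ()) for r in roles):
        return None
    now = time.time() if now is None else now
    payload = {"sub": username, "aud": app, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(BROKER_KEY, body, "sha256").digest()
    return body + b"." + base64.urlsafe_b64encode(sig)


def verify_assertion(token: bytes, app: str, now=None):
    """SaaS side: check signature, audience and expiry; return the subject or None."""
    try:
        body, sig = token.split(b".")
        expected = hmac.new(BROKER_KEY, body, "sha256").digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, KeyError):
        return None
    now = time.time() if now is None else now
    if payload.get("aud") != app or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


# Contrast: a portal that captures a password on a web form and plays it back
# has to keep the reusable secret, and cannot apply any policy to it.
VAULT = {}


def vault_store(username: str, app: str, app_password: str) -> None:
    VAULT[(username, app)] = app_password  # stored as-is, whatever its strength


def vault_replay(username: str, app: str):
    return VAULT.get((username, app))  # leaves the vault in directly usable form


if __name__ == "__main__":
    tok = issue_assertion("alice", "Tr0ub4dor&3-correct-horse", "salesforce")
    print("assertion for salesforce:", tok)
    print("verified subject:", verify_assertion(tok, "salesforce"))
    print("same token at webex:", verify_assertion(tok, "webex"))
    print("weak password accepted by directory:", set_directory_password("bob", "password"))
    vault_store("alice", "legacy-app", "hunter2")
    print("what the replay vault hands out:", vault_replay("alice", "legacy-app"))
```

The point of the two halves is where the reusable secret lives: in the brokered flow the SaaS application can be compromised without yielding a directory password, and a stolen token dies at its expiry and only works for its audience, while in the replay flow a compromise of the vault yields working credentials for every app it fronts.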

The bottom line is that it is exciting to see such interest in “cloud identity,” and no doubt the market will evolve, as we are still in the early days. Our unique approach at Centrify is to take a unified identity services approach that spans data center, cloud and mobile, which we believe gives customers the best option no matter where they are on the journey from on-premise to cloud.