Introducing Centrify Mobile Authentication Services: SSO is Dead, Long Live ZSO!

Centrify Leaps Forward as a Platform for Mobile

Today’s announcement of Centrify Mobile Authentication Services (MAS) extends Centrify’s mobile solutions in two strategic ways. First, Centrify MAS follows Centrify’s release earlier this year of its cloud service for Mobile Device Management (MDM). With MAS, Centrify is now making available the next major service powered by its cloud service — Active Directory based authentication for rich native mobile applications, making Centrify the only vendor to offer both integrated MDM and MAS. Second, Centrify evolves as a platform vendor for mobile solutions, by enabling developers of cloud and mobile applications to utilize Centrify’s MAS Software Development Kit (MAS SDK), as well as introducing the Centrify Mobile Technology Partner Program.

I am very excited today to introduce Centrify’s unique “Zero Sign On” experience for mobile devices with a developer preview of Centrify’s MAS SDK! “Zero Sign On” is the next-generation of traditional Single Sign-On where users of Centrify Cloud enabled devices can seamlessly access their mobile apps simply upon unlocking their mobile device. How this works is because users who have enrolled their mobile device in the Centrify Cloud Service are provided with a device certificate identifying the user of a specific device, so users are then able to use mobile apps that integrate with the Centrify MAS SDK to gain seamless access to authorized cloud services upon a passcode unlock of the mobile device.

I’m also thrilled to announce our strategic partnership with Appcelerator by making Centrify MAS available on Appcelerator’s Titanium platform. So to begin with, from a client OS perspective, MAS SDK will first be available for Android, and from a mobile enterprise app platform (MEAP) developer perspective, MAS SDK is available for Appcelerator’s Titanium platform. Future versions will include support for native client OS (iOS and Android), server side implementation kits, and support for more mobile app development platforms (MEAPs).

What can MAS do for YOU?

If you are an enterprise mobile application developer or an ISV offering a rich native mobile app for your cloud service, here’s how Centrify MAS can help you. In a nutshell, Centrify MAS makes it very easy for you to add to your rich client mobile applications the logic for authenticating users to Microsoft Active Directory, and obtain security tokens to access your SaaS/cloud service. You can now focus on developing your mobile application and let Centrify MAS solve enterprise identity and access related challenges for you. This graphic spells it out:



With Centrify MAS, as an ISV mobile app developer you can:

  • Add to your rich mobile application the ability to NOT prompt your app for username/passwords, but instead silently authenticate the app with the appropriate Windows AD credentials of the device’s user.
  • Provide Active Directory based authentication between mobile client applications on iOS/Android platforms and their server side cloud applications.
  • Build stronger enterprise grade authentication to your mobile app without having to deal or worry about any of the mechanics of matching identity providers, negotiating with intermediaries and other obscure protocol level gymnastics.

Why Centrify MAS for Mobile App ZSO vs traditional SSO?

To understand this better, lets first examine the two categories of mobile device applications. According to the Gartner report, “The Evolving Intersection of Mobile Computing and Authentication,” two categories of mobile device applications exist.  The first is the mobile web application (MWA).  Its technology and protocols are reasonably well understood because the MWA leverages a Web browser for communication with resources. As users demanded a richer experience, developers began leveraging the mobile devices’ native SDKs to build rich mobile applications (RMAs). The result is reflected in the adoption of RMAs vs MWAs. RMAs represent 65 percent of deployed mobile device applications.

 SSO for MWAs has been around for a couple of years now, being serviced using traditional tricks of the identity/access management trade as MWAs are largely compatible with existing web security mechanisms (eg., federation and WAM cookies). RMAs however are generally incompatible with traditional web security methods, and hence mobile app developers so far have had no choice but to handle user authentication via browser emulation for RMAs. This approach may be preferable from a usability perspective, but is certainly NOT preferred from a security, app developer and IT perspective for various reasons — one of them being the fact that the user’s password for one application may be shared with another application! None of the cloud SSO/ IAM vendors have stepped up to be nimble and deliver a truly native API centric mobile SSO solution for RMAs unlike Centrify has done today with MAS. Here’s why Centrify MAS is different that traditional SSO:

 A client mobile app performs SSO for its backend web service either using an active orpassive profile. The difference between the two types of profiles is simply the type of client software in use. A passive profile is where the client is a web browser or a mobile application built with browser based/HTTP requests to access web resources, where the client supports web cookies and SSL, but not much more than that. An active profile assumes a much smarter client application, one that can perform REST/JSON like web services API requests to access web resources.

 So you’d think that MWAs would employ passive profiles and RMAs would employ active profiles for SSO? Well, not really. As outlined above, for lack of a better choice and industry solution, until now both MWAs and RMAs have employed passive profile approaches for SSO where security token requests are done by numerous cumbersome browser redirects between the client, IDP and target web service. Needless to say, this approach has frustrated and challenged mobile application ISVs with redundant and complex code along with unnecessary wasted time supporting and architecting such solution deployments (firewall traversals and revere proxy setups for supporting on-premise IDPs).

 Now with Centrify MAS, RMAs can truly leverage an active profile approach, with one simple, high-level API call on the native mobile platform for user authentication. Centrify’s SDK makes it super simple for mobile ISV and enterprise mobile app developers by drastically eliminating complex authentication logic, redundant code, testing and TIME TO MARKET to SSO-enable their app. Centrify’s approach also ensures a stronger authentication model, and a “Zero Sign-On” user experience since the device leverages a PKI certificate issued by Microsoft Active Directory via the Centrify Cloud Service. Of course, PKI certificates alone won’t do the job, so MDM functionality is required for scalable, “over the air” management of certificates and the associated device/user identity lifecycle. As announced earlier in the year, Centrify’s DirectControl for Mobile solution delivers Active Directory based MDM, thereby providing the most comprehensive security & identity service for mobile devices. Centrify MAS is a win-win: both for the mobile app ISV developer and the end user!

 What’s Next?

To this end, I’m happy to note that we’ve received tremendous positive corroboration from several cloud & mobile platform vendors who’ve had a chance to preview Centrify MAS. Over the next few months, watch this space to read updates on these technology partnerships. If you are an ISV, I encourage you to take our MAS SDK for a spin and we would welcome your feedback. Centrify your mobile app and transform it with Zero-Sign-On!

 Please feel free to contact me for feedback and comments at: