Samsung KNOX and Mobile “Zero Sign-On”

In my last blog post I discussed what Samsung KNOX is and the release of our Centrify for Samsung KNOX solution, which delivers “Zero Sign-On” to web and rich mobile applications within KNOX and provides Active Directory-based container and device management. In this blog post I want to provide a bit more color commentary on the “Zero Sign-On” (ZSO) capabilities that Centrify provides and that come standard with KNOX.

As a reminder, Samsung KNOX is a new Android-based solution specifically designed to enhance the security of the open source Android platform. KNOX is not a product or a single feature; instead it is a suite of enhancements for popular Samsung Android devices designed to address the needs of government and enterprise IT managers as well as employees. It is important to note that while many of these features are unique to the Samsung KNOX platform, Samsung has maintained full compatibility with Android and the Google ecosystem so that existing Android applications will continue to work on Samsung KNOX devices.

Central to the KNOX experience is the ability to run corporate IT-approved apps in a secure application container completely isolated from the user’s other apps and data on the device. This container can be centrally managed by the IT department while still giving the user the ability to run personal applications in the standard Android environment.

Samsung KNOX container

One of the major features of Samsung KNOX is the ability to deploy and manage Single Sign-On (SSO) enabled applications. These applications can be web-based Software-as-a-Service (SaaS) applications such as Salesforce.com or Office 365 or they can be native Android apps that have been modified to work with the KNOX SSO service. A key feature of the KNOX SSO environment is its integration with Microsoft Active Directory, the most popular user and computer identity management system in use today. The SSO solution has been developed for Samsung by Centrify Corporation, a leader in cross-platform identity management solutions.

So how does this SSO experience work? When users enroll their device into Centrify’s Cloud Service, the device is joined to the corporate Active Directory domain, the secure KNOX container is created and a certificate-based trust is established between the KNOX container, the user and Active Directory. This certificate is used to authenticate the user of the device with the cloud service, validate that the user has a current Active Directory account and look up the user’s roles in order to know which applications the user will be allowed to run. With this trust in place, secure single sign-on is then possible. In fact, this experience could be described more aptly as “Zero Sign-On” (ZSO) since a certificate is used to authenticate access to applications rather than requiring the user to enter credentials.

Samsung KNOX container activated with Enterprise Identity

There are two types of SSO-enabled apps available to users: web-based SaaS apps and native mobile apps. Let me dive into each and show examples.

Zero Sign-On for Web Apps

Zero Sign-On for Rich Mobile Apps

Web-based Single Sign-On Apps

Administrators and end users can set up and deploy web-based or SaaS single sign-on applications for use inside the Samsung KNOX container using Centrify’s cloud-based tools. These web-based apps are listed in the Centrify for KNOX native app that runs inside the KNOX container.

Users simply go into the KNOX container (after providing their KNOX password), click on the Centrify for KNOX app, select the app they want to run and they are instantly taken to the app in their browser. The KNOX SSO Service handles authenticating the user using his or her certificate and allows role-based access based on the SSO parameters set up in the Centrify Cloud Service.


Steps to run Office 365 web-based SSO-enabled app in a Samsung KNOX container

Native Mobile Single Sign-On Apps

Centrify’s solution also supports adding SSO capabilities to native Android apps that run in a Samsung KNOX container. Once a native Android app is modified to take advantage of the protected Samsung KNOX container environment and enhanced to support the KNOX SSO service, both users and IT administrators can deploy these approved apps into the KNOX container, again using Centrify’s cloud-based tools. And again, the end user experience is extremely straightforward.

Users go into the KNOX container, where they will see the apps that have been deployed using the Centrify cloud-based tools. Users click on the native app and they are instantly taken to an app session without having to log in or provide credentials. Certificate-based authentication is handled through the Centrify SSO APIs, which call the KNOX SSO Service.


Steps to run Box native Android SSO-enabled app in a Samsung KNOX container

Both classes of SSO apps run within the secure KNOX container and relieve the user of having to remember a complex password for each app or, worse, use easily remembered weak or common passwords. This solution provides a double win by making users more productive and helping IT administrators secure their organizations when users run corporate applications. For more information on Zero Sign-On within KNOX, see this whitepaper (which some of my blog content was based on) on http://www.allthingsknox.com.

In a future blog post I will discuss in more detail the Centrify-supplied Active Directory and Group Policy management capabilities for Samsung KNOX devices and containers that come standard with KNOX.