Changing the Game: Simplified Authentication to IaaS

I am pleased to introduce the Identity Broker capability of the Centrify Privilege Service. Identity Broker for Linux enables a new paradigm in user authentication to Linux systems, which seamlessly integrates your choice of directory service, including Active Directory, LDAP directories or cloud directories such as Google G Suite Directory. This is a significant advancement in Centrify’s identity consolidation capabilities and delivers freedom of choice when deciding where to store your identities.

For 12+ years, Centrify has focused on delivering some of the best possible integration of Linux servers into Active Directory. Our customers are successfully securing identity, authentication and privilege across Windows and Linux systems on-premises and in the cloud. While we’ve seen nearly every imaginable Active Directory environment, from the simplest single domain to the most complex global multi-forest environment, there are new environments that require a new approach to managing identity and user authentication to Linux systems. The migration to the cloud is happening, and nearly every enterprise is moving servers and applications to IaaS providers such as Amazon AWS, Microsoft Azure and Google Cloud Platform. Many organizations are focused on deploying servers within AWS first. But as they look to reduce risk and improve uptime, they design for both fault tolerance and high availability by leveraging multiple infrastructure providers as well as multiple regions and availability zones within AWS.

This migration to IaaS creates a new set of challenges:

  • How to provide enterprise-grade identity, access and privilege management to servers and applications in the cloud.
  • How to protect resources at the same, or a higher level than for servers within the data center.
  • How to provide the required level of protection across servers in different hosting environments and different geographical regions.
  • How to provide access to IaaS servers for IT, developers and support staff even when these functions are provided by outsourced providers.
  • How to provide enterprise user login to the applications running on this new infrastructure.

Centralizing Identity and Privilege within Active Directory

We have several customers who are currently using Active Directory to control identity, access and privileges for their infrastructure and applications running in AWS, and many more customers planning their move to AWS. Active Directory provides a solid platform for managing infrastructure running on IaaS, but connecting it to the corporate on-premises Active Directory can be challenging. There are several deployment models for leveraging Active Directory in IaaS that extend your on-premises environment. Most of Centrify’s customers treat their IaaS as just another environment, like their DMZ. They either set up a new Active Directory “resource” forest with a one-way trust back to their corporate AD as the “account” forest (see the diagram below), or they run a Read-Only Domain Controller (RODC) for the corporate Active Directory with replicated accounts for the specific users who need this new environment. Centrify Server Suite works well within these environments, and we’ve done a lot of work over the years to make this even simpler, from enabling automation within the solution to providing guidance on deployment.


For more detail on deployment models, please visit the Centrify TechCenter for AWS.

Introducing Centrify’s Identity Broker Service for Linux!!!

Centrify, with Active Directory, provides a solution to centralize identity and access controls for both on-premises and cloud-based infrastructure; however, we saw the opportunity to simplify IaaS deployments in several ways that leverage the Centrify Identity Platform, the core of our Privilege Service and Identity Service products.

Centrify Privilege Service delivers a new service called Identity Broker that authenticates users to Linux servers via a lightweight agent. All of the Identity Platform’s connected directories are supported, without requiring direct connectivity between a server and the directory service or the creation of local users. The goal was to ensure that we could authenticate users from any connected directory, including Active Directory, LDAP, Centrify Cloud Directory or Google G Suite Directory.


Identity Broker includes several new features including:

  • Identity Broker-based user authentication via the Identity Platform
  • Linux user identities are managed as network accounts with auto-provisioned home directories
  • Role-based login authorization supporting users or groups of users across any directory
  • Automation-friendly enrollment process designed for elastic environments, with example scripts for use with User Data, OpsWorks and CloudFormation
  • Connector-based access to Centrify Identity Platform to eliminate the need for public IP addresses or internet connectivity
  • Integration with Centrify Privilege Service for shared account and application password management

This is only the beginning; we have plans to further extend the functionality offered by this new IaaS-friendly agent, all driven by the requirements and feedback from our customers. So, try it out now and give us your feedback.

To learn more about Identity Broker: