Chapter 1
Services and components overview
Centrify Identity Services is a set of services that simplify provisioning
applications, managing users, setting policies, and managing remote devices.
This section contains the following topics:

"Component summary" on page 1-2

"Which software is installed and where" on page 1-6

"Supported web and device browsers" on page 1-8

"Supported devices" on page 1-9

"Foreign language support" on page 1-10


"Enabling read-only access for Centrify Identity Services support" on page 1-11

"Logging in to the user and administrator portals with silent authentication" on page 1-13

"Centrify Identity Services user portal overview" on page 1-14

"Selecting an identity repository" on page 1-16

"Selecting a policy service" on page 1-18

Component summary
Centrify Identity Services is composed of the following services, web portals for
administrators and users, and mobile applications users can install on their iOS
and Android devices.

Policy Service: A service that provides integrated mobile security
management. You configure policies for managing mobile device settings and
Centrify Identity Services automatically installs the policies in enrolled
devices.
You can also use the Active Directory Group Policy Management Editor to set
mobile device policies. See "Selecting a policy service" on page 1-18 to learn
more about your options.
Admin Portal user’s guide
App Catalog: The set of SaaS web applications ready for immediate
assignment to users. Application templates are also provided so you can
assign your own web and mobile applications and free applications from
Google Play or the Apple App Store. See Managing applications when you
are ready to start adding applications to your directory service and deploying
them to users.
Centrify CA: A certification authority that generates certificates for devices
when you use the Centrify directory policy service for device policy
management. The certificates are automatically generated when you enable
Wi-Fi, VPN, or Exchange ActiveSync policies and select certificates for
authentication. The certificates are automatically installed when the user
enrolls the device.
App Gateway: An infrastructure that provides secure access to on-premise
web servers. When you use the App Gateway, a VPN is not required. You
install the Centrify Connector to use the App Gateway. The App Gateway
also provides single sign-on to the web applications. See Adding internal web
applications to deploy internal applications for remote access.
Admin Portal administrator portal: Admin Portal is the web portal you use
to configure Centrify Identity Services, deploy web applications, manage
users, generate reports, and monitor user activity. If you are using Centrify
Identity Services for mobile device management, you use Admin Portal to
manage the enrolled devices too.
Centrify user portal: The user portal is your users’ interface to Centrify
Identity Services. They open the user portal from their computer’s browser to
open the web applications deployed to them, monitor their activities, and
manage their directory service profile. If you use Centrify Identity Services
for mobile device management, users can also self-manage their devices from
the user portal.
Centrify application: A free mobile application for Android and iOS devices
that users install on their devices to enroll their devices in the directory
service. It provides single sign-on to the applications you deploy to them.
The Centrify application includes a browser that is opened in place of the
device’s default browser for web applications that require a browser extension
to provide single sign-on. This lets users run the same applications they open
from their desktop browser on their devices. If the web application does not
require the browser extension, the application opens in the user’s selected
browser.
Centrify for KNOX application (not shown): A free mobile application that
users with Samsung KNOX Workspace devices install in their Samsung
KNOX container. It provides single sign-on to the web applications you
assign to the user from inside the container.
Centrify Identity Services Browser Extension (not shown): A free browser
add-on that’s required to provide single sign-on for some applications. The
user portal prompts the user to install the extension when the user opens one
of these applications. The Centrify Identity Services user portal helps to
provide Centrify Identity Services Browser Extension installation instructions
for Firefox, Windows Explorer, Chrome, and Safari browsers.
The browser extension can also be used to add applications that are not listed
in the Centrify Identity Services App Catalog. See Adding web applications by
using Centrify Infinite Apps.
Centrify Identity Services also includes the optional Centrify Connector. This is a
software package you install on Windows computers inside your firewall that you
can use for any of the following services:
AD Proxy: You use the Active Directory/LDAP proxy to authenticate users
with Active Directory/LDAP accounts for access to the administrator and
user portals. Optionally, this lets you use Active Directory Users and
Computers to manage devices and Windows Group Policy Management to
manage mobile device policies.
App Gateway: You use this service to provide secure, remote access to web
applications running on internal application servers.
Active Directory/LDAP Certificate Service (not shown): You can use the
default certificate authority instead of the Centrify CA to generate certificates
for user authentication. See Selecting the Centrify directory policy service for
the details.
See How to install a Centrify Connector to download and run the installer.
You install one set of connectors when all of the directory service users are in
domain trees or forests that have two-way, transitive trust relationships between
the domain controllers. If your organization has multiple, independent domain
trees or forests, you install a separate set of connectors for each tree or forest. See
Supporting user authentication for multiple domains for the details.
When you use the connector to authenticate Active Directory users, the installer
includes the following extensions:
Active Directory Users and Computers console extension (not shown): A
console extension that adds tabs to the mobile device’s and user’s Active
Directory Properties windows with directory service information. When you
install the console extension, you can use Active Directory Users and
Computers to manage devices.
Group Policy console extension (not shown): A console extension that adds
a comprehensive set of mobile device policies for Samsung, Android, iOS,
and OS X devices. When you install this console extension, you can use
Windows Group Policy Management to create group policy objects and
install them on mobile devices.
Which software is installed and where
The software you and your users install depends upon whether you are using
Centrify Identity Services for single sign-on, mobile device management, or both.
After you have made that decision, the components you install depend upon
whether you are using the Centrify Directory or Active Directory/LDAP to store
user account and device data.
Using the Centrify Identity Services for single sign-on
When you use Centrify Identity Services for single sign-on only with the Centrify
Directory as your identity store, there is nothing for you to install. In this
environment, you use Admin Portal to assign the web applications and create the
user accounts and roles in the Centrify Directory. In this case, the users log in to
the user portal from their browser to open the applications with single sign-on.
Note: It may be necessary for users to install the Centrify Identity Services
Browser Extension on their browser. Many popular applications require the
browser extension to provide single sign-on.
You can also provide single sign-on to the web applications from the users’
devices. In this case, the users need to install the free Centrify application on their
devices and enroll their devices in the directory service.
If you want to use your Active Directory/LDAP accounts to authenticate directory
service users, you install the Centrify Connector and the Active Directory Users
and Computers console extension on a Windows computer inside your firewall.
Note that Active Directory Users and Computers is for Active Directory
deployments only.
Using Centrify Identity Services for mobile device management
When you use Centrify Identity Services for mobile device management with the
Centrify Directory as your identity store, there is nothing for you to install. You
use Admin Portal to create user accounts, create policy sets for the devices, and
deploy mobile applications.
The users install the free Centrify application on their devices and enroll their
devices in the directory service. After the device is enrolled, the directory service
installs the mobile device policies and mobile applications and deploys web
applications. Users then use the Centrify application to open the mobile and web
applications you deploy to them.
Users open the user portal from their browser to monitor their devices and send
self-service commands to them. If they are also using the user portal to open the
web applications you deploy to them, they may also need to install the Centrify
Identity Services Browser Extension.
If you want to use your Active Directory accounts to authenticate users, you install
the Centrify Connector, the Active Directory Users and Computers console
extension, and the Group Policy console extension on a Windows computer inside
your firewall.
Supported web and device browsers
This version of Centrify Identity Services has been tested with the following
browsers:

Internet Explorer: version 11 on Windows 2008 server and Windows 2012
server, and Windows 7 and Windows 8

Microsoft Edge: on Windows 10

Mozilla Firefox: latest version available at release

Google Chrome: latest version available at release

Apple Safari: 8
In addition, browser support for the Centrify Browser Extension is indicated in the
following table.
Browser                                Form filling   App capture
Chrome (latest available at release)   Yes            Not supported
Firefox (latest available at release)  Yes            Yes
Safari 11                              Yes            Not supported
IE 11                                  Yes            Not supported
For silent authentication to work correctly, some web browsers need additional
configuration (see How to configure browsers for silent authentication) or a
browser extension (see How to install the Centrify Identity Services Browser
Extension).
On devices, the Centrify application and Centrify for KNOX open the web
applications in the native browser unless that application requires a browser
extension to provide single sign-on. For these applications only, the Centrify
application and Centrify for KNOX open the application in its built-in browser.
Supported devices
If you are using Centrify Identity Services for mobile device management, it
supports enrolling the following devices and computers:



An Android device running Android 4.0 or later

Samsung KNOX Workspace devices running KNOX Enterprise SDK
versions 1.x and KNOX 2.x. This includes transparent integration with the
Samsung Universal Mobile Device Management Client (UMC) and the
Samsung Enterprise Gateway.

An iOS device (for example, an iPhone, iPad, or iPod Touch) running iOS 9.0
or later. Devices using iOS 8 can still be enrolled and will be supported, but
they will need to use the 16.11 or earlier iOS 8 applications.

An Apple computer running OS X 10.8 or later

Windows 10 version 16.07 or newer
Foreign language support
Foreign language support is provided for the following components:

Centrify Identity Services user portal help

User portal text strings

Admin Portal text strings

Note: Not all of the languages listed below are available for the Admin Portal
text strings.
For the user and administrator portals, you select the language in the browser. For
example, to change the language in Firefox you click the Firefox drop-down
menu, click Options, and then click the Content tab. Click the Choose button to
select a different language. To change the language in Chrome, you click the
browser menu, click Settings, click Show Advanced Settings, and scroll down to
Languages to choose another language.
For the Centrify application, you select the language in the device settings.
In this release, translations are provided for the following languages:

Brazilian Portuguese

Chinese—Simplified and Traditional

French

German

Italian

Japanese

Korean

Portuguese

Russian

Spanish
Additional languages are being added over time—see the Release Notes for the
most recent additions.
Enabling read-only access for Centrify Identity Services support
Sometimes, the best way to solve a problem is to grant Centrify support read-only
access to your directory service account. You enable read-only access by selecting
a time period in the drop-down menu.
Note: Do not grant read-only access until you and your Centrify support
technician agree that it is the best approach to solving your problem. You and
the technician should also decide the appropriate time period before you grant
access.
When you select a time period, Centrify Identity Services automatically creates a
directory service user account named techsupport_aaannnn, where aaannnn is
your customer ID, creates a role named Readonly Administrator, and adds
the account to this role. This is the account the support technician uses to log in to
your administrator portal.
When the time period expires, this account is locked and future attempted logins
are blocked.
You can also use the Support option to terminate read-only access for the Centrify
technician before the time period expires. Click the drop-down menu and select
Remove Access. The directory service deletes the techsupport_aaannnn
account.
Adding Error Logging
Set this option to provide a detailed explanation when you receive an error
message from the directory service. Do not set this field unless you are repeatedly
encountering a generic issue which requires you to contact Centrify support. (The
case is rare that you need to set this option.) When you set the option, more
detailed information is generated for the error message that you can pass on to the
support technician.
Logging in to the user and administrator portals with silent authentication
If you have Integrated Windows authentication enabled on the Centrify Connector
(Integrated Windows authentication is enabled by default—see How to configure
Integrated Windows authentication for the details) and your browser is configured
properly (see How to configure browsers for silent authentication) you can log in
to Admin Portal without entering your Active Directory credentials. You simply
add your login suffix to the Admin Portal URL in the following format:
https://cloud.centrify.com/manage?customerID=<loginsuffix>
For example, if your Active Directory login name is bob.smith@bigcorp.com, you
would enter the following:
https://cloud.centrify.com/manage?customerID=bigcorp.com
Similarly, users with an Active Directory account can log in to the Centrify
Identity Services user portal with silent authentication. For example,
bob.smith@bigcorp.com would enter the following URL to log in to the user
portal:
https://cloud.centrify.com/my?customerID=bigcorp.com
See How to use login suffixes to learn about login suffixes.
Centrify Identity Services user portal overview
Users open the Centrify user portal to launch the web applications you assign to
them. In addition, they can use it to add web applications on their own (this feature
is policy-controlled and you can deny it to some or all users), review their
directory service activities, and, if you use Centrify Identity Services for mobile
device management, manage their devices.
See the user web portal online help for an overview.
Note: You can control which users can open the user portal and when. For
example, you can configure the user portal application so that only users in specific
roles can open it and they can open it only when they are on your organization’s
intranet. See Deploying the Centrify Identity Services User Portal application for
the details.
The user portal help also provides the user instructions for installing the Centrify
application on devices and enrolling devices in Centrify Identity Services.
Normally, you send users an invitation to get them started on the user portal.
However, users can open the user portal from their browser by entering the
following URL:
https://cloud.centrify.com/my
After they log in, the user portal opens to the Apps page, which lists all of the
web applications you have assigned to this user. The following image shows the
Apps page in the user portal populated with web applications.
Users click Help in the title bar to open the online help and use the drop-down
menu to reload privileges and, in Settings, select the default applications filter and
turn off device tracking for their devices.
Note: For administrator accounts only, the drop-down menu also includes an
option to switch from the user portal to the administrator portal.
Selecting an identity repository
Centrify Identity Services requires an identity repository for storing user data and
authenticating these users. You can use either or both of the following:


Centrify Directory: Centrify Identity Services includes this built-in identity
repository. With this option, we use the Centrify Directory account to
authenticate users and, if you are using the directory service for mobile device
management, to store the enrolled device records.
Active Directory/LDAP: Centrify Identity Services securely connects with
your existing Active Directory/LDAP infrastructure through the Centrify
Connector to authenticate users when they log in to the web portals and enroll
devices. Centrify Identity Services does not replicate Active Directory/LDAP
accounts or attributes in the directory service.
If your organization is heavily invested in Active Directory/LDAP, you can
continue to use it as your primary identity store and use the same tools (for
example, Active Directory Users and Computers) to manage users and mobile
devices. When you use Active Directory/LDAP, your users enter their Active
Directory/LDAP credentials to log in to the user portal and enroll devices.
You can use both identity stores simultaneously, too. For example, if you decide to
use Active Directory/LDAP as your primary identity store, the Centrify Directory
can provide a convenient supplemental repository for the following types of users:



Emergency administrators: If there is ever a network breakdown to the
Active Directory domain controller, no one with just an Active Directory/
LDAP account can log in. However, if you create administrator accounts in
the Centrify Directory, these users can still log in to Admin Portal and the user
portal and launch web applications.
Temporary users: Some organizations’ security policies make adding a
short-term user to Active Directory/LDAP a complex and time-consuming
task. If you have a temporary worker who needs access to just the applications
you deploy through the directory service, it may be simpler to add the account
to Centrify Identity Services.
Contractors or less-trusted users: Sometimes you do not want users to have
the full set of privileges and access rights an Active Directory/LDAP account
provides. In this case, you create the account in the Centrify Directory only.
To avoid users logging in to unintended repository accounts and other account
related confusion, we recommend that you do not create duplicate accounts (same
user name/password) in both the Centrify Directory and Active Directory/LDAP.
Authentication order
When Centrify Identity Services receives an authentication request, it checks the
ID repositories for the account name in the following order for the initial
successful login session:
1. Centrify Directory by name
2. Active Directory/LDAP user by user
3. Active Directory user by email
4. samAccountName
This ID repository check order applies only to the initial successful login
session, because browser caching and synchronization schedules between Active
Directory/LDAP and Centrify Identity Services can change the order for later
sessions.
Selecting a policy service
If you use Centrify Identity Services for mobile device management, you can use
either of two resources to set mobile device policies:


Admin Portal: You create policy sets and then link them to roles.
Windows Group Policy Management Editor: You create a group policy object
and link it to an Active Directory/LDAP organizational unit. You then
specify the organizational unit in the policy set that enables users to enroll
devices.
The directory service installs the policies on the role’s members’ devices only.
Both resources provide a comprehensive set of mobile device configuration
policies for managing iOS, Android, and Samsung KNOX devices. See "List of
device configuration policies" on page 1-1 for a summary of the policies provided.
Which service you should use depends upon which identity repositories you are
using.


If some of the users who will be enrolling devices have their accounts in the
Centrify Directory and others have their accounts in Active Directory/LDAP,
you must use the Centrify directory policy service to define policy sets for the
devices.
If all of your users who will be enrolling devices have their accounts in Active
Directory, you can use either the Windows Group Policy Management Editor
or the Centrify directory policy service.