A key component of the Centrify Identity Services ecosystem is a set of Core Services that form the secure foundation for all other services and features to provide the next dimension of security for the hybrid enterprise. The core services provide the underpinnings for managing users, roles, policies, reports, and access requests.
User identity and directory service
One of the core services for managing users is a built-in directory service—the Centrify directory service. You can use API calls to access the service programmatically to perform common tasks such as user provisioning. See Create and Manage Cloud Directory Users for information on how to call the API to add, modify, and delete users for your application in the Centrify User Service.
You can also connect to an existing Active Directory, LDAP, or Google identity store, instead of, or in addition to, using the Centrify directory. If you are using an external identity store, such as Active Directory, you add, modify, or delete users directly in the external identity store using the appropriate tools provided by that identity store. For example, if you manage users using Active Directory, calls to the REST API are not required. However, you can use generic user functions to make users from an external identity store available to other Centrify identity services. For more information, see Generic User Functions.
The authentication engine leverages Active Directory, LDAP, the Centrify directory, or a combination of these services, to manage authentication and access to applications, servers and infrastructure, shared accounts, and user devices. All calls to the API require authentication. See Authentication Cookies for details of the session cookies the API issues, and Authenticating Users for how to implement authentication with the API.
Integrated into the authentication engine is multi-factor authentication (MFA), which allows you to implement additional authentication requirements through SMS, voice call, security question, email, single-tap one-time passcode, or automated push notification to mobile devices.
Policies and multi-factor authentication (MFA)
Policies allow fine-grained control over the following areas of the cloud service:
- Mobile device policies — Control device management and enrollment. Note that the policy API exposes capabilities that are specific to particular platforms or manufacturers, for example, iOS and Samsung.
- Account security policies — Manage account security, including password reset and password requirements such as length and complexity. The policy engine also supports setting and enforcing multi-factor authentication, that is, requiring users to provide additional authentication, such as a code retrieved from a text message or email.
- Application policies — Specify whether users are allowed to add applications to their devices.
- Resource management policies — Control access to network resources in Privilege Service.
The API also allows you to go beyond simple MFA by implementing strong authentication for specific apps, servers, accounts, or other infrastructure.
The reporting engine provides a number of built-in reports that allow administrators to obtain detailed information about users, applications, devices, and so on. However, the real power behind the reporting engine is the query interface, which lets you build a fully flexible user interface for designing and running custom reports. For details, see Use Queries.
The core services enable you to define request and approval workflows for access to applications, privileged accounts, or roles with elevated privileges.
Secure data storage
The Centrify Identity Services security architecture includes per-customer encryption, distributed storage, and redundancy. Depending on your needs, you can choose from additional options for different levels of data storage and isolation.
For details about the security architecture, see Centrify security overview.