True SSO

Participant II
Posts: 6
Registered: 3 weeks ago
#1 of 8 362
Accepted Solution

True SSO

I would like to see Centrify allowing true SSO where I can create a link to a webapp on a user's desktop and a user can click on the link and be SSO'd into the webapp without having to sign into the Centrify portal. I heard about a zero-signon option but users will still have to sign into the portal. We need a way for people to authenticate easily without having to log in all the time to reduce the number of steps it takes to get to apps.

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#2 of 8 354

Re: True SSO

@8172017714,

 

Welcome to the Centrify community.

 

What you're asking is absolutely doable.  This really depends how your deployment is architected.  The Centrify cloud can offer several options.

 

  • For on premises users, you can leverage integrated Windows Authentication.  This means that an employee at their desk that is authenticated to AD, provided that their browser is configured correctly and the application supports SP-initiated SSO, will be able to log in directly to the app just by clicking on a link to it.
  • For users that may not be on premises, they can leverage our Mobile, Windows and Mac ability to leverage Centrify's Zero Sign-on.  In this model, the endpoint or system is enrolled to the Centrify platform establishing a PKI exchange. 

The resulting experience with Zero Sign-on is as follows:

 

I hope this is clear enough.  Discuss with your Centrify/Idaptive lead on this topic, I'm sure they'll be happy to help.

 

R.P

 

 

 

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 6
Registered: 3 weeks ago
#3 of 8 347

Re: True SSO

Thanks for that. My only issue is how do I get IWA to work. I installed the cert. Turned on IWA authentication in the login policy, but no matter what I still can't get it to work. Any easy instructions on how to set it up in the browser for Windows 7, 10? Chrome, Firefox and IE.
Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#4 of 8 344

Re: True SSO


@8172017714,

 

Are you a commercial customer?  This is one of the topics covered in the jumpstart.

Here's the help topic on all browsers:  How to configure browsers for silent authentication.

 

Things to keep in mind:

  • IWA (SPNEGO) service is to provide Kerberos-based SSO while on premises or over VPN.  If you are outside the network you will be challenged.
  • Make sure you're trusting the proper certificate.  You want to trust the internal CA cert (IWA Root cert), NOT the connector cert.
  • Connector placement (with relationship to domain controllers/global catalog) and end user is important in this scenario.
  • Firefox has its own internal certificate repository.
  • If things are done correctly, for IE, Edge and Chrome, this should be almost automatic.

 

R.P

 

Participant II
Posts: 6
Registered: 3 weeks ago
#5 of 8 340

Re: True SSO

Yes I am a commercial customer. I see the how to, but I do not know where to actually change the settings. The link below shows me what to change but not where to change it.

https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.centrify.com_Content_CoreServices_Authenti...
Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#6 of 8 338

Re: True SSO

@8172017714,

 

Are you expanding the subsections?

 

Here's what I see:

expanded.PNG

 

?

 

About to get into many back-to-back meetings, so let's see if another volunteer can help here.

 

R.P

Participant II
Posts: 6
Registered: 3 weeks ago
#7 of 8 269

Re: True SSO

Ok, I found a solution. You were right about IWA service being used for SSO. The issue that I kept running into was the IWA feature not working. After further research and help I realized that the corporate IP address wasn't the same anymore due to us implementing a new Web Gateway. Centrify recognizes the public IP address of the new web gateway service, and I had to put the vendor's IP ranges in the corporate IP range area to get IWA to work correctly.

 

Now it works while on the network and over VPN. 
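
The fix described in the post above can be checked ahead of time by comparing the public source addresses of logins against the configured corporate ranges. The following is an added example, not part of the original thread or Centrify's own tooling; the range lists, login records and function names are constructed, and it assumes the service treats a login as on-network only when its public source IP falls inside a listed corporate range.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation addresses), not from the thread.
CORPORATE_RANGES = ["198.51.100.0/24"]   # ranges listed before the gateway change
GATEWAY_RANGES = ["203.0.113.0/25"]      # hypothetical egress ranges published by the gateway vendor
# Constructed records: (user, public source IP as seen by the cloud service)
LOGINS = [
    ("alice", "198.51.100.14"),
    ("bob", "203.0.113.20"),
    ("carol", "203.0.113.77"),
    ("dave", "192.0.2.45"),
    ("erin", "203.0.113.200"),
]

def _nets(cidrs):
    # strict=True rejects entries with host bits set, a common typo in range lists
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def classify(ip, corporate, gateway):
    """Return which list, if any, covers a login's public source address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(corporate)):
        return "corporate"
    if any(addr in n for n in _nets(gateway)):
        return "gateway_not_listed"
    return "external"

def audit(logins, corporate, gateway):
    """Group users by classification and list gateway ranges still to be added."""
    report = {"corporate": [], "gateway_not_listed": [], "external": []}
    missing = set()
    for user, ip in logins:
        label = classify(ip, corporate, gateway)
        report[label].append(user)
        if label == "gateway_not_listed":
            addr = ipaddress.ip_address(ip)
            missing.update(str(n) for n in _nets(gateway) if addr in n)
    report["ranges_to_add"] = sorted(missing)
    return report

if __name__ == "__main__":
    before = audit(LOGINS, CORPORATE_RANGES, GATEWAY_RANGES)
    after = audit(LOGINS, CORPORATE_RANGES + before["ranges_to_add"], GATEWAY_RANGES)
    print("before:", before)
    print("after: ", after)
```

Vendor egress ranges may be shared with the vendor's other customers, so listing them as corporate can mark more than your own traffic as on-network.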

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#8 of 8 265

Re: True SSO

@8172017714,

 

Outstanding!  Thanks for coming back and updating the community on your results!

This way everyone benefits.

 

R.P
