An Overview of Samsung KNOX Active Directory-based Single Sign-On

Transcription

1 C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android mobile environment for selected Samsung mobile devices. One of the key features included with KNOX is Active Directorybased Single Sign-On. This new capability, developed by Centrify Corporation, addresses password sprawl, allows users to securely and seamlessly login to corporate applications and gives organizations centralized access control for web-based and mobile applications. This White Paper provides an overview of the Single Sign-On features and benefits and introduces how this unique capability works within the Samsung KNOX environment. Centrify Corporation PHONE: +1 (408) (North America & Worldwide) 785 N. Mary, Suite (0) (EMEA) Sunnyvale, CA (+61) (APAC) (Latin America) WEB

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Centrify Corporation. All rights reserved. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Other brand names used in this document are the trademarks or registered trademarks of their respective companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE II

3 Contents Contents... iii Introduction... 1 What is Samsung KNOX?... 1 Background on Centrify... 1 An overview of Samsung KNOX Active Directory-based Single Sign-On... 1 The benefits of Samsung KNOX Active Directory-based Single Sign-On... 2 The KNOX End User SSO Experience... 3 How Samsung KNOX Active Directory-based Single Sign-On works... 6 What you install on your internal network... 7 Using the Centrify Cloud Service and the Centrify Cloud Manager... 8 Configuring and deploying web-based Single Sign-On apps Configuring and deploying mobile applications to Samsung KNOX containers Using Samsung KNOX Active Directory-based Single Sign-On Using the MyCentrify web-based user portal Using the two Centrify mobile apps on a Samsung KNOX device Using SSO-enabled mobile apps running in the KNOX container Summary Where to go for more information How to Contact Centrify CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE III

4 Introduction What is Samsung KNOX? Samsung KNOX is a new Android-based solution specifically designed to enhance the security of the open source Android platform. KNOX is not a product or a single feature; instead it is a suite of enhancements for selected Samsung Android devices designed to address the needs of government and enterprise IT managers as well as employees. It is important to note that while many of these features are unique to the Samsung KNOX platform, Samsung has maintained full compatibility with Android and the Google ecosystem so that existing Android applications will continue to work on Samsung KNOX devices. Central to the KNOX experience is the ability to run corporate IT-approved apps in a secure application container completely isolated from the user s other apps and data on the device. This container can be centrally managed by the IT department while still giving the user the ability to run personal applications in the standard Android environment. Another major feature of Samsung KNOX is the ability to deploy and manage Single Sign-On (SSO) enabled applications. These applications can be web-based Software-as-a-Service (SaaS) applications such as Salesforce.com or Office 365 or they can be native Android apps that have been modified to work with the KNOX SSO service. A key feature of the KNOX SSO environment is its integration with Microsoft Active Directory, the most popular user and computer identity management system in use today. The SSO solution has been developed for Samsung by Centrify Corporation, a leader in crossplatform identity management solutions. Background on Centrify Centrify provides Unified Identity Services across data center, cloud and mobile environments resulting in a single login for users and a unified identity infrastructure for IT. Centrify's software and cloud services let organizations securely leverage their existing identity infrastructure to centrally manage authentication, access control, privilege management, policy enforcement and compliance across on-premise and cloud resources. More than 5000 customers have deployed Centrify across millions of computers, applications and mobile devices to increase agility and security. With Centrify, organizations are reducing the costs associated with identity lifecycle management and compliance by over 50%. Since releasing its initial product in 2005, Centrify has expanded its portfolio from one product to a suite of software and cloud services that span data center, cloud and mobile environments with comprehensive support for over 400 systems and 1,500+ applications. An overview of Samsung KNOX Active Directory-based Single Sign-On Samsung KNOX Active Directory-based Single Sign-On is a set of services that run on a KNOXenabled mobile device and remote systems that integrate and communicate with an Active Directory infrastructure CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 1

5 This Single Sign-On solution addresses password sprawl by providing users with an automated login experience while also giving organizations centralized control over access to web-based and mobile applications. Users will appreciate the simplicity of single sign-on and the self-service features that let them locate, lock, or wipe their mobile devices plus the ability to reset their Active Directory passwords. Administrators will appreciate the easy-to-deploy cloud-based service that delivers access control and visibility to application usage in addition to seamless integration with Microsoft Active Directory. Samsung KNOX Active Directory-based Single Sign-On decreases the cost of deploying and managing web-based and mobile applications while at the same time improving user adoption, satisfaction, security and productivity. The benefits of Samsung KNOX Active Directory-based Single Sign-On Samsung KNOX Active Directory-based Single Sign-On provides the IT administrator with control and flexibility in deploying web-based and mobile applications to users in the organization. With Samsung KNOX Active Directory-based Single Sign-On, an organization can: Enhance users productivity: Users can now go to a single portal to get one-click access to all of their web-based applications. Users experience less frustration, more satisfaction and more productivity by not having to remember multiple passwords to get their work done. Security and peace of mind increase as users no longer store passwords in non-secure locations or use passwords that are easy to remember but that don t meet corporate security guidelines. Users no longer have to remember passwords for every application Reduce your helpdesk burden: As much as 40% of IT helpdesk call volume can be related to password or account reset issues. Users lose productivity and experience greater frustration while IT experiences increased unnecessary expense. Samsung KNOX Active Directory-based Single Sign-On can quickly lower costs by gains in improved user productivity and reduce Web-based account or password reset calls by as much as a 95% CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 2

6 Improve security: According to the 2012 Verizon Data Breach Investigations Report, five of the top six attack vectors were focused on users passwords accounting for the majority of data breaches. Samsung KNOX Active Directory-based Single Sign-On reduces or eliminates the use of passwords for authenticating to users applications through the use of secure single sign-on. Additionally, access to all applications can be removed by simply disabling a user s Active Directory account when necessary. When using Samsung KNOX Active Directory-based Single Sign-On there are fewer passwords and password storage locations making the Samsung mobile device more secure. Improve IT visibility and control: Every organization s web-based application represents yet another set of identity and access control challenges. By controlling access to applications through Samsung KNOX Active Directory-based Single Sign-On and centrally authenticating users with their Active Directory identity, IT admins gain visibility into the history and usage patterns of applications, which allows further refinement of who needs access to which applications. When a person leaves an organization, access to all business-critical applications can be easily and quickly shut down. And unlike other solutions, Samsung KNOX Active Directory-based Single Sign-On does not duplicate existing identity data into the cloud and out of an organization s control it maintains an organization s identity inside Active Directory, keeping data more secure and centrally controlled. Reduce compliance overhead: With easy and thorough reporting on who has access to which applications and what each user did with that access privilege, compliance with regulations and industry best practices can more quickly be shown freeing up expensive IT resources to deliver on projects that are important to an organization s bottom line. Leverage existing infrastructure and skill sets: By providing the industry's tightest integration of web-based and mobile applications with Microsoft Active Directory, an organization can more cost-effectively deliver SSO and security because it can leverage existing technology, skill sets, and processes associated with an Active Directory environment. The KNOX End User SSO Experience When users enroll a device into Centrify s Cloud Service, the device is joined to the corporate Active Directory domain, the secure KNOX container is created and a certificate-based trust is established between the KNOX container, the user and Active Directory. This certificate is used to authenticate the user of the device with the cloud service, validate that the user has a current Active Directory account and look up the user s roles in order to know which applications the user will be allowed to run. With this trust in place, secure single sign-on is then possible. In fact, this experience could be described more aptly as Zero Sign-On since a certificate is used to authenticate access to applications rather than requiring the user to enter credentials. Before providing more details on how this SSO solution works on Samsung KNOX it is worth highlighting what end users will experience on their Samsung KNOX devices. There are two types of SSO-enabled apps available to users: web-based SaaS apps and native mobile apps CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 3

7 Web-based Single Sign-On Apps Administrators and end users can setup and deploy web-based or SaaS single sign-on applications for use inside the Samsung KNOX container using Centrify s cloud-based tools. These web-based apps are listed in the Centrify for KNOX native app that runs inside the KNOX container. Users simply go into the KNOX container (after providing their KNOX password), click on the Centrify for KNOX app, select the app they want to run and they are instantly taken to the app in their browser. The KNOX SSO Service handles authenticating the user using his or her certificate and allows role-based access based on the SSO parameters setup in the Centrify Cloud Service. Steps to run Office 365 web-based SSO-enabled app in a Samsung KNOX container 2013 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 4

8 Native Mobile Single Sign-On Apps Centrify s solution also supports adding SSO capabilities to native Android apps that run in a Samsung KNOX container. Once a native Android app is modified to take advantage of the protected KNOX container environment and enhanced to support the KNOX SSO service, both users and IT administrators can deploy these approved apps into the KNOX container using Centrify s cloud-based tools. And again, the end user experience is extremely straight forward. Users go into the KNOX container, where they will see the apps that have been deployed using the Centrify cloud-based tools. Users click on the native app and they are instantly taken to an app session without having to login or provide credentials. Certificate-based authentication is handled through the Centrify SSO APIs which call the KNOX SSO Service. Steps to run Box native Android SSO-enabled app in a Samsung KNOX container 2013 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 5

9 Both classes of SSO apps run within the secure KNOX container and relieve the user of having to remember complex password for each app, or worse, use easily-remembered weak or common passwords. This is a win-win solution for organizations since one application simultaneously increases both user productivity and corporate application security. How Samsung KNOX Active Directory-based Single Sign-On works Samsung KNOX Active Directory-based Single Sign-On uses Microsoft Active Directory to centrally manage policies for accessing and authenticating web-based and mobile applications. Samsung KNOX Active Directory-based Single Sign-On is a complete security and SSO solution that is delivered by way of the Centrify Cloud Service. Users can access web-based or SaaS applications from the Centrify user portal or Centrify for KNOX app, based on their identity and role. Mobile applications are deployed into the KNOX container based on roles and policies established by IT management. The Centrify Cloud Service provides secure communication from an on-premise computer with Active Directory to web-based applications accessed from the Centrify user portal. The Centrify Cloud Service facilitates secure SSO and controls access to an organization s web-based applications by acting as a security token service. In addition, SSO-enabled versions of mobile apps can be deployed within the Samsung KNOX container and use the same SSO service for authentication. As a security token service, the Centrify Cloud Service authenticates users to the Centrify user portal with Kerberos, SAML, or an Active Directory user name and password. Once a user unlocks his or her KNOX container, PKI credentials are used to enable strong secondary authentication to the Centrify Cloud Service. A SAML, Oauth or OpenID Connect token is then generated which enables user access to SSO-enabled applications. The Centrify Cloud Proxy Server is a simple Windows service that runs behind a firewall and provides real-time authentication, policy, and access to user profiles without synchronizing an organization s data to the cloud. Organizations maintain control of their valuable Active Directory data while providing a common-sense user experience. The Centrify Cloud Manager provides a single, easy-to-use tool to administer application access, mobile devices, and user profile changes. Also, this tool can be used to report and monitor all webbased and mobile activity. Not only does this improve security and compliance through improved visibility, but also lowers administrative complexity by reducing the number of solutions with different monitoring and reporting interfaces or integrations. Administrators can quickly audit all administrative and user activities. In the Centrify user portal, a user clicks a simple link to a web-based app and the Centrify Cloud Service logs the user in to the app. The Centrify portal provides multiple self-service options for users to update their Active Directory profiles and remotely administer their mobile devices CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 6

10 Here s how the main components in the Samsung KNOX Active Directory-based Single Sign-On architecture work together: An overview of the Active Directory-based Single Sign-On Architecture In addition, the Samsung KNOX Active Directory-based Single Sign-On solution extends SSO capabilities to native Android apps which run in the secure Samsung KNOX environment. These apps have been modified to take advantage of the KNOX SSO APIs and can only be run in the Samsung KNOX application container. What you install on your internal network The Samsung KNOX Active Directory-based Single Sign-On solution requires very little in the way of additional software or services in order to function correctly with a KNOX-enabled device and an existing Active Directory installation. The process begins by installing the Centrify Cloud Management Suite in an organization s internal network, and this installs the following items: Centrify Cloud Proxy Server: The Centrify Cloud Proxy Server is a process that runs on a host computer with internal connections to an Active Directory server and external internet connections. This server manages communications between Active Directory and the Centrify Cloud Service. No changes are required to an existing internal Active Directory environment and Active Directory continues to be used to create and manage users, groups and devices CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 7

11 Centrify Cloud Proxy Server configuration application: The Centrify Cloud Proxy Server configuration application provides a user interface that configures the Centrify Cloud Proxy Server. Active Directory Users and Computers console extension: If the organization is planning on using the Centrify Cloud Management Suite for mobile device and container management, then an Active Directory console extension is installed which provides additional properties and commands for managing mobile devices. This console extension lets administrators use the existing Active Directory infrastructure and familiar tools to manage mobile users and devices. It adds two tabs to a device s Properties display and a single tab to each mobile user s Properties display. The tabs in the device Properties display mobile device-specific information and applications installed on the device. The user Properties tab lists the devices enrolled by that user. In addition, this extension adds a series of mobile device and Samsung KNOX container commands for example, lock and unlock the container that can be sent to one or more devices from the Active Directory Users and Computers console. Group Policy console extension: Again, if the organization is planning on using the Centrify Cloud Management Suite for mobile device and container management, additional group policies for mobile devices and Samsung KNOX containers are installed. This is an Active Directory group policy console extension with a comprehensive set of group policies that can be used to configure and control mobile devices. Familiar tools are used to create group policy objects for the mobile devices. The cloud service then automatically installs the policies on the devices. NOTE: Neither extension modifies Active Directory they are both console extensions only. After the above components have been installed, the Centrify Cloud Manager can be accessed. Using the Centrify Cloud Service and the Centrify Cloud Manager The Centrify Cloud Service is a multi-tenanted service that provides secure communication from an on-premise Active Directory environment to mobile devices. The Centrify Cloud Service is hosted in Centrify s secure datacenter. Each organization must register with Centrify in order to enable the cloud services that manage communications between the organization s Active Directory environment and managed mobile devices. This communications channel is used for secure user authentication and device management controls such as installing group policies, sending commands to individual or groups of devices, and deploying applications to specific sets of users. The Centrify Cloud Manager is the Centrify Cloud Service administrator tool. Administrators use Centrify Cloud Manager to configure cloud service settings, deploy applications, manage users and devices and monitor cloud service activities. The Centrify Cloud Manager is also used to define roles for users and administrators. User roles define which applications are deployed to which users. Access control and configuration for SSO-enabled apps are also managed through this tool. Deploying SSO access to an application in the Centrify Cloud Manager is straightforward. Below is a brief overview of the process. 1. Apps are added in the Centrify Cloud Manager Apps page by selecting apps from the Centrify Cloud Manager App catalog CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 8

12 2. Once an app is added it can be modified to configure the application settings, such as how authentication takes place (e.g. username and password or SAML-based SSO). 3. One or more roles are then assigned to the application to control who can have access to the application. For each role, an application can be deployed as automatic or optional. An automatic install makes the application appear in the users Centrify portal by default. An optional install makes the application available to be added by each user. A tool is provided to allow administrators to create or modify roles. Once a role is created, the admin can assign Active Directory users and groups to roles as needed. After a role has been assigned to the application, the application state changes to deployed and the assigned users can access the application. The Centrify Cloud Manager user interface provides multiple views into an organization s applications, role access and activity, and allows changes to be made. Use the Apps page to see all the applications that have been added and deployed. An application s settings or user access options can also be modified. Use the Roles page to add, modify, or delete roles. Active Directory users and groups can be added to roles. Roles can be assigned to applications to control access to those applications. Use the Users page to view all users who ve logged in at least once and to specify login exceptions for specific users and applications. The Devices page lists all managed KNOX devices. If the Centrify User Suite SaaS Edition has been licensed for other platforms, Android, ios and Mac devices joined to the domain are also listed. The Dashboards provide multiple views into recent application, user, and device activity. In the User Activity view, top users and recently logged-in users can be seen. The Device Activity view displays information about users mobile device usage. In the App Activity view, an IT administrator can see which applications are getting used the most. Use the Settings page to check the status of proxy servers and other settings. Centrify Cloud Manager 2013 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 9

13 Configuring and deploying web-based Single Sign-On apps When an application is deployed, the IT admin configures how KNOX grants access to that application for users. There are some options for how users SSO access to web-based applications can be provided. User account mapping options The first choice involves how Active Directory accounts are mapped to the application user accounts. Depending on the application, there are the following options: Use an Active Directory field: Use this option if the user accounts are based on Active Directory user names. Specify an Active Directory field such as mail or userprincipalname. Everyone shares the same user name and password: Use this option if access to an account is to be shared but the user name and password are not. For example, some people share an application developer account. User provides the user name and password: Use this option if the application user accounts are not related to Active Directory and each user has his or her own login information. The user enters the user name and password the first time that he or she launches the application from the Centrify portal or app. The Centrify Cloud Service retains the login information so that the user doesn t have to try to remember it or store it in a non-secure location. Login script: The user account mapping can be customized by supplying a custom script to generate the user account login name. Application types There are also different kinds of applications that can be added and deployed to users. The Centrify App Catalog lists the name and application type for each application. Web application with user name and password authentication: Some web applications are configured for user name and password authentication only. This option is used if either the application only supports user name and password authentication or if the application is not going to be configured for SAML SSO at this time. Web application with SAML authentication: This option is used if the application account has SAML SSO as an option and the application will be configured to use SAML SSO. Bookmark application: The option is simply a link to the URL of the application but doesn t provide any login authentication mechanism. A bookmark application can be used to provide a convenient link to an internal application available to users. Add the Generic Bookmark application to the list of applications, and then configure the application with the desired application URL CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 10

14 SAML SSO options There are also options for applications that support SAML authentication. Different applications provide different authentication options. The main choices are: Identity Provider (IdP)-initiated only Service Provider (SP)-initiated only IdP-initiated or SP-initiated The Identity Provider (IdP) is a service such as the Centrify Cloud Service which provides a way to authenticate users securely. A Service Provider (SP) is the provider of the web application, such as Salesforce, Office 365 or Google Apps; the service provider uses the SAML tokens produced by the IdP. Samsung KNOX Active Directory-based Single Sign-On works with both IdP-initiated and SP-initiated SAML SSO. If the application provider offers both IdP-initiated and SP-initiated SAML SSO, choose which one to use and configure the application accordingly. Here are some things to consider: In most cases, if IdP-initiated SAML SSO is deployed, users can still access the application directly using their user name and password. If SP-initiated SAML SSO is deployed, users are redirected to the MyCentrify portal if they attempt to log in directly to the web application. Some applications prevent user name and password logins. Configuring and deploying mobile applications to Samsung KNOX containers This section describes how to deploy mobile applications to the Samsung KNOX container. As with deploying web-based apps, mobile applications are deployed to Samsung KNOX containers using the Centrify Cloud Manager; however, there are some procedural differences. Note the following important points about deploying mobile applications for use in a Samsung KNOX container: In order for a mobile application to use SSO inside of a Samsung KNOX container, the mobile application vendor must use the Centrify Samsung SDK to enable their mobile application for SSO inside the Samsung KNOX container. Not all applications are appropriate for SSO; for example, a SSO is not needed for an application that does not require a login (such as a clock, for example). Before an Android application can be deployed for the Samsung KNOX container, the mobile application must be signed by Samsung, Centrify, or another MDM/MCM vendor in a process referred to as App wrapping, (also known as Redexing). Only mobile applications that have been wrapped can be installed into the Samsung KNOX container CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 11

15 When deploying a Samsung KNOX-wrapped mobile application, use the Android InHouse application from the Centrify app catalog. Google Play applications cannot be deployed into the Samsung KNOX container. When deploying a Samsung KNOX-wrapped mobile application that is also configured for SSO, a corresponding SAML application must also be deployed to the same set of users who get the mobile application. Using Samsung KNOX Active Directory-based Single Sign-On Samsung KNOX users have three ways to use Active Directory-based Single Sign-On enabled applications: 1. MyCentrify web-based user portal: Users can gain access to approved SSO-enabled web applications by going to the MyCentrify portal using a browser from any internet-connected device. An Active Directory username and password is required to enter the portal. Clicking the app from the list launches the app in the browser and the SSO service authenticates the user without the need to provide a username or password for each application. This portal can also be used for deploying optional apps, managing devices and provides the user with a number of selfservice administrative functions, such as changing the user s Active Directory password. 2. Centrify for KNOX app: The Centrify for KNOX app is installed in the user s KNOX container and is used to access and run all authorized web-based applications. Users who enter their KNOX password to start the KNOX environment receive a certificate-based token which allows the Centrify for KNOX app to run without the user being prompted for a password. Users can then run web-based apps by simply selecting the app from the list, again without needing to provide login credentials. There is also a Centrify app that runs in the standard Android environment on a Samsung KNOXcapable device. This app is used to configure the SSO and Active Directory integrated experience including enrolling the device in the Centrify Cloud Service. Once enrolled, the service then issues PKI Certificates that identify the user and the device to the cloud service. These certificates enable strong mutual authentication of the device to the cloud service for all subsequent communications to ensure that the device is communicating with the trusted security service provider. The Centrify Cloud Service can then both manage the device and the KNOX Container security policies (depending on the Group Policy configuration chosen by the administrator) as well as provide Zero Sign-On services. 3. SSO-enabled mobile apps running in the KNOX container: Users and administrators can also deploy special versions of popular native Android apps that have been modified to run in the KNOX environment and use the KNOX SSO APIs. These apps run just like standard Android apps except they support SSO, meaning users do not have to enter their credentials to access the app. The following sections provide more details on each of these three options CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 12

16 Using the MyCentrify web-based user portal Users first log in to MyCentrify, their single portal that provides access to their web applications, their mobile devices, and their Active Directory account profiles. The MyCentrify portal is delivered through the Centrify Cloud Service. MyCentrify web-based user portal The MyCentrify portal provides users a single location from which they can access all of their business web applications. Also, users can access their web applications without having to enter a separate user name and password each time they need to access an application. Users can also easily organize their web applications with tags that they create. Administrators can empower users with Samsung KNOX Active Directory-based Single Sign-On by providing them with a simple, self-service portal where they can change their network password and update their personal information that is stored in Active Directory. Users can also easily manage their own devices, track the location of their devices, and remotely lock or wipe data from those devices in cases of loss or theft CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 13

17 Using the two Centrify mobile apps on a Samsung KNOX device There are two Centrify mobile apps that run on a Samsung KNOX device. The first Centrify app, simply called Centrify, gets installed from the Google Play store and runs in the standard Android environment. This app is used for: enrolling and unenrolling the device in the Centrify Cloud Service and Active Directory creating the KNOX container establishing the certificate-based trust between the cloud service, the device and the user, which enables the SSO experience reviewing and setting up mobile apps and app updates that get installed in the KNOX container reviewing and deploying centrally-managed policies for both the device and the container. Once a mobile app is listed and installed via this tool, it appears as an installed mobile app in the KNOX container. The second Centrify app, called Centrify for KNOX, runs exclusively in the KNOX container. This mobile app is installed from the Samsung KNOX Apps store and is used to access web-based, SSOenabled applications that have been setup by the user or the IT administrator using the Centrify Cloud Manager or the MyCentrify web-based user portal. Users run these SSO-enabled web apps by simply selecting the app from the list that is displayed. Centrify app for Android Centrify for KNOX app for KNOX Container 2013 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 14

18 Using SSO-enabled mobile apps running in the KNOX container The third way to run SSO-enabled apps in the KNOX environment is to execute a special class of native Android apps in the KNOX container environment. These apps are special in two ways. First, the app has been put through a process to digitally sign the app to allow it to run in the KNOX container environment. This signing process, which can be done by Samsung, Centrify or other MDM vendors, ensures that the app is safe and approved to run in the KNOX container environment. Only Android apps that have been put through this process can run in the KNOX container. Other standard Android apps cannot be installed in the container to decrease the possibility of a rogue app introducing malware into the container. The second characteristic of this class of mobile applications is the support for SSO. These apps have been modified by the app vendor to incorporate and take advantage of Centrify s SSO APIs that are a unique feature of the KNOX environment. By adding certificate-based SSO capabilities to a mobile app, the user no longer needs to enter a username and password to use the app but instead is automatically authenticated by the Centrify Cloud Service. This relieves the user of the burden of remembering passwords for each app and also gives access control to the IT administrator who can turn access to the mobile app on or off. Box and DropBox are examples of SSO-enabled KNOX apps 2013 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 15

19 Summary This concludes the overview of the Samsung KNOX Active Directory-based Single Sign-On capabilities. This unique capability not only helps users to be more productive and secure but also provides IT management with powerful tools for controlling access to important IT applications and data. Centrify also provides Single Sign-On products for a number of mobile platforms. For more information on these products, visit the Centrify web site or contact a Centrify sales representative. Where to go for more information For more information, please review the documentation and help pages for the various components of the Samsung KNOX Active Directory-based Single Sign-On solution: The Samsung KNOX Active Directory-based Mobile Container Management and Single Sign-On Installation and Configuration Guide provides the installation and configuration instructions for two solutions from Centrify that are part of Samsung KNOX. o Samsung KNOX Active Directory-based Mobile Container Management: A comprehensive suite that simplifies user authentication, mobile device and Samsung KNOX container management, and application deployment. o Samsung KNOX Active Directory-based Single Sign-On: An easy-to-integrate solution that provides silent authentication for applications opened from within the Samsung KNOX container. The Centrify Cloud Manager online help provides task-oriented information for administrators who need to modify applications, manage roles and users, and configure settings in the Centrify Cloud Manager. To open this, click Help from the user name menu in the Centrify Cloud Manager. The Centrify Cloud Manager Application Configuration help provides specific details for configuring each kind of application individual web-based applications for SSO, user-password applications, and mobile applications. To open this, click the Help link from an application in the App Catalog or an Application Settings dialog box. The MyCentrify help provides task-oriented information for users to navigate and launch their deployed applications, view their activity, manage their own mobile devices, and specify some Active Directory settings. To open this, click Help from the user name menu in the MyCentrify user portal. For more information on Samsung KNOX visit the All Things KNOX Resource Center at: CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 16

20 How to Contact Centrify Worldwide Headquarters Centrify Corporation 785 N. Mary, Suite 200 Sunnyvale, CA United States Product & Sales Information North America: +1 (408) EMEA: +44 (0) APAC Latin America: Phone: +1 (408) Online: CENTRIFY CORPORATION. ALL RIGHTS RESERVED. PAGE 17