API Guide

The following figure shows the components of Centrify Identity Platform. Subsequent sections describe these components in detail.

User stores

Identity Platform provides a built-in user directory — Cloud User Service — that you can access through the API for user provisioning. See Creating users for information on how to call the API to add, modify, and delete users for your application in Centrify User Service.

You can also connect to an existing Active Directory or LDAP store, instead of, or in addition to, using Centrify Cloud Directory. When using an external user store, such as AD, you add, modify, or delete users directly in Active Directory/LDAP, which requires no calls to the REST API. Using generic user functions shows how to make AD/LDAP users available to Identity Platform.

Authentication engine 

The Authentication Engine leverages Active Directory, LDAP, the Cloud Directory, or a combination of these services, to manage authentication and access to apps, servers and infrastructure, shared accounts, and user devices. All calls to the API require authentication. See Generating authentication cookies for details and Authenticating users for details on how to implement authentication with the API.

Integrated into the authentication engine is multifactor authentication (MFA), which allows you to implement additional authentication requirements through SMS, voice call, security question, email, single-tap one-time passcode, or automated push notification to mobile devices.

Multifactor authentication (MFA) and policy engine

Policies allow fine-grained control over the following areas of the cloud service:

  • Mobile device policies  — Control device management and enrollment. Note that the policy API exposes access to capabilities that are specific to particular manufacturers, for example,  iOS and Samsung.        

  • Account security policies  — Manage account security, including password reset and password requirements such as length and complexity. The policy engine also supports setting and enforcing multifactor authentication, that is, requiring users to provide additional authentication, such as a code retrieved from a text message or email.

  • Application policies  — Specify whether users are allowed to add applications to their devices.

  • Resource management policies  — Control access to network resources in Privilege Service .        

The policy API also allows you to enhance simple MFA by implementing strong authentication for specific apps, servers and accounts, or other infrastructure.

Reporting engine

The reporting engine provides a number of built-in reports that allow administrators to obtain detailed information about users, applications, devices, and so on. However, the real power behind the reporting engine is the query interface that allows you to provide a completely flexible user interface for designing and building custom reports.

See Using queries for details.

Secure data storage

The Centrify Cloud Service is a true multi-tenant data architecture, with per-tenant encryption, hosted on Microsoft Azure. Depending on your needs, you can choose from additional options for different levels of data and compute isolation in the Centrify Cloud

A security overview of the Centrify Cloud describes the overall architecture of Centrify Identity Platform, including details about the security architecture.