Centrify Identity Services API

Centrify Identity Services provide a secure platform for managing application access, endpoints, and your network infrastructure and an ecosystem for producing adaptive analytics, auditing of user activity, and built-in and custom reports.

Core Services

A key component of the Centrify Identity Services ecosystem is a set of Core Services that form the secure foundation for all other services and features to provide the next dimension of security for the hybrid enterprise. The core services provide the underpinnings for managing users, roles, policies, reports, and access requests.

The following figure illustrates how the core services and secure data storage act as the base for all other services.

To see more information, click the following links:

User identity and directory service

One of the core services for managing users is a built-in directory service—the Centrify directory service. You can use API calls to access the service programmatically to perform common tasks such as user provisioning. See Creating users for information on how to call the API to add, modify, and delete users for your application in Centrify User Service

You can also connect to an existing Active Directory, LDAP, or Google identity store, instead of, or in addition to, using the Centrify directory. If you are using an external identity store, such as Active Directory, you add, modify, or delete users directly in the external identity store using the appropriate tools provided by that identity store. For example, if you manage users using Active Directory, calls to the REST API are not required. However, you can use generic user functions to make users from an external identity store available to other Centrify identity services. For more information, see Using generic user functions.

Role-based authentication

The Authentication engine leverages Active Directory, LDAP, the Centrify directory, or a combination of these services, to manage authentication and access to applications, servers and infrastructure, shared accounts, and user devices. All calls to the API require authentication. See Generating authentication cookies for details and Authenticating users for details on how to implement authentication with the API.

Integrated into the authentication engine is multi-factor authentication (MFA), which allows you to implement additional authentication requirements through SMS, voice call, security question, email, single-tap one-time passcode, or automated push notification to mobile devices.

Policies and multi-factor authentication (MFA)

Policies allow fine-grained control over the following areas of the cloud service:

  • Mobile device policies — Control device management and enrollment. Note that the policy API exposes access to capabilities that are specific to particular manufacturers, for example, iOS and Samsung.
  • Account security policies — Manage account security, including password reset and password requirements such as length and complexity. The policy engine also supports setting and enforcing multifactor authentication, that is, requiring users to provide additional authentication, such as a code retrieved from a text message or email.
  • Application policies — Specify whether users are allowed to add applications to their devices.
  • Resource management policies — Control access to network resources in Privilege Service.

The API also allows you to enhance simple MFA by implementing strong authentication for specific apps, servers and accounts, or other infrastructure.


The reporting engine provides a number of built-in reports that allow administrators to obtain detailed information about users, applications, devices, and so on. However, the real power behind the reporting engine is the query interface that allows you to provide a completely flexible user interface for designing and building custom reports. For details, see Use Queries.

Access requests

The core services enable you to define request and approval work flows for access to applications, privileged accounts, or roles with elevated privileges.

Secure data storage

The Centrify Identity Services security architecture includes per-customer encryption, distributed storage, and redundancy. Depending on your needs, you can choose from additional options for different levels of data storage and isolation.

For details about the security architecture, see Centrify security overview.

Applications, endpoints, and infrastructure services

In addition to the core services, you can use the Centrify REST API create, retrieve, update, and delete information for applications, endpoints such as mobile devices, and privileged accounts and network resources. You can use the API to access and manipulate information all of the objects, features, and functionality provided by Centrify services for which you have entitlements.

Getting access to the API

Before you can use the Centrify Identity Services API to explore and experiment, your organization must be subscribed to at least one Centrify service. If you have access to a Centrify Identity Services customer-specific URL, you can browse functions and use the API in custom scriptts and applications.

Additional access options for developers

If you plan to make extensive use of the identity service API, you might want to join the Centrify Developer Partner Program to get access to additional development resources.

If you do not have access to a customer-specific URL but are an independent software vendor and want to set up single sign-on (SSO) for applications to run on Centrify Identity Services platform, you can request a free Centrify Express account to access the API.

What you should know to get started

If you have access to a customer-specific URL, custom URL, or a Centrify Express account, you are ready to get started working with the API. To ensure a successful experience, you should be familiar with the following programming formats and tools:

  • JSON (JavaScript Object Notation) format. The API uses JSON for the payload and the response.The encoding is JSON/UTF-8.
  • cURL, Postman, or a similar tool for executing HTTP requests.
  • Fiddler, Chrome Developer Tools, or similar tools for tracing and debugging existing request flows.

Centrify Identity Services API