MaaS360 - Verify integration user experience

Information about how the MaaS360® integration with the Verify service protects cloud apps, requires no on-premises integration, and enhances the user experience.

The MaaS360 certificate authority issues Identity Certificates to all enrolled devices that are eligible for the Verify service. The administrator does not need to use Cloud Extender® to set up and integrate a PKI environment with MaaS360. This integration also uses native iOS SSO, so authentication is seamless and the user does not need to provide a password each time they access an app.

Integration workflow

The following diagram outlines the integration workflow for a user:

Figure: Verify workflow
  1. The user accesses the app on an iOS or Android device, and then enters an email address for authentication.
  2. The request is sent to the cloud app. The cloud app recognizes the organization that the user belongs to based on the domain in the email address. The cloud app identifies that the organization uses IBM® Security Verify as an Identity Provider (IDP) for authentication. The authentication request is now redirected to Verify.
  3. Verify runs a Kerberos service in the cloud environment. This Kerberos service challenges the device for authentication.
  4. From the SSO payload, the device recognizes that the authentication challenge is directed at an SSO-enabled app and that it originates from the Kerberos realm defined in that payload. iOS intervenes and responds to the Kerberos authentication challenge with the Identity Certificate that MaaS360 provisioned.
  5. The Kerberos service recognizes the Identity Certificate from this integration and successfully authenticates the user. If conditional access is enabled, Verify also ensures that the device is compliant according to corporate policies enforced by MaaS360.
  6. After successfully passing all checks, Verify issues a valid SAML token to the app.
  7. The app contacts the cloud service and presents the SAML token. The user is now successfully authenticated and is allowed access to the cloud resource.