Abstract: Examples of detecting whether a device meets an enrollment level are disclosed. In one case, a method for providing access to an application on a client device includes receiving a request to access an application from the client device, determining an enrollment level associated with the application, and determining that multi-factor authentication is required for access to the application on the client device based on the enrollment level associated with the application. The method can also include initiating multi-factor authentication on the client device before access to the application is permitted. The method can also include determining that multi-factor authentication is successful on the client device, transmitting a management component to the client device, and installing the management component on the client device for enrollment as a managed device with a management service.

Abstract: A system and method for supplying on-premise hyper-converged systems uses a cloud service to receive orders for the on-premise hyper-converged systems from customers and to request a system integrator to procure hardware components of the on-premise hyper-converged systems and to assemble hardware components to produce assembled systems. Software components are remotely installed and configured in the assembled systems from the cloud service using bring-up appliances in virtual private clouds created for the on-premise hyper-converged systems to deploy software-defined data centers (SDDCs) in the on-premise hyper-converged systems. The resulting on-premise hyper-converged systems with the deployed SDDCs can then used by the customers.

Abstract: Disclosed are various examples for transferring device identifying information during authentication. An enrollment request is received from a management component executed by a client device. A management service generates a unique device identifier for the client device and embeds it within a certificate to generate a device-identifying certificate. The management service instructs a certificate authority service to generate a public key that includes the unique device identifier and a private key for the client device, and provides the device-identifying certificate and the private key to the client device.

Abstract: Disclosed are various examples for transferring device identifying information during authentication. In some examples, an authentication request is transmitted to an identity manager. Instructions to negotiate a ticket are received from the identity manager. A ticket is negotiated from a key distribution center using a certificate comprising a unique device identifier of the client device. The unique device identifier is embedded in the ticket by the key distribution center based on verification that the certificate is valid. Authentication of the client device is completed through the identity manager using the ticket.

Abstract: Disclosed are various examples for providing a single sign-on experience for managed mobile devices. A management application executed in a computing device receives a single sign-on request from a managed client application executed by the same computing device. The management application determines that the client application is permitted to access a management credential for single sign-on use. The management application provides the management credential to the client application in response to the single sign-on request.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: A system and method for supplying on-premise hyper-converged systems uses a cloud service to receive orders for the on-premise hyper-converged systems from customers and to request a system integrator to procure hardware components of the on-premise hyper-converged systems and to assemble hardware components to produce assembled systems. Software components are remotely installed and configured in the assembled systems from the cloud service using bring-up appliances in virtual private clouds created for the on-premise hyper-converged systems to deploy software-defined data centers (SDDCs) in the on-premise hyper-converged systems. The resulting on-premise hyper-converged systems with the deployed SDDCs can then used by the customers.

Abstract: Examples of detecting whether a device meets an enrollment level are disclosed. In one case, a method for providing access to an application on a client device includes receiving a request to access an application from the client device, determining an enrollment level associated with the application, and determining that multi-factor authentication is required for access to the application on the client device based on the enrollment level associated with the application. The method can also include initiating multi-factor authentication on the client device before access to the application is permitted. The method can also include determining that multi-factor authentication is successful on the client device, transmitting a management component to the client device, and installing the management component on the client device for enrollment as a managed device with a management service.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: Various examples of detecting whether a device meets an enrollment level are disclosed. A request to authenticate a user based upon user credentials is obtained. Applications for which the user is authorized are identified. An enrollment level associated with each of the plurality of applications is also identified. A user interface including the plurality of applications and the enrollment level associated with each of the plurality of applications is generated.

Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an application executed in a client device. The identity provider service can then detect a platform associated with the client device. A response to the request can be sent based at least in part on the platform, where the response requests authentication by a management credential. Data generated by the management credential is received from the client device, and the management credential is determined to be valid for the identity assertion. The identity assertion is then sent to the client device in response to determining that the management credential is valid for the identity assertion.

Abstract: Disclosed is a system and technique for validating a user for a single sign on without exposing secure information about the user to any part of the system except the connection server and the identity provider. In the technique, instead of relying directly on a SAML assertion, the technique uses an artifact representing the assertion and wraps the artifact in an access token. The access token is able to carry the artifact through one or more gateways on its way to a connection server without revealing any security information. Upon the access token being verified by either the gateway or the connection server, the artifact can be extracted from the access token and verification of the user for the single sign on can proceed between only the connection server and the identity provider.

Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an application executed in a client device. The identity provider service can then detect a platform associated with the client device. A response to the request can be sent based at least in part on the platform, where the response requests authentication by a management credential. Data generated by the management credential is received from the client device, and the management credential is determined to be valid for the identity assertion. The identity assertion is then sent to the client device in response to determining that the management credential is valid for the identity assertion.

Abstract: A computer-implemented method for automatically registering an application with an enterprise system is disclosed. The method accesses an application utilizable with the enterprise system. Generates an application access template for the application, including: generating information specific to the application that is able to be utilized with the enterprise system, and generating parameters specific to the application that is able to be utilized with the enterprise system. The method defines, in the application access template, a basic authorization protocol information; and utilizes the application access template for a subsequent dynamic registration of the application with the enterprise system.

Abstract: Disclosed are various examples for transferring device identifying information during authentication. In some examples, an authentication request is transmitted to an identity manager. Instructions to negotiate a ticket are received from the identity manager. A ticket is negotiated from a key distribution center using a certificate comprising a unique device identifier of the client device. The unique device identifier is embedded in the ticket by the key distribution center based on verification that the certificate is valid. Authentication of the client device is completed through the identity manager using the ticket.

Abstract: Disclosed is a system and technique for validating a user for a single sign on without exposing secure information about the user to any part of the system except the connection server and the identity provider. In the technique, instead of relying directly on a SAML assertion, the technique uses an artifact representing the assertion and wraps the artifact in an access token. The access token is able to carry the artifact through one or more gateways on its way to a connection server without revealing any security information. Upon the access token being verified by either the gateway or the connection server, the artifact can be extracted from the access token and verification of the user for the single sign on can proceed between only the connection server and the identity provider.

Abstract: Disclosed are various examples for determining whether a client device complies with compliance rules while authenticating a user account. A client certificate can include an identifier corresponding to a client device. An identity provider can extract the identifier while authenticating the user account. The identity provider can determine whether the client device complies with compliance rules prior to authenticating the user account on the client device.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.

Abstract: Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an application executed in a client device. The identity provider service can then detect a platform associated with the client device. A response to the request can be sent based at least in part on the platform, where the response requests authentication by a management credential. Data generated by the management credential is received from the client device, and the management credential is determined to be valid for the identity assertion. The identity assertion is then sent to the client device in response to determining that the management credential is valid for the identity assertion.

Abstract: Disclosed are various examples for providing a single sign-on experience for mobile applications that may or may not be managed. A first application executed in a client device sends an access request to a service provider. The first application receives a redirection response from the service provider that redirects the first application to an identity provider. The first application then receives a further redirection response from the identity provider that causes the first application to request an identity assertion from a second application executed in the client device. The first application receives the identity assertion from the second application. The first authentication then authenticates with the service provider using the identity assertion.