With Privileged Access Service, you can choose single-sign-on (SSO) access to the CloudLock web application with IdP-initiated SAML SSO (for SSO access through the Admin Portal) or SP-initiated SAML SSO (for SSO access directly through the CloudLock web application) or both. Providing both methods gives you and your users maximum flexibility.

If CloudLock is the first application you are configuring for SSO through Privileged Access Service, read these topics before you get started:

CloudLock SSO requirements

Before you configure the CloudLock web application for SSO, you need the following:

  • An active CloudLock account with administrator rights for your organization.

  • An Assertion Consumer Service URL from CloudLock.

  • A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.
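The two SSO methods and the Assertion Consumer Service URL requirement show up directly in the SAML Response that the service provider receives. The following Python is an added example, not Centrify or CloudLock code: it classifies a response as SP-initiated or IdP-initiated and checks that it is addressed to the expected ACS URL. The `ACS_URL` value, the function names and the sample messages are constructed for illustration, and signature verification against the signed certificate is assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder; use the Assertion Consumer Service URL CloudLock gives you.
ACS_URL = "https://cloudlock.example.invalid/saml/acs"


def make_response(in_response_to=None, recipient=ACS_URL):
    """Build a constructed, unsigned SAML Response for the demonstration."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_r1" Version="2.0" Destination="{recipient}"{irt}>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"{irt}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion>'
        '</samlp:Response>'
    )


def check_response(xml_text, acs_url, pending_request_ids):
    """Return (flow, problems). Signature verification against the IdP
    certificate must already have succeeded; it is not done here."""
    root = ET.fromstring(xml_text)
    problems = []
    irt = root.get("InResponseTo")
    if irt is None:
        flow = "idp-initiated"            # unsolicited: launched from the portal
    elif irt in pending_request_ids:
        flow = "sp-initiated"             # answers an AuthnRequest we sent
        pending_request_ids.discard(irt)  # a request ID is accepted only once
    else:
        flow = "unknown"
        problems.append("InResponseTo does not match a pending request")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not our ACS URL")
    elif scd.get("InResponseTo") != irt:
        problems.append("assertion InResponseTo differs from response")
    return flow, problems
```

When both methods are enabled, the service provider has to accept responses without `InResponseTo`, so the ACS URL and signature checks carry the full weight for the IdP-initiated path.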

Adding and configuring CloudLock in Admin Portal

Tip: It is helpful to open Centrify Admin Portal Application Settings and the CloudLock web application simultaneously to copy and paste content between the two browser windows. For information on how to access the CloudLock web application, see Configuring CloudLock for SSO.

Configuring CloudLock for SSO

The following steps are specific to the CloudLock application and are required in order to enable SSO for CloudLock. For information on optional Centrify Admin Portal configuration settings that you may wish to customize for your app, see Optional configuration settings.

For more information about CloudLock

For more information about configuring CloudLock for SSO, contact CloudLock Support.

CloudLock specifications

Each SAML application is different. The following table lists features and functionality specific to CloudLock.



Support details

Web browser client



Mobile client



SAML 2.0



SP-initiated SSO


Users may go directly to the CloudLock URL and then use the Privileged Access Service SSO to authenticate.

IdP-initiated SSO


Users may use SSO to log in to CloudLock through the Admin Portal.

Force user login via SAML only



Separate administrator login after SSO is enabled



User or Administrator account lockout risk


Users can log in using other SSO methods, such as Office365.

Automatic user provisioning



Multiple User types



Self-service password



Access restriction using a corporate IP range


You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.