Settings UI fields

You use the Admin Portal Settings page to configure the following Privileged Access Service options. Before you develop your Privileged Access Service deployment plan, review these options. Some of them may be necessary to support certain mobile devices (for example, the Apple Push Notification Service certificate for iOS devices) while others are optional (Account Customization and Exchange ActiveSync Server Settings).

Modifying a setting requires specific Admin Portal administrative rights. The third column lists the required rights. To learn more about the roles and rights required to make these changes, see Admin Portal administrative rights.

Setting | Why you use this setting | Role or rights needed to modify these settings

Account Customization

Customize the Admin Portal login prompts and email messages to incorporate your organization's brand and logos. See How to customize the admin and login window.

Sysadmin role

Authentication Profiles

Define the required authentication mechanisms such as password, email confirmation code, mobile authenticator, etc. You use the authentication profile when you create your authentication rule or when you are configuring Server Suite authentication.

See Creating authentication profiles.

Sysadmin role

Admin Portal

Display the list of Centrify Connectors, configure Integrated Windows Authentication settings, and add or delete a Centrify Connector.

See How to install a Centrify Connector.

Sysadmin role to modify all settings

Register Connectors permission to add a connector

Corporate IP Range

Specify the public IP addresses you want to include within the corporate intranet. Privileged Access Service uses these addresses for Integrated Windows Authentication and application multifactor authentication.

See How to set Corporate IP ranges.

Sysadmin role

Directory Services

Add LDAP or Google as your directory service and view existing configured directory services.

See How to add a directory service.

Sysadmin role

Idle User Session Timeout

Enable a timeout and set the time period to log out inactive users from Admin Portal and Privileged Access Service Admin Portal.

See How to configure idle session timeout.

Sysadmin role

Login suffix

Create a list of the login suffixes (the name that follows @ in the full user name) that users enter to log in to the Privileged Access Service Admin Portal and enroll devices. Users that do not have a login suffix in this list cannot log in to the portals or enroll a device.

See How to use login suffixes.

Sysadmin role

OATH Tokens

You can authenticate to Privileged Access Service using your existing third-party OATH tokens (for example, those generated by a YubiKey) by bulk uploading those tokens. Privileged Access Service uses those tokens to generate one-time passcodes (OTP) that users with enrolled devices can immediately use to log in to the Admin Portal.

See How to configure OATH OTP.

Sysadmin role

Partner Management

Allows you to add business partners so that you can share your Privileged Access Service with your partners. Partner federation is achieved through SAML, where your tenant serves as the host (the Service Provider in SAML terms), and your business partners access the tenant and its associated resources by passing a SAML token obtained from their Identity Provider (IDP).

See How to set up business partner federation.

Sysadmin role


Run application user provisioning synchronization, configure the provisioning report options, and specify daily synchronizations.

Sysadmin role

RADIUS Connections

Allows you to configure your RADIUS clients/servers. You can use the Centrify Connector as a RADIUS server for clients that support RADIUS authentication, such as VPNs. Additionally, you can configure RADIUS server settings to allow third-party RADIUS authentication.

See How to configure Privileged Access Service for RADIUS.

Sysadmin role

SafeNet KeySecure Configuration

Configure communication between the Privileged Access Service and the SafeNet KeySecure appliance if you want to use KeySecure to store Centrify privilege service account passwords.

Sysadmin role

Security Settings

Define security-related settings, such as securely capturing users' passwords at login or enabling forgotten username self-service.

See How to set authentication security options for more information.


Server Suite Authentication

Add or select an authentication profile to use for multi-factor authentication on Centrify-managed Linux and UNIX computers. The authentication profile determines the authentication mechanism from which users can select how they are authenticated.

See Preparing authentication profiles.

Sysadmin role

System Configuration

Configure a custom SMTP server for outgoing mail services such as MFA challenges and self-service features. You can also choose to connect to the custom SMTP server using the Centrify Connector.


Tenant URLs

Create a URL that is specific to your company so your users can easily remember the Privileged Access Service URL. Newly created URLs may take a few minutes to propagate.

If you have users using FIDO2 authenticator(s), those users will need to log in with the new URL and re-activate their keys. See Using FIDO2 authenticators with a new tenant URL for more information.

URL requirements:

  • Must always begin with a letter
  • Maximum of 63 characters
  • Can only contain letters, numbers, and dashes (-)

Sysadmin role