Integrating two Centrify tenants

Federating two Centrify tenants requires that SAML federation and OAuth2 password grant are set up between the Centrify tenants.

  • SAML federation is required for Centrify users to access the Admin Portal.
  • OAuth2 password grant is required for agent and step-up authentication of Centrify users in the Admin Portal and in agents.

Setting up the Centrify tenant(s)

The first Centrify tenant is set up by performing two main tasks:

  • SAML Federation Setup

  • OAuth2 Setup

Setting up SAML Federation

To set up SAML federation, perform the following steps:

  1. Establish a business-to-business federation setup to the Centrify tenant (the federation tenant) by creating a business-to-business application. Refer to the steps in Custom SAML applications to do this.
  2. For the SAML response script, map the attributes in one of the following ways:

    • attribute mapping or
    • custom mapping script

    Attribute mapping

    Enter a value for each of the following attributes:

    Attribute name       Attribute value
    UserPrincipalName    LoginUser.Username
    UUID                 LoginUser.Uuid
    DisplayName          LoginUser.DisplayName
    Email                LoginUser.Email
    MobileNumber         LoginUser.MobileNumber
    Group                LoginUser.RoleNames

    Custom mapping script

    Run the following custom mapping script:

    /* Centrify Federation */
    // Single-valued attributes; the partner tenant maps users by UserPrincipalName
    setAttribute("UserPrincipalName", LoginUser.Username);
    setAttribute("UUID", LoginUser.Uuid);
    setAttribute("DisplayName", LoginUser.DisplayName);
    setAttribute("Email", LoginUser.Email);
    setAttribute("MobileNumber", LoginUser.MobileNumber);
    // Multi-valued attribute: the user's role names become federated group memberships
    setAttributeArray("Group", LoginUser.RoleNames);

  3. Add the API security domain.
    1. In the Admin Portal, navigate to Settings > Authentication > Security Settings
    2. Under API Security, click Add.
    3. In the text box that appears, enter the security domain then click Add.
    4. Select the checkbox next to the newly added security domain.
    5. Click Save.
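The partner tenant relies on the attributes above being present in the SAML response: UserPrincipalName must be a single non-empty value (it is the "By Name" mapping key), and Group must be treated as multi-valued because it is emitted with setAttributeArray. The following Python is an added example, not part of the Centrify documentation, that extracts the AttributeStatement from an assertion and reports anything that would break the mapping; the sample assertion, its values and the federated-domain set are constructed placeholders.

```python
"""Check that a SAML assertion carries the attributes the Centrify federation
partner expects. Added example; the assertion below is constructed and unsigned."""
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names emitted by the mapping table / script in the federating tenant.
SINGLE_VALUED = ("UserPrincipalName", "UUID", "DisplayName", "Email", "MobileNumber")
MULTI_VALUED = ("Group",)  # setAttributeArray("Group", LoginUser.RoleNames)

# Constructed sample assertion (placeholder values, no signature element).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserPrincipalName"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UUID"><saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="DisplayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MobileNumber"><saml:AttributeValue>+15555550100</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>System Administrator</saml:AttributeValue>
      <saml:AttributeValue>Everybody</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def validate_federation_attributes(attrs: dict, federated_domains: set) -> list:
    """Return a list of problems; an empty list means the partner tenant can map the user."""
    problems = []
    for name in SINGLE_VALUED:
        values = attrs.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append(f"{name}: expected exactly one non-empty value, got {values!r}")
    for name in MULTI_VALUED:
        if name not in attrs:
            problems.append(f"{name}: missing, so no federated group membership can be assigned")
    # "By Name" mapping only works when the UPN domain is one of the partner's Federated Domains.
    upn = attrs.get("UserPrincipalName", [""])[0]
    domain = upn.rpartition("@")[2].lower()
    if upn and domain not in {d.lower() for d in federated_domains}:
        problems.append(f"UserPrincipalName domain {domain!r} is not a configured federated domain")
    return problems


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for problem in validate_federation_attributes(found, {"example.test"}) or ["assertion OK"]:
        print(problem)
```

Run it against a decoded SAMLResponse captured from your own test login to confirm the mapping script emits what the partner tenant's Authentication tab expects before enabling "Create cloud users when mapping not found".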

Setting up OAuth2

To set up OAuth2, perform the following steps:

  1. Set up the Centrify tenant as an OAuth2 server by performing the steps in Custom OAuth2 Server.
  2. Under the Settings tab, ensure the following fields have the values listed:
    • Application ID: CentrifyFederation.
    • Name: Centrify Federation OAuth2 Server.
  3. Under the General Usage tab, ensure the following fields have the values listed:
    • Client ID Type: Confidential.
    • Enable Must be OAuth Client.
  4. Under the Tokens tab, ensure the following field has the value listed:
    • Auth Methods: Resource Owner.
  5. No scopes are needed.
  6. Create the associated confidential client (the Cloud user).

    Note:   Record the client name and secret (password); they are needed when you set up the other Centrify tenant.

Setting up the Centrify tenant

The following steps show you how to set up a partner federation with the other Centrify tenant.

  1. Set up a partner federation. Refer to the steps in How to set up business partner federation to do this.
  2. Under the Settings tab, ensure the following fields have the values listed:
    • Partner name: Centrify.
    • Add the domains of the Centrify users as Federated Domains.
  3. Under the Authentication tab, ensure the following fields have the values listed:
    • Use "Required" mapping of federated users.
    • UserPrincipalName mapping attribute.
    • By Name mapping.
    • Set OAuth2 URL to: https://<IdT id>.my.centrify.app/Token/CentrifyFederation.
    • Set OAuth2 client name to the client name used in the Centrify tenant OAuth2 setup.
    • Set OAuth2 client secret to the client secret (password) used in the Centrify tenant OAuth2 setup.
    • Enable Update cloud users with Federated user attributes.
    • Enable Add mapped users to federated groups.
    • Enable Create cloud users when mapping not found.
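The OAuth2 URL, client name and client secret configured above are what the partner tenant uses for the resource-owner password grant ("Auth Methods: Resource Owner") during agent and step-up authentication. The grant hands the user's password to the client, which is why the page restricts it to a confidential client with "Must be OAuth Client" enabled. The following Python is an added example, not Centrify's code, that builds that token request and validates the response; it assumes the Centrify token endpoint accepts the standard RFC 6749 section 4.3 form body with the confidential client authenticating via HTTP Basic, and the tenant id, client name, secret and user credentials are placeholders.

```python
"""Resource-owner password grant against a Centrify federation token endpoint.
Added example; endpoint behaviour beyond RFC 6749 is an assumption."""
import base64
import json
import urllib.request
from urllib.parse import urlencode


def token_endpoint(tenant_id: str, app_id: str = "CentrifyFederation") -> str:
    """Token URL as given on the page: https://<IdT id>.my.centrify.app/Token/CentrifyFederation."""
    return f"https://{tenant_id}.my.centrify.app/Token/{app_id}"


def build_password_grant_request(tenant_id, client_name, client_secret, username, password):
    """Return (url, headers, body). The client secret travels only in the
    Authorization header, never in the URL, so it does not end up in access logs."""
    basic = base64.b64encode(f"{client_name}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return token_endpoint(tenant_id), headers, body


def parse_token_response(status: int, raw_body: str) -> dict:
    """Accept only a 200 carrying a bearer access token; surface OAuth2 error codes otherwise."""
    data = json.loads(raw_body)
    if status != 200:
        raise RuntimeError(f"token request failed: {data.get('error')} ({data.get('error_description')})")
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("success status without a bearer access_token")
    return data


def request_token(tenant_id, client_name, client_secret, username, password, timeout=10) -> dict:
    """Perform the exchange over HTTPS (not exercised offline)."""
    url, headers, body = build_password_grant_request(tenant_id, client_name, client_secret, username, password)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholders: replace with the partner tenant's recorded client name/secret.
    url, headers, body = build_password_grant_request(
        "<IdT id>", "centrify-federation-client", "<client secret>", "alice@example.test", "<password>")
    print(url)
    print(body.replace("<password>", "***"))  # never log the real password or the Basic header
```

A clean way to verify the partner setup is to run request_token once with a test user and confirm an invalid_grant error for a wrong password and a bearer token for a correct one; a 401 on the client credentials points at the client name/secret pair, not the user.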