Adding a partner

You add the partner in Admin Portal to enable sharing on your end. You will need the group attribute values and IDP metadata from your partner to finish the configuration.

To create a partner

1. Log in to Admin Portal.

2. Click Settings, Users, Partner Management and Add.

   

3. Enter a unique partner name.

4. Ensure your SAML file includes the required elements.

   SAML 2.0 is automatically selected because we currently only support this federation type.

   The following attributes are consumed by federations with other Cloud customers.

   userprincipalname is a mandatory attribute that needs to be configured in the IdP SAML configuration.

   Additional attributes are supported and can be configured with the partner IdP SAML configuration. These can also be configured on the Service Provider side with the B2B application template.

   Mandatory attribute:

   userprincipalname (mandatory)

   Additional supported attributes:

   • DisplayName
   • Description
   • Email
   • Group
   • HomeNumber
   • LoginName
   • MobileNumber
   • OfficeNumber

   For example:

   setAttribute("userprincipalname", LoginUser.Get("userprincipalname"));

5. Click Add associated with the Domain Name field to enter a unique domain name.

   This domain name will be used as the login suffix for all partner users. It allows Centrify to recognize users as coming from a specific IDP and redirects them accordingly. For example, you may want to use the business partner company name (for example companyABC.com) as the domain name.

6. Click Add to add the domain name to the table.
7. Click Group Mappings, Add to create a mapping of the group attribute values (i.e. partner roles for other Centrify tenants, or groups for partners using ADFS) to your groups.

8. Enter the partner role or ADFS group (ADFS federation) into the Group Attribute Value column, then either select an existing group in the Group Name column or enter a new name.

   You do this to map the partner roles/ADFS groups (information you should have received from your partner) to your groups. Each group needs to be a member of at least one role in your tenant. See Assigning host groups to roles.

9. Click Inbound Metadata to configure IDP settings (using the IDP metadata you received from your partner) for this partner using one of the following options:

   • Option 1: Upload the IDP configuration from URL. To use this option, paste the Identity Provider SAML Metadata URL provided by your partner.
   • Option 2: Upload IDP configuration from a file. If your partner provided the Identity Provider SAML Metadata in an XML file, you can upload it here.
   • Option 3: Manual Configuration. Manually enter the relevant information. This is not a recommended option.

10. Click Outbound Metadata to provide IDP configuration settings (using the IDP metadata to send to your federating partner) for your partners using one of the following options:

    • Option 1: Service Provider Metadata URL. Copy this link and paste at the partner IdP SAML configuration.
    • Option 2: Download Service Provider Metadata. Upload this file at the partner IdP SAML configuration.
    • Option 3: Manual Configuration. Copy and paste this information at the partner IdP SAML configuration.
11. Click Authentication to configure mapping federated users to existing directory users.

    By default, when a federated user logs in a new user is created in the Centrify Directory, even if a user already exists in a source directory (Centrify Directory, AD, LDAP, or Google) that has the same uuid or username. This feature maps the authenticated user to an existing user (if possible) before creating a new Centrify Directory user. By default, assertions of the federated user are ignored in favor of the attributes of the mapped user.

    1. (optional) Select Enable URL redirecting if you want incoming federated users to be redirected to the target URL (as defined by the RelayState).

       If you enable URL redirecting, you can also limit redirection to a RelayState matching the URL pattern. If the field is empty, all URLs are allowed. The URL pattern is a wildcard pattern starting with https://. For example, https://www.example.com*.

       

    2. Select Optional or Required in the Map federated user to existing directory user drop-down menu to enable the feature.

       

    • Selecting Optional means authentication of a mapped federation user results in the user of the mapped directory service. If a user cannot be mapped, a new Federated user is created.

    • Selecting Required means the user of a federation will authenticate as the matching user of another directory service. If no match is found, login is denied. If Create cloud user if unable to map is also enabled, a matched Centrify Directory user is created and login is permitted.

    1. (Optional) Enter a federated user mapping attribute.

       The default value is UserPrincipalName, since it is a required assertion.

       The federated user mapping attribute must be in the SAML assertion and map to either the Name or Uuid source directory attributes. If you change this value to an attribute that is not in the assertion and/or does not map to a unique attribute in a source directory, the mapping will fail.

    2. Select a directory user mapping attribute; either Name or Uuid.

    3. (Optional) Select a preferred directory service to search first for existing users.

       After the preferred directory service, remaining directory services are searched according to their creation date.

    4. (Optional) Select Update cloud users with federated user attributes to update a mapped Centrify Directory user with the federated assertions.

12. Click Device OS to select which mobile device operating systems the federation applies to.

    To enforce Centrify MFA for users on selected device types, Map federated user to existing directory user must be set to Required.

    You can choose Any Device (the default selection), or select from the following:

    • Android
    • iOS
    • All Others

    

    To avoid iPadOS devices from bypassing the mobile device detection and IdP routing, inform your iPadOS device users to do the following:

    • Verify that their browser is requesting the mobile site from any SP URLs.

      For example, to configure Safari to request mobile sites by default: In iPad settings, navigate to Safari Settings > Request Desktop Website and then turn off the All Websites setting.

    • Use the Native app of the target application or use the Centrify application to launch the app.

Adding an Idaptive partner

For information on adding an Idaptive partner, see the Integrating Centrify Privileged Access Service and Idaptive tenants documentation.

Adding an Okta partner

For information on adding an Okta partner, see the Integrating Centrify Privileged Access Service and Okta documentation.

Adding a Microsoft Azure partner

For information on adding an Microsoft Azure partner, see the Integrating Centrify Privileged Access Service with Microsoft Azure Active Directory documentation.