You add the partner in Admin Portal to enable sharing on your end. You will need the group attribute values and IDP metadata from your partner to finish the configuration.
To create a partner
- Log in to Admin Portal.
- Click Settings, Users, Partner Management and Add.
- Enter a unique partner name.
- Ensure your SAML file includes the required elements.
SAML 2.0 is automatically selected because we currently only support this federation type.
The following attributes are consumed by federations with other Cloud customers.
userprincipalname is a mandatory attribute that needs to be configured in the IdP SAML configuration.
Additional attributes are supported and can be configured with the partner IdP SAML configuration. These can also be configured on the Service Provider side with the B2B application template.
Additional supported attributes:
Click Add associated with the Domain Name field to enter a unique domain name.
This domain name will be used as the login suffix for all partner users. It allows Centrify to recognize users as coming from a specific IDP and redirects them accordingly. For example, you may want to use the business partner company name (for example companyABC.com) as the domain name.
- Click Add to add the domain name to the table.
- Click Group Mappings > Add to create a mapping of the group attribute values to your groups.
For example, a group mapping for partner roles for other Centrify tenants, or federated groups.
The SAML attribute can be multi-valued and must be from the Identity Provider to Centrify.
- Enter the federated group into the Group Attribute Value column. This is your mapping name.
- Select an existing group in the Group Name column or enter a new name.
Once you save, a group will be created in Centrify with your group name. This group can then can be assigned to roles.
Note: You will see the group name when you assign a member to a role, and select only the Groups checkbox.
This step maps the federated groups (information you should have received from your partner) to your groups. See Assigning host groups to roles.
Click Custom Mappings > Add to create a custom mapping of the user attribute values.
This maps users with the specified attribute name and value to the selected group. Users mapped to groups are given the same admin rights as the group.
Click Inbound Metadata to configure IDP settings (using the IDP metadata you received from your partner) for this partner using one of the following options:
- Option 1: Upload the IDP configuration from URL. To use this option, paste the Identity Provider SAML Metadata URL provided by your partner.
- Option 2: Upload IDP configuration from a file. If your partner provided the Identity Provider SAML Metadata in an XML file, you can upload it here.
- Option 3: Manual Configuration. Manually enter the relevant information. This is not a recommended option.
Click Outbound Metadata to provide IDP configuration settings (using the IDP metadata to send to your federating partner) for your partners using one of the following options:
- Option 1: Service Provider Metadata URL. Copy this link and paste at the partner IdP SAML configuration.
- Option 2: Download Service Provider Metadata. Upload this file at the partner IdP SAML configuration.
- Option 3: Manual Configuration. Copy and paste this information at the partner IdP SAML configuration.
Click Authentication to configure mapping federated users to existing directory users.
By default, when a federated user logs in a new user is created in the Centrify Directory, even if a user already exists in a source directory (Centrify Directory, AD, LDAP, or Google) that has the same
username. This feature maps the authenticated user to an existing user (if possible) before creating a new Centrify Directory user. By default, assertions of the federated user are ignored in favor of the attributes of the mapped user.
(optional) Select Enable URL redirecting if you want incoming federated users to be redirected to the target URL (as defined by the RelayState).
If you enable URL redirecting, you can also limit redirection to a RelayState matching the URL pattern. If the field is empty, all URLs are allowed. The URL pattern is a wildcard pattern starting with
https://. For example,
Select Optional or Required in the Map federated user to existing directory user drop-down menu to enable the feature.
- Selecting Optional means authentication of a mapped federation user results in the user of the mapped directory service. If a user cannot be mapped, a new Federated user is created.
- Selecting Required means the user of a federation will authenticate as the matching user of another directory service. If no match is found, login is denied. If Create cloud user if unable to map is also enabled, a matched Centrify Directory user is created and login is permitted.
(Optional) Enter a federated user mapping attribute.
The default value is
UserPrincipalName, since it is a required assertion.The federated user mapping attribute must be in the SAML assertion and map to either the
Uuidsource directory attributes. If you change this value to an attribute that is not in the assertion and/or does not map to a unique attribute in a source directory, the mapping will fail.
Select a directory user mapping attribute; either Name or Uuid.
(Optional) Select a preferred directory service to search first for existing users.
After the preferred directory service, remaining directory services are searched according to their creation date.
- (Optional) Select Update cloud users with federated user attributes to update a mapped Centrify Directory user with the federated assertions.
Adding a Microsoft Azure partner
For information on adding an Microsoft Azure partner, see the Integrating with Microsoft Azure Active Directory documentation.
Adding an Okta partner
For information on adding an Okta partner, see the Integrating with Okta documentation.
Adding an Idaptive partner
For information on adding an Idaptive partner, see the Integrating with Idaptive tenants documentation.
Authenticate to servers for federated users
Since many customers use Okta as the main authentication directory, this example will use Okta to explain how to set up Centrify PAS and Centrify Client so that you can authenticate to servers managed by Centrify with your users.
- From the Admin Portal navigate to Resources > Systems.
- Right-click the system you want to use and click Enter Account. This will open a new window, enabling authentication into the system.
- Authenticate into the server using your login credentials. The logged in user is "local" to the server.
This manages the back channel between Centrify Client, PAS and the server, and therefore requires you to update your Admin Portal settings with your server information.
- Retrieve the relevant information from Okta.
- Set up an App in Okta.
Note: The app must be a "Native App" that uses OpenID Connect as the Sign-On Method.
The Native App will generate the following:
- Client ID
- Client secret
- Token URL - This is the default Authorization Server. For Okta, you can find this in the Okta Developer Console for your tenant under API / Authorization Servers > Metadata URI. The Token URL is listed under the token_endpoint variable.
Save this information, as you will need to use them in the Admin Portal.
- Ensure a default Scope is set up in the Scopes tab for your Authorization Server.
- Set up an App in Okta.
- Return to the Admin Portal and navigate to Settings > Users > Partner Management.
- Click Add to add a new partner.
- On the Settings tab, Set the Federation Type, Signature Type, and Federation Domains.
- Click the Authentication tab and enter the Client ID and Secret you copied from your server and fill in the Token URL.