Adding a partner

You add the partner in the Admin Portal to enable federated access on your side. To finish the configuration you need two things from your partner: the group attribute values their IdP will send, and their IdP SAML metadata.

To create a partner

  1. Log in to Admin Portal.
  2. Click Settings, Users, Partner Management and Add.

  3. Enter a unique partner name.
  4. Ensure the partner's SAML configuration sends the required attributes.

    SAML 2.0 is selected automatically because it is currently the only supported federation type.

    The following attributes are consumed by federations with other Cloud customers.

    userprincipalname is mandatory and must be configured in the partner IdP SAML configuration.

    Additional attributes are optional. They can be configured in the partner IdP SAML configuration, or on the Service Provider side with the B2B application template. Group carries the group attribute values that Group Mappings (step 7) translate to your groups.

    Mandatory attribute:

    • userprincipalname

    Additional supported attributes:

    • DisplayName
    • Description
    • Email
    • Group
    • HomeNumber
    • LoginName
    • MobileNumber
    • OfficeNumber

    For example, the IdP-side script line that emits the mandatory attribute:

    setAttribute("userprincipalname", LoginUser.Get("userprincipalname"));

  5. Click Add associated with the Domain Name field to enter a unique domain name.

    This domain name is used as the login suffix for all partner users. It allows Centrify to recognize users as coming from a specific IdP and redirect them accordingly. For example, you may want to use the business partner's company name (for example companyABC.com) as the domain name.

  6. Click Add to add the domain name to the table.
  7. Click Group Mappings, Add to create a mapping of the group attribute values (i.e. partner roles for other Centrify tenants, or groups for partners using ADFS) to your groups.
  8. Enter the partner role or ADFS group (ADFS federation) into the Group Attribute Value column, then either select an existing group in the Group Name column or enter a new name.

    You do this to map the partner roles/ADFS groups (information you should have received from your partner) to your groups. Each group needs to be a member of at least one role in your tenant. See Assigning host groups to roles.

  9. Click Inbound Metadata to configure the IdP settings for this partner (using the IdP metadata you received from your partner) using one of the following options:

    • Option 1: Upload the IdP configuration from URL. To use this option, paste the Identity Provider SAML Metadata URL provided by your partner; it should be an https URL.
    • Option 2: Upload IdP configuration from a file. If your partner provided the Identity Provider SAML Metadata in an XML file, you can upload it here.
    • Option 3: Manual Configuration. Manually enter the relevant information. This is not recommended; entering endpoints and the signing certificate by hand is error-prone.

    Whichever option you use, the signing certificate in this metadata is what your tenant will trust for every assertion from the partner, so confirm its fingerprint with your partner out of band before saving.
  10. Click Outbound Metadata to obtain your tenant's Service Provider metadata, which your partner enters in their IdP SAML configuration, using one of the following options:

    • Option 1: Service Provider Metadata URL. Copy this link and paste at the partner IdP SAML configuration.
    • Option 2: Download Service Provider Metadata. Upload this file at the partner IdP SAML configuration.
    • Option 3: Manual Configuration. Copy and paste this information at the partner IdP SAML configuration.
  11. Click Device OS to select which mobile device operating systems the federation applies to.

    To enforce Centrify MFA for users on selected device types, Map federated user to existing directory user must be set to Required.

    You can choose Any Device (the default selection), or select from the following:

    • Android
    • iOS
    • All Others

    To prevent iPadOS devices from bypassing the mobile device detection and IdP routing (Safari on iPadOS requests the desktop version of websites by default, so the device is not detected as mobile), inform your iPadOS device users to do the following:

    • Verify that their browser is requesting the mobile site for any SP URLs.

      For example, to configure Safari to request mobile sites by default: In iPad settings, navigate to Safari Settings > Request Desktop Website and then turn off the All Websites setting.

    • Use the native app of the target application, or launch the app from the Centrify application.

Adding an Idaptive partner

For information on adding an Idaptive partner, see the Integrating Centrify Privileged Access Service and Idaptive tenants documentation.

Adding an Okta partner

For information on adding an Okta partner, see the Integrating Centrify Privileged Access Service and Okta documentation.

Adding a Microsoft Azure partner

For information on adding a Microsoft Azure partner, see the Integrating Centrify Privileged Access Service with Microsoft Azure Active Directory documentation.