Add a partner

You add the partner in Admin Portal to enable sharing on your end. You will need the group attribute values and IDP metadata from your partner to finish the configuration.

To create a partner

  1. Log in to Admin Portal.
  2. Click Settings, Users, Partner Management and Add.

  3. Enter a unique partner name.
  4. Ensure your SAML file includes the required elements.

    SAML 2.0 is automatically selected because we currently only support this federation type.

    The following attributes are consumed by federations with other Cloud customers.

    userprincipalname is a mandatory attribute that needs to be configured in the IdP SAML configuration.

    Additional attributes are supported and can be configured with the partner IdP SAML configuration. These can also be configured on the Service Provider side with the B2B application template.

    Mandatory attribute:

    userprincipalname (mandatory)

    Additional supported attributes:

    • DisplayName
    • Description
    • Email
    • Group
    • HomeNumber
    • LoginName
    • MobileNumber
    • OfficeNumber

    For example:

    setAttribute("userprincipalname", LoginUser.Get("userprincipalname"));

  5. Click Add associated with the Domain Name field to enter a unique domain name.

    This domain name will be used as the login suffix for all partner users. It allows Centrify to recognize users as coming from a specific IDP and redirects them accordingly. For example, you may want to use the business partner company name (for example as the domain name.

  6. Click Add to add the domain name to the table.
  7. Click Group Mappings > Add to create a mapping of the group attribute values to your groups.

    For example, a group mapping for partner roles for other Centrify tenants, or federated groups.

    The SAML attribute can be multi-valued and must be from the Identity Provider to Centrify.

  8. Enter the federated group into the Group Attribute Value column. This is your mapping name.
  9. Select an existing group in the Group Name column or enter a new name.

    Once you save, a group will be created in Centrify with your group name. This group can then can be assigned to roles.

    Note:   You will see the group name when you assign a member to a role, and select only the Groups checkbox.

    This step maps the federated groups (information you should have received from your partner) to your groups. See Assigning host groups to roles.

  10. Click Custom Mappings > Add to create a custom mapping of the user attribute values.

    This maps users with the specified attribute name and value to the selected group. Users mapped to groups are given the same admin rights as the group.

  11. Click Inbound Metadata to configure IDP settings (using the IDP metadata you received from your partner) for this partner using one of the following options:

    • Option 1: Upload the IDP configuration from URL. To use this option, paste the Identity Provider SAML Metadata URL provided by your partner.
    • Option 2: Upload IDP configuration from a file. If your partner provided the Identity Provider SAML Metadata in an XML file, you can upload it here.
    • Option 3: Manual Configuration. Manually enter the relevant information. This is not a recommended option.
  12. Click Outbound Metadata to provide IDP configuration settings (using the IDP metadata to send to your federating partner) for your partners using one of the following options:

    • Option 1: Service Provider Metadata URL. Copy this link and paste at the partner IdP SAML configuration.
    • Option 2: Download Service Provider Metadata. Upload this file at the partner IdP SAML configuration.
    • Option 3: Manual Configuration. Copy and paste this information at the partner IdP SAML configuration.

Adding a Microsoft Azure partner

For information on adding an Microsoft Azure partner, see the Integrating with Microsoft Azure Active Directory documentation.

Adding an Okta partner

For information on adding an Okta partner, see the Integrating with Okta documentation.

Adding an Idaptive partner

For information on adding an Idaptive partner, see the Integrating with Idaptive tenants documentation.

Authenticate to servers for federated users

Since many customers use Okta as the main authentication directory, this example will use Okta to explain how to set up Centrify PAS and Centrify Client so that you can authenticate to servers managed by Centrify with your users.

  1. From the Admin Portal navigate to Resources > Systems.
  2. Right-click the system you want to use and click Enter Account. This will open a new window, enabling authentication into the system.
  3. Authenticate into the server using your login credentials. The logged in user is "local" to the server.

    This manages the back channel between Centrify Client, PAS and the server, and therefore requires you to update your Admin Portal settings with your server information.

  4. Retrieve the relevant information from Okta.
    1. Set up an App in Okta.

      Note:   The app must be a "Native App" that uses OpenID Connect as the Sign-On Method.

      The Native App will generate the following:

      • Client ID
      • Client secret
      • Token URL - This is the default Authorization Server. For Okta, you can find this in the Okta Developer Console for your tenant under API / Authorization ServersMetadata URI. The Token URL is listed under the token_endpoint variable.

      Save this information, as you will need to use them in the Admin Portal.

    2. Ensure a default Scope is set up in the Scopes tab for your Authorization Server.
  5. Return to the Admin Portal and navigate to Settings > Users > Partner Management.
  6. Click Add to add a new partner.
  7. On the Settings tab, Set the Federation Type, Signature Type, and Federation Domains.
  8. Click the Authentication tab and enter the Client ID and Secret you copied from your server and fill in the Token URL.