Setting up Security Assertion Markup Language (SAML)
To integrate Centrify Privileged Access Service and Microsoft Azure Active Directory, review and perform the following steps:
- Open a browser tab or window to your Centrify PAS tenant, navigate to Settings > Users > Partner Management, and click Add.
- On the main Settings tab, enter values in the following fields:
- Partner Name: Azure.
- Federation Type: SAML 2.0.
- Under Federation Domains, click Add, enter the domain of the users to be federated, and click Add again.
Note: You are about to pivot to Microsoft Azure Active Directory. Do not close this window, as you will return to it to finish the setup.
- Open another browser and log into Microsoft Azure Active Directory (https://portal.azure.com) as an administrator to set up a new enterprise application that will federate with Centrify. Once you are in the main console, click the Azure Active Directory service in the left-hand menu.
- Click New application and make sure it is a Non-gallery application.
- Enter a name for the application and click Add.
- Select the SAML single sign-on method.
Note: This is a good time to switch back to the Centrify Partner Management window you left open.
- In the Partner Management window, select the Outbound Metadata tab and choose Option 2: Download Service Provider Metadata. Save the file to your Downloads folder or another location of your choice.
- Edit the FederationMetadata.xml file by inserting the following line between </KeyDescriptor> and <SingleLogoutService>: <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>, as seen below:
- Save the file.
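The metadata edit from the two steps above, done programmatically so that the new element lands after the KeyDescriptor block and before SingleLogoutService, with a check you can run on the result before uploading it. This is an added example, not Centrify's or Microsoft's code: the sample metadata, entity ID, endpoint URLs and certificate text are constructed placeholders; only the element name, the HTTP-POST Binding and the empty Location come from the step above.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Register the prefixes so the rewritten file keeps the default metadata
# namespace instead of sprouting "ns0:" prefixes on every element.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed stand-in for the downloaded FederationMetadata.xml: the entity
# ID, endpoint URLs and certificate text are placeholders, not real values.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://tenant.example.invalid/saml/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_POST}" Location="https://tenant.example.invalid/saml/slo"/>
    <AssertionConsumerService Binding="{HTTP_POST}" Location="https://tenant.example.invalid/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _md(local):
    """Clark-notation tag for an element in the SAML metadata namespace."""
    return "{%s}%s" % (MD_NS, local)


def insert_sso_element(xml_text):
    """Insert <SingleSignOnService Binding=HTTP-POST Location=""/> directly
    before the first <SingleLogoutService> of the SPSSODescriptor (i.e. after
    the KeyDescriptor block) and return the serialised document.

    A document that already carries a SingleSignOnService is returned
    unchanged, so the edit can be re-run safely.  A document without the
    expected elements raises ValueError instead of being patched blindly."""
    root = ET.fromstring(xml_text)
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    children = list(sp)
    tags = [c.tag for c in children]
    if _md("SingleSignOnService") in tags:
        return xml_text
    if _md("SingleLogoutService") not in tags or _md("KeyDescriptor") not in tags:
        raise ValueError("expected KeyDescriptor and SingleLogoutService in SPSSODescriptor")
    idx = tags.index(_md("SingleLogoutService"))
    if _md("KeyDescriptor") in tags[idx:]:
        raise ValueError("a KeyDescriptor follows SingleLogoutService; refusing to guess the insert point")
    sso = ET.Element(_md("SingleSignOnService"), {"Binding": HTTP_POST, "Location": ""})
    # Reuse the whitespace that precedes <SingleLogoutService> so the new
    # element is indented like its siblings.
    sso.tail = children[idx - 1].tail
    sp.insert(idx, sso)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def sso_placement_ok(xml_text):
    """Pre-upload check: exactly one SingleSignOnService, bound to HTTP-POST,
    placed after the last KeyDescriptor and before the first SingleLogoutService."""
    sp = ET.fromstring(xml_text).find(_md("SPSSODescriptor"))
    if sp is None:
        return False
    children = list(sp)
    sso = [i for i, c in enumerate(children) if c.tag == _md("SingleSignOnService")]
    kd = [i for i, c in enumerate(children) if c.tag == _md("KeyDescriptor")]
    slo = [i for i, c in enumerate(children) if c.tag == _md("SingleLogoutService")]
    if len(sso) != 1 or not kd or not slo:
        return False
    if children[sso[0]].get("Binding") != HTTP_POST:
        return False
    return max(kd) < sso[0] < min(slo)


if __name__ == "__main__":
    edited = insert_sso_element(SAMPLE_METADATA)
    print(edited)
    print("placement ok:", sso_placement_ok(edited))
```

To apply it to the real download, read FederationMetadata.xml into a string, pass it through insert_sso_element, confirm sso_placement_ok returns True, and write the result back before uploading it to Azure. The function refuses to edit a file whose SPSSODescriptor does not look as expected, which is safer than pattern-matching on the raw text.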
- Go back to the Microsoft Azure Active Directory page, click Upload metadata file, and upload the file you just edited and saved.
- In the SAML Signing Certificate section, copy the value for App Federation Metadata Url.
- In the Partner Management window, on the Inbound Metadata tab, paste the value you copied above into the field for Option 1: Upload configuration from URL and click Save.
- Automatically fill the username in Azure Active Directory when performing an SP-initiated logon from Centrify PAS (to avoid having to type the username twice: once in Centrify PAS and once in Azure Active Directory). In the Partner Management window, on the Inbound Metadata tab, append /?login_hint=[username] to the value in the Identity Provider Login URL field and click Save.
- Navigate back to Azure. Under the SAML configuration for the Centrify application, add a new claim:
- Name: userprincipalname.
- Source Attribute: user.userprincipalname.
Then add a group claim. The group claim name must contain the word "group":
Lastly, save the configuration.
- Create a new Azure AD group and note its ObjectId:
Ensure you are a member of this new Azure AD group:
- Navigate back to the Centrify PAS tenant. Go to Partner Management and add the group mapping, using the ObjectId as the Group Attribute Value and a Group Name of your choice:
- In Centrify PAS, add the Group Name to the System Administrator role. Navigate to Access > Roles and choose System Administrator:
Click Members and add the group you just mapped:
- Save the configuration.