Setting up Security Assertion Markup Language (SAML)

To integrate Privileged Access Service and Microsoft Azure Active Directory, review and perform the following steps:

  1. Open a browser tab or window to Centrify PAS, navigate to Settings > Users > Partner Management and click Add.
  2. On the main Settings tab, enter values in the following fields:

  • Partner Name: Azure.
  • Federation Type: SAML 2.0.
  • Under Federation Domains, click Add, enter the domain for users and click Add again.

Note:   You are about to pivot to Microsoft Azure Active Directory. Do not close this window, as you will return to it to conclude the setup.

  3. Open another browser and log into Microsoft Azure Active Directory as an administrator to set up a new enterprise application that will federate with Centrify. Once you are in the main console, click the Azure Active Directory service in the left-hand menu.

  4. Click New application and make sure it is a Non-gallery application.

  5. Name the application and click Add.

  6. Select the SAML single sign-on method.

Note:   This is a good time to bring back the Centrify Partner Management page you still have open.

  7. In the Partner Management window, select the Outbound Metadata tab and choose Option 2: Download Service Provider Metadata. Save the file to Downloads or another location of your choice.

  8. Edit the FederationMetadata.xml file by inserting the following line between </KeyDescriptor> and <SingleLogoutService>:

     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/>

  9. Save the file.
  10. Go back to the Microsoft Azure Active Directory page, click Upload metadata file and upload the file you just edited and saved.
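Editing the downloaded metadata by hand is error-prone (a stray character makes the upload fail, and running the edit twice produces two SingleSignOnService elements). The script below is an added example, not Centrify's or Microsoft's code: it parses the SP metadata, inserts the element from step 8 immediately before the existing <SingleLogoutService> inside <SPSSODescriptor>, and is idempotent. It assumes the file has the layout the page describes (one SPSSODescriptor containing a KeyDescriptor followed by a SingleLogoutService); the embedded sample metadata, its entityID, URLs and certificate text are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Keep the default namespace and the ds: prefix on output so the edited file
# keeps the same shape as the one that was downloaded.
ET.register_namespace("", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample with the same element order as the page's
# FederationMetadata.xml; entityID, URLs and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://pas.example.invalid/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pas.example.invalid/saml/slo"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pas.example.invalid/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _md(tag):
    return f"{{{MD_NS}}}{tag}"


def insert_sso_element(metadata_xml, location=""):
    """Return the metadata with a SingleSignOnService element inserted before
    SingleLogoutService. Input that already contains one is returned unchanged."""
    root = ET.fromstring(metadata_xml)
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    if sp.find(_md("SingleSignOnService")) is not None:
        return metadata_xml  # already patched: do not add a duplicate
    children = list(sp)
    slo_index = next(
        (i for i, c in enumerate(children) if c.tag == _md("SingleLogoutService")), None
    )
    if slo_index is None:
        raise ValueError("metadata has no SingleLogoutService to anchor on")
    sso = ET.Element(_md("SingleSignOnService"), {"Binding": HTTP_POST, "Location": location})
    if slo_index > 0:
        sso.tail = children[slo_index - 1].tail  # reuse the indentation whitespace
    sp.insert(slo_index, sso)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def sp_child_order(metadata_xml):
    """Local names of the SPSSODescriptor children, in document order (for checking)."""
    sp = ET.fromstring(metadata_xml).find(_md("SPSSODescriptor"))
    return [c.tag.split("}", 1)[1] for c in sp]


def sso_binding(metadata_xml):
    """Binding attribute of the SingleSignOnService element, or None if absent."""
    sso = ET.fromstring(metadata_xml).find(f"{_md('SPSSODescriptor')}/{_md('SingleSignOnService')}")
    return None if sso is None else sso.get("Binding")


def patch_file(path, location=""):
    """Rewrite FederationMetadata.xml in place."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(insert_sso_element(original, location))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        patch_file(sys.argv[1])  # usage: python patch_metadata.py FederationMetadata.xml
    else:
        print(insert_sso_element(SAMPLE_METADATA))
```

Run it against the downloaded file before step 9; with no argument it prints the patched sample so you can see the resulting element order before touching the real file.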

  11. In the SAML Signing Certificate section, copy the value for App Federation Metadata Url.

  12. In the Partner Management window, on the Inbound Metadata tab, paste the value you copied above into the field for Option 1: Upload configuration from URL and click Save.

  13. To automatically fill the username in Azure Active Directory when performing an SP-initiated logon from Centrify PAS (so the user does not have to type the username twice, once in Centrify PAS and once in Azure Active Directory), go to the Inbound Metadata tab in the Partner Management window, append /?login_hint=[username] to the Identity Provider Login URL value and click Save.
  14. Navigate back to Azure, open the SAML configuration for the Centrify application and add a new claim:

  • Name: userprincipalname.
  • Source Attribute: user.userprincipalname.

Then add a group claim. The group claim name must contain the word "group".

Lastly, save the configuration.

  15. Create a new Azure AD group and note its ObjectId. Ensure you are a member of this new Azure AD group.

  16. Navigate back to the Centrify PAS tenant. Navigate to Partner Management and add the group mapping, using the ObjectId as the Group Attribute Value and a Group Name of your choice.

  17. In Centrify PAS, add the Group Name to the System Administrator role. Navigate to Access > Roles, choose System Administrator, click Members and add the group name you just created.

  18. Save the configuration.
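Steps 14 to 17 only work if the assertion Azure sends actually carries both claims and the group values line up with the mapping entered in Partner Management. The following added example (not Centrify's or Microsoft's code) shows the check a service provider performs at that point: it pulls the AttributeStatement out of an assertion, picks the group claim by the page's rule (the claim name contains "group"), and maps the group ObjectIds onto the configured Group Names, reporting any that are unmapped. The embedded assertion, its UPN, issuer and ObjectIds are constructed placeholders; the claim name "groups" is an assumption for the sample, and the code assumes the Response signature and audience have already been verified before attributes are trusted.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _saml(tag):
    return f"{{{SAML_NS}}}{tag}"


# Constructed sample assertion carrying the two claims the page configures:
# a userprincipalname claim and a group claim whose name contains "group".
# Issuer, UPN and group ObjectIds are placeholders, not real tenant values.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>https://idp.example.invalid/placeholder-tenant/</Issuer>
  <AttributeStatement>
    <Attribute Name="userprincipalname">
      <AttributeValue>alice@example.invalid</AttributeValue>
    </Attribute>
    <Attribute Name="groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Same sample with the group claim left out, to exercise the failure path
# (what you see when the claim name does not contain "group" or was not added).
NO_GROUP_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <Issuer>https://idp.example.invalid/placeholder-tenant/</Issuer>
  <AttributeStatement>
    <Attribute Name="userprincipalname">
      <AttributeValue>alice@example.invalid</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(_saml("Attribute")):
        values = [(v.text or "").strip() for v in attr.findall(_saml("AttributeValue"))]
        attrs[attr.get("Name")] = values
    return attrs


def find_group_attribute(attrs):
    """The page's rule: the group claim is the one whose name contains 'group'."""
    for name in attrs:
        if "group" in name.lower():
            return name
    return None


def resolve_roles(assertion_xml, group_mappings):
    """Map group ObjectIds in the assertion onto the Group Names configured in
    Partner Management (group_mappings = {ObjectId: Group Name}).

    Only call this after the Response signature, issuer and audience have been
    verified; attributes from an unverified assertion must not reach this step.
    """
    attrs = extract_attributes(assertion_xml)
    upn_values = attrs.get("userprincipalname", [])
    if len(upn_values) != 1:
        raise ValueError("expected exactly one userprincipalname claim value")
    group_claim = find_group_attribute(attrs)
    if group_claim is None:
        raise ValueError("no group claim in assertion: check the claim name contains 'group'")
    mapped, unmapped = [], []
    for object_id in attrs[group_claim]:
        if object_id in group_mappings:
            mapped.append(group_mappings[object_id])
        else:
            unmapped.append(object_id)  # group exists in Azure but has no PAS mapping
    return {
        "upn": upn_values[0],
        "group_claim": group_claim,
        "mapped_groups": mapped,
        "unmapped_group_ids": unmapped,
    }


if __name__ == "__main__":
    # Mapping as entered in step 16: the noted ObjectId and a Group Name of your choice.
    mapping = {"11111111-1111-1111-1111-111111111111": "PAS-Admins"}
    print(resolve_roles(SAMPLE_ASSERTION, mapping))
```

If the result's mapped_groups is empty for a user who should be a system administrator, the usual causes are the claim name lacking the word "group" (step 14), a mismatch between the ObjectId noted in step 15 and the Group Attribute Value entered in step 16, or the user not being a member of the group.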