The following are frequently asked questions and information about specific features that are not applicable to all organizations.

What identity connectors do I deploy?
For identity bridging, deploy both Idaptive and Centrify Connectors as appropriate for your identity store (LDAP/AD). These can run on the same machine, though you may use separate resources as redundancy and load dictate.

What other connectors do I deploy?
Whatever is necessary for your functional requirements. For instance, to use Application Gateway access through Idaptive, deploy Idaptive connectors as necessary. To enable remote RDP and/or SSH access to a vaulted server, deploy Centrify Connectors as necessary. Each connector should be registered to the tenant of its own brand (Idaptive connectors to the Idaptive tenant, Centrify Connectors to the Centrify tenant).

What brand experience should I expect at sign-in?
Idaptive. If you start from a bookmark to the Admin Portal, you first enter your username in a Centrify-branded experience and are then redirected to Idaptive for authentication. Once authentication is complete, you are returned to the Admin Portal.

Who has access to Privileged Access Service?
For launch into the Privileged Access Service portal from the application in the Idaptive portal, use Idaptive's application access policy and permissions to define which users can launch and log into the Privileged Access Service portal. You must still manage access to systems, and direct login to the Privileged Access Service portal, within the Admin Portal.

Where do I define roles and rights for Privileged Access Service operations?
In the Privileged Access Service Admin Portal.

Where do I define roles and rights for applications and provisioning?
In the Idaptive management portal.

A user's phone number changed; where do I update it?
As you normally would for AD/LDAP or Google users. For cloud users, update the properties in the Idaptive tenant; they sync to Privileged Access Service the next time the user signs in.

Where do I define the MFA policy for user sign-in?
In the Idaptive tenant. Define both a policy for sign-in to the Idaptive user portal and, if desired, step-up MFA on launch of Privileged Access Service. The Admin Portal can also define MFA for login, which applies in addition to any MFA policies required by Idaptive.
Where do I define the MFA policy for a vaulted password checkout?
In the Admin Portal.
Where do the Server Suite Agents and Centrify Clients get their MFA policy?
The Centrify policy.
Where do the Idaptive Windows and Mac Agents get their MFA policy?
The Idaptive policy.
Which mobile application do I need?
Either or both, depending on the desired functionality. The Centrify mobile app facilitates server and account access (break glass) and can be used as the mobile authenticator for Privileged Access Service. The Idaptive mobile application provides MDM functionality, application launch functionality, and the mobile authenticator for the Idaptive tenant.