The following are frequently asked questions and information about specific features that are not applicable to all organizations.
What identity connectors do I deploy?
For identity bridging, deploy both Idaptive and Centrify connectors as appropriate for your identity store (LDAP/AD). These can run on the same machine, though you may use separate machines as redundancy and load dictate.

What other connectors do I deploy?
Whatever your functional requirements call for. For instance, to use Application Gateway access through Idaptive, deploy Idaptive connectors as needed; to enable remote RDP and/or SSH access to a vaulted server, deploy Centrify connectors as needed. Each brand's connector should be registered to the tenant of that same brand.

What brand experience should I expect at sign-in?
Idaptive. If you start from a bookmark to the Centrify Privileged Access Services portal, you first enter your username in a Centrify-branded experience and are then redirected to Idaptive for authentication. Once authentication is complete, you are returned to the Centrify portal experience.

Who has access to Centrify Privileged Access Services?
For launching the Privileged Access Services portal from the application in the Idaptive portal, use Idaptive's application access policy and permissions to define the users who can launch and log in to the Centrify Privileged Access Services portal. You must still manage access to systems, and direct login to the portal, within the Privileged Access Services portal itself.

Where do I define roles and rights for Centrify Privileged Access Services operations?
In the Centrify Privileged Access Services portal.

Where do I define roles and rights for application and provisions?
In the Idaptive management portal.

A user's phone number changed, where do I update it?
As you normally would for AD/LDAP or Google users. For cloud users, update the properties in the Idaptive tenant; they sync to Centrify Privileged Access Services the next time the user signs in.

Where do I define the MFA policy for user sign in?
In the Idaptive tenant: define both a policy for sign-in to the Idaptive user portal and, if desired, step-up MFA on launch of Centrify Privileged Access Services. The Privileged Access Services portal can also define MFA for login, which would be in addition to any MFA policies required by Idaptive.
Where do I define the MFA policy for a vaulted password checkout?
In the Centrify tenant.
Where do the CSS and Centrify Cloud Agents get their MFA policy?
The Centrify policy.
Where do the Idaptive Windows and Mac Agents get their MFA policy?
The Idaptive policy.
Which mobile application do I need?
Either or both depending on the desired functionality. The Centrify mobile app will facilitate server and account access (break glass) and can be used as the mobile authenticator for Centrify Privileged Access Services. The Idaptive mobile application provides MDM functionality, application launch functionality, and mobile authenticator for the Idaptive tenant.