Integrating Centrify and Idaptive tenants

The Centrify and Idaptive tenant integration requires that both SAML federation and OAuth2 password grant are set up between the Idaptive and Centrify tenants.

  • SAML federation is required for Idaptive users to access the Centrify portal.
  • OAuth2 password grant is required for agent authentication and step-up authentication of Idaptive users in the Centrify portal and agents.

Setting up the Idaptive tenant

The Idaptive tenant is set up by performing two main tasks:

  • SAML Federation Setup

  • OAuth2 Setup

Setting up SAML Federation

To set up SAML federation, perform the following steps:

  1. Establish a business-to-business federation setup to the Centrify tenant (the federation tenant) by creating a business-to-business application. Refer to the steps in Custom SAML applications to do this.
  2. For the SAML response script, choose one of the following ways to map attributes:

    • attribute mapping or
    • custom mapping script

    Attribute mapping

    Enter a value for each of the following attributes:

    Attribute name       Attribute value
    -----------------    ----------------------
    UserPrincipalName    LoginUser.Username
    UUID                 LoginUser.Uuid
    DisplayName          LoginUser.DisplayName
    Email                LoginUser.Email
    MobileNumber         LoginUser.MobileNumber
    Group                LoginUser.RoleNames

    Custom mapping script

    Run the following custom mapping script:

    /* Centrify Federation */
    setAttribute("UserPrincipalName", LoginUser.Username);
    setAttribute("UUID", LoginUser.Uuid);
    setAttribute("DisplayName", LoginUser.DisplayName);
    setAttribute("Email", LoginUser.Email);
    setAttribute("MobileNumber", LoginUser.MobileNumber);
    setAttributeArray("Group", LoginUser.RoleNames);
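    As an added example (not the page's or Idaptive's own script), the same mapping expressed as a checked function: it refuses to emit an assertion when the fields the Centrify tenant maps on are empty, and it sends only allow-listed role names as Group, because that attribute is what the Centrify setting "Add mapped users to federated groups" consumes. setAttribute and setAttributeArray are assumed to be supplied by the Idaptive script host; the recorder stand-in, the allow-list and the sample LoginUser are constructed for the example.

```javascript
// Added example, not the Idaptive script from the page. setAttribute and
// setAttributeArray are assumed to be provided by the Idaptive SAML script
// host; the recorder below only captures calls so the file runs offline.

// Constructed allow-list: only these role names are forwarded as "Group".
// Every name emitted here can become a federated group on the Centrify side.
const FEDERATED_ROLE_ALLOW_LIST = ["Centrify Users", "Centrify Admins"];

// Fields chosen here as mandatory: Username is the by-name mapping attribute
// (UserPrincipalName) and Uuid identifies the user on the Centrify side.
const REQUIRED_FIELDS = ["Username", "Uuid"];

function buildFederationAttributes(loginUser, allowedRoles) {
  for (const field of REQUIRED_FIELDS) {
    if (!loginUser[field]) {
      throw new Error(`LoginUser.${field} is empty; no federation attributes built`);
    }
  }
  const roles = Array.isArray(loginUser.RoleNames) ? loginUser.RoleNames : [];
  return {
    scalars: {
      UserPrincipalName: loginUser.Username,
      UUID: loginUser.Uuid,
      DisplayName: loginUser.DisplayName,
      Email: loginUser.Email,
      MobileNumber: loginUser.MobileNumber,
    },
    // Drop roles that were never meant to cross into the Centrify tenant.
    arrays: { Group: roles.filter((r) => allowedRoles.includes(r)) },
  };
}

// Hands the computed attributes to the host API (real or stand-in).
function applyAttributes(attrs, setAttribute, setAttributeArray) {
  for (const [name, value] of Object.entries(attrs.scalars)) setAttribute(name, value);
  for (const [name, values] of Object.entries(attrs.arrays)) setAttributeArray(name, values);
}

// Constructed sample LoginUser, shaped like the object the page's script reads.
const SAMPLE_LOGIN_USER = {
  Username: "alice@example.com",
  Uuid: "00000000-0000-4000-8000-000000000001",
  DisplayName: "Alice Example",
  Email: "alice@example.com",
  MobileNumber: "",
  RoleNames: ["Centrify Users", "Billing Admins", "Everybody"],
};

// Stand-in host that records each call instead of building a SAML response.
const calls = [];
applyAttributes(buildFederationAttributes(SAMPLE_LOGIN_USER, FEDERATED_ROLE_ALLOW_LIST),
  (n, v) => calls.push([n, v]), (n, v) => calls.push([n, v.slice()]));
```

In the Idaptive script host, the last two lines would be replaced by a single call passing the host's own setAttribute and setAttributeArray.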

Setting up OAuth2

To set up OAuth2, perform the following steps:

  1. Set up Idaptive as an OAuth2 server by performing the steps in Custom OAuth2 Server.
  2. Under the Settings tab, ensure the following fields have the values listed:
     • Application ID: CentrifyFederation.
     • Name: Centrify Federation OAuth2 Server.
  3. Under the General Usage tab, ensure the following fields have the values listed:
     • Client ID Type: Confidential.
     • Enable Must be OAuth Client.
  4. Under the Tokens tab, ensure the following field has the value listed:
     • Auth Methods: Resource Owner.
  5. No scopes are needed.
  6. Create the associated confidential client (the Cloud user). Note the client name and secret (password) for the Centrify setup.

Setting up the Centrify tenant

The following steps show you how to set up the Idaptive tenant as a partner of the Centrify tenant.

  1. Set up a partner federation. Refer to the steps in How to set up business partner federation to do this.
  2. Under the Settings tab, ensure the following fields have the values listed:
     • Partner name: Idaptive.
     • Add the domains of the Idaptive users as Federated Domains.
  3. Under the Authentication tab, ensure the following fields have the values listed:
     • Use "Required" mapping of federated users.
     • UserPrincipalName mapping attribute.
     • By Name mapping.
     • Set OAuth2 URL to: https://<IdT id>.my.idaptive.app/Token/CentrifyFederation.
     • Set OAuth2 client name to the client name used in the Idaptive tenant OAuth2 setup.
     • Set OAuth2 client secret to the client secret (password) used in the Idaptive tenant OAuth2 setup.
     • Enable Update cloud users with Federated user attributes.
     • Enable Add mapped users to federated groups.
     • Enable Create cloud users when mapping not found.