Authenticating SAML

If you have Okta configured to use AD as the source directory whereby Privileged Access Service can see the same directory through the connector, choose from the following:

  • Set up groups in Okta, add AD groups as members, and set up group mapping in the SAML partnership.
  • Do not create groups in Okta; instead, configure Centrify PAS to look up the user in AD/LDAP and use the directory groups to grant permissions/rights within Centrify PAS. Choose one of the following lookup behaviors:
    • Force the lookup. If the user is not found in the directory, reject the login.
    • Attempt the lookup and use the directory groups if the user is found, but do not reject the login if the user is not found.
  • Add groups from Okta into roles to grant permissions/rights within Centrify PAS.
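
The following is an added illustration of how the three options above differ at login time, in particular the "user not found in AD/LDAP" edge case. It is not Centrify or Okta code; the group-to-role mapping, the directory contents and the mode names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (hypothetical, not from any real deployment).
# Okta group -> Centrify PAS role, as configured in the SAML partnership's group mapping.
GROUP_TO_ROLE: Dict[str, str] = {"Okta-PAS-Admins": "PAS Administrators"}
# Stand-in for the AD/LDAP directory seen through the connector: login name -> AD groups.
DIRECTORY: Dict[str, List[str]] = {"alice": ["Domain Users", "PAS Operators"]}


@dataclass
class LoginDecision:
    allowed: bool
    groups: List[str]   # groups/roles that grant rights within PAS after login
    reason: str


def resolve_login(username: str, saml_groups: List[str], lookup_mode: str) -> LoginDecision:
    """Model the three options described on this page.

    lookup_mode (hypothetical names):
      'okta'     - no directory lookup; rights come only from mapped Okta groups/roles
      'force'    - look the user up in AD/LDAP; reject the login if not found
      'optional' - look the user up; use AD groups if present, never reject for a miss
    """
    if lookup_mode not in ("okta", "force", "optional"):
        raise ValueError(f"unknown lookup_mode: {lookup_mode}")
    # Roles granted through the SAML group attribute, via the partnership's mapping.
    mapped = [GROUP_TO_ROLE[g] for g in saml_groups if g in GROUP_TO_ROLE]
    if lookup_mode == "okta":
        return LoginDecision(True, sorted(mapped), "Okta group mapping only")
    ad_groups: Optional[List[str]] = DIRECTORY.get(username)
    if ad_groups is None:
        if lookup_mode == "force":
            return LoginDecision(False, [], "user not found in AD/LDAP; forced lookup rejects login")
        return LoginDecision(True, sorted(mapped),
                             "user not found in AD/LDAP; continuing with Okta-mapped rights only")
    # User found: directory groups are used for rights, alongside any mapped roles.
    return LoginDecision(True, sorted(set(mapped) | set(ad_groups)), "AD/LDAP groups applied")
```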

Note: To customize the login session timeout value for user accounts federated from Okta to Centrify PAS, contact Centrify Support. This value is the duration for the user's login session. A suggested timeout value might be 4 hours, 8 hours, etc.