Setting up Security Assertion Markup Language (SAML)

Configuring Centrify Privileged Access Service SAML

To configure Centrify for SAML, perform the following steps:

  1. Open a browser tab or window to the Centrify PAS tenant, navigate to Settings > Users > Partner Management and click Add.
  2. On the main Settings tab, enter values in the following fields:

  • Partner Name: Okta.
  • Federation Type: SAML 2.0.
  • Under Federation Domains, click Add, enter the email domain of the users who will sign in through Okta and click Add again.

  3. Select the Inbound Metadata tab and enter a placeholder IdP value for now (the real Okta metadata is uploaded later); do not save.

  4. Select the Outbound Metadata tab and choose Option 2: Download Service Provider Metadata.

  5. Click Download Metadata and open the downloaded XML file in a text editor.

Note:   This file will be used below, when you configure Okta SAML.

  • Search for the XML tag EntityDescriptor and note the value of its entityID attribute.
  • Search for the XML tag AssertionConsumerService and note the value of its Location attribute.

Note:   Do not click Save. Leave this browser tab open and continue with the remaining configuration steps as detailed below.

Configuring Okta SAML

To configure Okta SAML, perform the following steps:

  1. Open a new browser tab or window and navigate to the Okta admin dashboard. Navigate to Directory > Groups.
  2. Add the groups that will be used to grant rights within Centrify PAS.
  3. Select the Applications tab, click Add Application and then click Create New App.

  • Choose Web as the platform, select SAML 2.0 as the sign-on method, and click Create.
  • Under General Settings, enter the App name Centrify Privileged Access Service.
  • Upload the Centrify logo and click Next.

  4. On the SAML settings page, go back to the Centrify PAS browser tab and copy the values you noted from the downloaded metadata file into the following fields:

  • Enter the Single sign on URL as the Centrify PAS tenant URL. For example, https://<tenantid>.my.centrify.net/home.

  • Check the box for "Use this for Recipient URL and Destination URL."

Note:   Do not check the box for "Allow this app to request other SSO URLs." Leaving it unchecked means Okta will post assertions only to the URL configured here.

  5. Using the entityID value from the downloaded XML file, enter the Audience URI. For example, CN=Centrify:Customer:<tenant_id>.
  6. Click Show Advanced Settings.
  • Change Honor Force Authentication to Yes, so that Okta re-authenticates the user whenever Centrify PAS requests it.
  • In the Attribute Statements section, enter the following name-value pair:
    • Name: UserPrincipalName
    • Value: user.email
  • In the Group Attribute Statements section, enter the following name-value pair:
    • Name: Group
    • Filter: Starts With, with the value Centrify (or the common prefix of the groups created in step 2). Only groups matching this filter are included in the assertion, so choose a prefix that does not send unrelated group memberships to Centrify PAS.
  7. Click Next. Select the desired options for the support questions. Click Finish.
  8. Select the Centrify application, then select the Sign On tab.
  9. Click the Edit button. Set the Application username format to Email.
  10. Click the Save button.
  11. Right-click the Identity Provider metadata link and save the XML file, which contains the Okta signing certificate.
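Both the Service Provider metadata downloaded from Centrify PAS earlier (entityID and AssertionConsumerService Location) and the Identity Provider metadata just saved from Okta (SingleSignOnService Location and signing certificate) have to be read for specific values. The script below is an added example, not Centrify or Okta code: it pulls the entityID, the endpoint Locations and the SHA-256 fingerprint of any signing certificate out of either file. The two metadata documents embedded in it are constructed stand-ins, and every tenant ID, hostname, Okta app ID and certificate in them is a placeholder.

```python
"""Pull the values this guide has you copy out of SAML metadata by hand.

Added example, not Centrify or Okta code. Works on both the Service Provider
metadata downloaded from Centrify PAS (entityID, AssertionConsumerService
Location) and the Identity Provider metadata saved from Okta (SingleSignOnService
Location, signing certificate). The metadata below is constructed; every
tenant ID, hostname and certificate in it is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_saml_metadata(xml_text):
    """Return role, entityID, endpoints and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    result = {"role": None, "entityID": root.get("entityID"),
              "endpoints": [], "signing_cert_sha256": []}

    descriptor = root.find("md:SPSSODescriptor", NS)
    if descriptor is not None:
        result["role"], endpoint_tag = "SP", "md:AssertionConsumerService"
    else:
        descriptor = root.find("md:IDPSSODescriptor", NS)
        if descriptor is None:
            raise ValueError("metadata has neither an SP nor an IdP role descriptor")
        result["role"], endpoint_tag = "IdP", "md:SingleSignOnService"

    for ep in descriptor.findall(endpoint_tag, NS):
        result["endpoints"].append({
            "binding": ep.get("Binding", "").rsplit(":", 1)[-1],  # e.g. HTTP-POST
            "location": ep.get("Location"),
            "default": ep.get("isDefault") == "true",
        })

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM line breaks
            digest = hashlib.sha256(der).hexdigest().upper()
            result["signing_cert_sha256"].append(
                ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return result


# Constructed stand-in for the file Centrify PAS downloads under Outbound Metadata.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="CN=Centrify:Customer:ABC1234">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenantid.my.centrify.net/home" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the Identity Provider metadata link on the Okta Sign On tab.
# The certificate body is a placeholder string, not a real X.509 certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MHBsYWNlaG9sZGVy
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/centrify/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/centrify/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, xml_text in (("Centrify", SAMPLE_SP_METADATA), ("Okta", SAMPLE_IDP_METADATA)):
        info = extract_saml_metadata(xml_text)
        print(label, info["role"], "entityID:", info["entityID"])
        for ep in info["endpoints"]:
            print("  ", ep["binding"], ep["location"], "(default)" if ep["default"] else "")
        for fp in info["signing_cert_sha256"]:
            print("   signing cert SHA-256:", fp)
```

Run it against the real downloaded files with extract_saml_metadata(open(path).read()). The certificate fingerprint is worth recording: Centrify validates the assertion signature against whatever certificate was in the metadata uploaded to it, so after Okta rotates the app's signing certificate the new metadata must be uploaded again or sign-ins will fail.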

  12. Click the Assignments tab.
  13. Assign the users and groups that should be able to access the Centrify PAS application.

  14. Make sure those users are also members of one of the Okta groups created in step 2; those group memberships, sent in the Group attribute, are what grant permissions within Centrify PAS.

Confirming Centrify SAML configuration

To confirm Centrify SAML configuration, perform the following steps:

  1. Return to the Centrify PAS browser tab, where you left off in Configuring Centrify Privileged Access Service SAML.
  2. Select the Inbound Metadata tab and click Option 2: Upload IDP Configuration from a file.
  3. Select the Okta Identity Provider metadata XML file (containing the Okta signing certificate) downloaded above and click Save.
  4. Select the Group Mappings tab.
  5. Map each Okta group name (as sent in the Group attribute statement) to the group name Centrify PAS should use for the IDP.
  6. Click Save.
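Once the group mappings are saved, a test sign-in is the real confirmation. The script below is an added example, not Centrify or Okta code, for checking the SAMLResponse captured from the browser during that sign-in (the base64 value of the SAMLResponse form field, as shown by a browser SAML tracer): it reports whether Destination, Recipient, Audience and Issuer match the values entered in Okta and taken from the Centrify metadata, and whether the UserPrincipalName and Group attributes arrived. It does not verify the XML signature; Centrify PAS does that against the uploaded Okta certificate. The embedded response and the expected values are constructed placeholders.

```python
"""Check a SAMLResponse captured from a test sign-in against the configured values.

Added example, not Centrify or Okta code. Feed it the base64 SAMLResponse form
field from a browser SAML tracer; it reports mismatches in Destination, Recipient,
Audience and Issuer and whether UserPrincipalName and Group attributes arrived.
It does NOT verify the XML signature (Centrify does that with the uploaded Okta
certificate). The response and expected values below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_saml_response(saml_response_b64, expected):
    """Return {'problems': [...], 'upn': str or None, 'groups': [...]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    problems = []

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination %r != %r" % (root.get("Destination"), expected["acs_url"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted or missing)")
        return {"problems": problems, "upn": None, "groups": []}

    # Presence only: cryptographic validation belongs to the SP (Centrify PAS).
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no ds:Signature on Response or Assertion")

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        problems.append("Issuer %r != Okta entityID %r" % (issuer, expected["idp_entity_id"]))
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["sp_entity_id"]:
        problems.append("Audience %r != Centrify entityID %r" % (audience, expected["sp_entity_id"]))
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        problems.append("Recipient %r != %r" % (recipient, expected["acs_url"]))

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    upn = attrs.get("UserPrincipalName", [None])[0]
    if upn is None:
        problems.append("UserPrincipalName attribute missing")
    groups = attrs.get("Group", [])
    if not groups:
        problems.append("Group attribute missing or empty (check the Okta group filter)")
    return {"problems": problems, "upn": upn, "groups": groups}


# Placeholders for the values entered during setup.
EXPECTED = {
    "sp_entity_id": "CN=Centrify:Customer:ABC1234",        # Audience URI / Centrify entityID
    "acs_url": "https://tenantid.my.centrify.net/home",   # Single sign on URL entered in Okta
    "idp_entity_id": "http://www.okta.com/exkPLACEHOLDER",  # entityID from Okta metadata
}

# Constructed response shaped like what Okta posts; the Signature element is a stub.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="id1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://tenantid.my.centrify.net/home">
  <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://tenantid.my.centrify.net/home"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>CN=Centrify:Customer:ABC1234</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserPrincipalName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Group"><saml:AttributeValue>Centrify Admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    report = check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED)
    print("UPN:", report["upn"], "Groups:", report["groups"])
    print("Problems:", report["problems"] or "none")
```

If the Group list comes back empty for a user who is in one of the Okta groups, the Starts With filter in the Group Attribute Statement does not match the group name; if Audience or Recipient is flagged, the Audience URI or Single sign on URL entered in Okta does not match the Centrify metadata and Centrify will reject the assertion.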