[How To] Configure B2B Federation from Azure AD to Centrify Privilege Service


By Centrify Contributor II 2 weeks ago - last edited 2 weeks ago

In Part I of this blog, I described why customers want to use federation to authenticate to the Centrify Privilege Service. The business benefit is that authentication stays under the control of your enterprise single sign-on provider while authorization is controlled on the Centrify platform. Customers can also implement attribute-based authorization: a “Group” attribute passed in the SAML token is mapped automatically to a Centrify Role, so the authorization rules attached to that role are enforced. That concept can wait for a later post; in this blog I want to show you how simple it is to set up basic B2B Federation from Microsoft Azure AD to Centrify, so that users authenticate in Azure and then federate over to Centrify to manage their resources.

 

Let's get started.

 

Step 1: Log in to your Centrify tenant, open the administration console, go to the Centrify partner management settings, and add a new partner by pressing the “Add” button as shown below.

partner_mgmt.png

 

Step 2: The Partner Management Window will have several fields and sections you need to complete. Keep this window (below) open for now because we’re going to come back to it.

 partner management.png


Step 3: Open another browser window and log in to the Microsoft Azure portal as an administrator to set up a new enterprise application that will federate with Centrify. Once you are in the main console, click on the Azure Active Directory service in the left-hand menu.

 

azure_overview.png

 

Step 4: Now click on “New Application” as shown below.

 

enterprise_apphome.png

 

 

Step 5: Select a Non-Gallery Application

add_an_app.png

 

Step 6: Give the application a name and press the Add button.

Add_App.png

 

Step 7: Now in the new Application’s menu, click on Single sign-on to configure SAML Single sign on.

app_overview.png


Step 8: Select SAML as the single sign-on method.

 

enterprise_app_saml.png


Step 9: Now you can configure the application. For this part, it helps to have the Centrify partner management window (from Step 2) open at the same time as the Microsoft Azure application configuration window. Give the partnership a name in Centrify Partner Management. Then add the Azure federated domain, so that Centrify knows to send users who log in with that domain to Azure to authenticate.

addfederationdomain.png


Step 10: Skip the group mapping in the Centrify Partner Management screen and click on inbound metadata. Load the Azure IdP configuration from URL: copy the federation metadata URL shown in the Azure SAML configuration and paste it into the Centrify Partner Management screen. Click Save when done. This metadata carries the Azure AD issuer, sign-on endpoint and signing certificate that Centrify will use to validate assertions, so it has to be reloaded whenever you roll the signing certificate on the Azure side.

uploadIDPmetadata.png


Step 11: Next, go to the outbound metadata section in Centrify Partner Management and download the metadata file. Then upload that metadata file into the Microsoft Azure application configuration using the upload link shown below; it populates the Identifier (Entity ID) and Reply URL of the Centrify Service Provider in the Azure SAML configuration.

sp_metadata.png


Step 12: On the Microsoft Azure administration page for your new application, you need to ensure that the application passes a userprincipalname attribute to the Centrify Service Provider; without it the federated login is not accepted. Create a new SAML token attribute called userprincipalname by clicking on “Add attribute” as shown below.

add attribute.png

 

 

Ensure the Name is exactly “userprincipalname”, the Value is exactly “user.userprincipalname”, and leave the Namespace blank. Azure AD prefixes a non-blank namespace to the claim name, and the claim must arrive with exactly the bare name for Centrify to match it.

 

add attribute details.png


Step 13: Once you save this attribute it will look like the screenshot below. Now the application should be configured and ready for testing. The attribute we just set up passes the UPN of the Azure AD user to the Centrify Service Provider. Centrify creates a record for this user on first federated login and places it in the Federated Users group. From there, Centrify Privilege Service administrators control the authorization this account has within the Centrify platform by assigning it to specific roles. Because the account is created automatically, restrict who can reach it on the Azure side by assigning only the intended users or groups to the enterprise application.

SAML token attributes.png


That’s it. If everything is working properly, the user login flow is the same as what was shown in the first part of this blog. Remember to use Fiddler or a SAML tracer to confirm that the response actually carries the userprincipalname attribute to Centrify.
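To make that check repeatable, here is an added example in Python; it is not part of the original post and not Centrify's or Microsoft's code. It decodes a SAMLResponse value copied out of Fiddler or a SAML tracer, whether it came over the HTTP-POST binding (plain base64, which is what Azure AD uses for responses) or the HTTP-Redirect binding (DEFLATE then base64), and reports whether an attribute named exactly userprincipalname is present with a single UPN-shaped value. The sample response is constructed inline; the tenant host example.my.centrify.com, the audience URL and the all-zero tenant GUID are placeholders, not real values.

```python
"""Inspect a captured SAMLResponse and confirm the userprincipalname attribute
Centrify expects is present. Sample data below is constructed, not a real capture."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UPN_ATTR = "userprincipalname"  # name from the post, Namespace field left blank

# Constructed sample. Tenant host, URLs and GUID are placeholders, not real values.
SAMPLE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-01-01T00:00:00Z" Destination="https://example.my.centrify.com/saml/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.my.centrify.com/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(attr_name: str = UPN_ATTR) -> str:
    """Constructed response; attr_name lets us simulate a namespaced claim."""
    return SAMPLE_TEMPLATE.format(attr_name=attr_name)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding (used by Azure AD for responses): plain base64."""
    return base64.b64encode(xml.encode()).decode()


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_saml_response(encoded: str) -> bytes:
    """Accept either binding as copied out of Fiddler or a SAML tracer."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):  # POST binding: already XML
        return raw
    return zlib.decompress(raw, -15)   # Redirect binding: inflate first


def check_upn_claim(encoded: str) -> dict:
    """Return the attributes seen and any problem with the userprincipalname claim."""
    # stdlib ElementTree does not resolve external entities, but prefer defusedxml
    # if you ever feed this responses you did not capture yourself.
    root = ET.fromstring(decode_saml_response(encoded))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    audience = root.findtext(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)

    problems = []
    values = attrs.get(UPN_ATTR, [])
    if not values:
        problems.append("no attribute named exactly %r" % UPN_ATTR)
        # Azure AD prepends a non-blank Namespace to the claim name, so the same
        # claim shows up as ".../claims/userprincipalname" instead of the bare name.
        namespaced = [n for n in attrs if n.endswith("/" + UPN_ATTR)]
        if namespaced:
            problems.append("found %r; clear the Namespace field on the Azure claim" % namespaced[0])
    elif len(values) != 1 or "@" not in values[0]:
        problems.append("unexpected value(s) for %r: %r" % (UPN_ATTR, values))

    return {
        "ok": not problems,
        "upn": values[0] if len(values) == 1 else None,
        "audience": audience,  # should be the Entity ID from Centrify's outbound metadata
        "attributes": sorted(attrs),
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_upn_claim(encode_post_binding(build_sample_response())))
    print(check_upn_claim(encode_post_binding(build_sample_response(
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userprincipalname"))))
```

If the claim was saved with a namespace, the check reports the namespaced name it actually found and points back to the Namespace field. Paste your own captured SAMLResponse in place of the sample to run the same check against a live login, and compare the reported audience with the Entity ID in the outbound metadata you downloaded in Step 11.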

 

Once the user has federated to the Centrify portal, they will be able to manage the administrative components of the Centrify Privilege Service or the Centrify Endpoint Management service by switching to the admin portal, or use web single sign-on like a regular end user.

 

If the federation is successful the user will land on the Centrify Apps homepage below.

centrify homepage.png

 

An administrator can “Switch to the Admin Portal” from the dropdown on their username.

switch to admin portal.png

 

Depending on the Centrify Role the user is placed in, they will see the appropriate access to vaulted Systems, Secrets, and Accounts in the Centrify Privilege Service.

login_worked.png


The key takeaway is that the user is authenticated in Microsoft Azure, so the organization does not need to manage another credential in order to provide granular access to the Centrify Privilege Service.

 

I hope you found this blog useful. If you need to review the first part of this blog it is located here.
