If you are using Identity Service for single sign-on to SaaS applications, you use Cloud Manager to add SaaS and/or mobile applications and assign them to one or more roles. The users in those roles can then open the applications from the User portal and mobile devices.
Identity Service provides comprehensive, application-specific help for adding a wide variety of SaaS applications (see Centrify Application Configuration Help). If you are adding an application that uses SAML, see Creating a Custom SAML Application Profile for details.
Steps to Add an Application
1. Click the Apps tab
2. Click Add App
3. Type the name of the app that you want to add into the search box
4. Click the desired app (a check will appear)
5. Click Add App
6. Click User Access and select the Role(s) that you want to make the app available for
7. Click Application Help for specifics on configuring that app.
8. Click Save.
The Users page in Cloud Manager lists all of the user accounts in the Centrify Identity Platform. This includes all of the users you create in the Centrify user service and, if you are using Active Directory/LDAP for user authentication, the Active Directory/LDAP users who have logged in to the Centrify User Portal or enrolled devices.
The two account sources are:
1. Active Directory/LDAP: These users are authenticated using their Active Directory/LDAP accounts. The account's Active Directory/LDAP domain is shown in parentheses. Any user with an Active Directory/LDAP account can log in to the Centrify user portal. Users need to log in using their full AD username or email address and password. However, to enroll a device, the user must be a member of a role whose Device Enrollment settings have the Permit Device Enrollment Policy set to Yes.
2. Cloud: Users with a Centrify user service account. You must create cloud accounts explicitly before these users can log in to the user portal or enroll a device. You can add cloud accounts individually or in bulk from a CSV file or Excel spreadsheet. Cloud-based users must be members of the "Everybody" role.
To perform device management, your role must have the Identity Platform Device Management administrative rights to view and manage devices. You use Cloud Manager to manage devices enrolled in the Centrify Identity Platform.
The Devices page in Cloud Manager lists the enrolled devices and provides details about each device's configuration, installed applications, and activity.
When you use the Centrify Identity Platform for mobile device management, it also performs the following actions:
- On Android devices, the mobile applications are added to the Apps screen in the Centrify application (see Installing Mobile Applications on Android Devices)
- On iOS devices, the user is prompted to install the mobile applications set for Automatic Install (see Installing Mobile Applications on iOS Devices)
Note: You can also install mobile device policies and mobile applications on enrolled devices. See Managing Device Configuration Policies and Adding and Deploying Mobile Applications Using Cloud Manager for the details.
See Supported Devices for the list of mobile devices that can be enrolled in the Identity Platform and their operating system requirements.
Enabling Users to Enroll Devices:
1. Open Cloud Manager, click Roles
2. Either create a new Role or select an existing role
3. Click Members and then Add
4. On the Add Members window:
- Enter the first few letters of the user, role, or Active Directory/LDAP account/group you want to add and click the search icon
- Select the relevant user, role, or Active Directory/LDAP account/group and click Add
5. Click Save to save the changes
6. Click Policies and either click Add Policy Set or select an existing policy
7. Expand Mobile Device Policies, and click Device Enrollment Settings
8. Select Yes for Permit Device Enrollment Policy
9. Configure the remainder of the policies
- See Device Enrollment Settings - Enabling Users to Enroll Devices for details
10. Click Save
11. Click Policy Settings
12. Click Apply Policy to Specified Roles and select the role you created or selected in Step 2
13. Click Save
The Centrify Identity Platform lets you accept an Integrated Windows Authentication (IWA) connection as sufficient authentication for users with Active Directory accounts when they log in to the Centrify Admin Portal or the Centrify User Portal.
Note: Integrated Windows Authentication is not available for Centrify Directory users, only Active Directory users.
For Integrated Windows Authentication to work:
1. Install a Centrify Connector inside your network.
Make sure you select the link "Download your IWA root CA certificate" and not the Download button above the link.
3. Install the IWA root CA certificate on the endpoint as a Trusted Root Certificate Authority. You can
4. Log into the Centrify portal with your custom login URL or default tenant URL:
- Centrify Admin Portal: (Ex. https://yourcompany.my.centrify.com/manage or https://AAA1234.my.centrify.com/manage)
- Centrify User Portal: (Ex. https://yourcompany.my.centrify.com/ or https://AAA1234.my.centrify.com)
Replace "yourcompany" with your custom name or default tenant ID.
Verify if the IWA root certificate is installed on the endpoint
1. Open a web browser on the endpoint machine
2. Navigate to the following address: https://<YourConnectorHostname>:<TheHttpsPortConfigured>/iwa/ping
Note: Replace <YourConnectorHostname> and <TheHttpsPortConfigured> with the Connector's host name and the HTTPS port configured for the IWA service. For example: https://2008WindowsServer:8443/iwa/ping
3. Confirm that the browser shows the certificate as trusted (green indicator) rather than a red certificate-error box.
4. Make sure you deployed the IWA root CA certificate and not the Connector Host Certificate.
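The browser check above can be scripted for many endpoints or connectors. The following is an added example (not Centrify code) that connects to the /iwa/ping URL with a TLS context that trusts only the IWA root CA file you deployed, and maps the usual failures back to the checks in this section. The URL shape and the 2008WindowsServer:8443 example come from the guide; the CA file path iwa-root-ca.pem is a placeholder.

```python
"""Check an IWA ping endpoint the way a freshly configured endpoint does:
connect over TLS and require that the server certificate chains to the
IWA root CA. Added example, not Centrify code."""
import socket
import ssl
import sys
from urllib.parse import urlparse


def parse_ping_url(url):
    """Split https://<host>:<port>/iwa/ping into (host, port).
    The port defaults to 443 when the URL omits it."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("IWA ping must use https, got %r" % parts.scheme)
    if parts.path.rstrip("/") != "/iwa/ping":
        raise ValueError("path must be /iwa/ping, got %r" % parts.path)
    if not parts.hostname:
        raise ValueError("missing connector hostname")
    return parts.hostname, parts.port or 443


def diagnose_tls_error(message):
    """Map an ssl/socket error text to the check the guide recommends."""
    msg = message.upper()
    if "HOSTNAME MISMATCH" in msg:
        return "certificate name does not match the connector hostname in the URL"
    if "CERTIFICATE_VERIFY_FAILED" in msg or "UNABLE TO GET LOCAL ISSUER" in msg:
        return ("server certificate does not chain to the trusted CA: confirm the "
                "IWA root CA (not the Connector Host Certificate) was deployed")
    if "REFUSED" in msg or "TIMED OUT" in msg:
        return ("nothing answered on the IWA port: check Enable Web Server on the "
                "connector's IWA Service tab and for another web server on the host")
    return "unclassified TLS error: " + message


def check_iwa_endpoint(url, iwa_root_ca_pem, timeout=5.0):
    """Connect with a context that trusts ONLY the IWA root CA (no system
    store), so the result reflects the deployed certificate alone."""
    host, port = parse_ping_url(url)
    # create_default_context(cafile=...) loads that file instead of the
    # system CAs, which is exactly the trust an endpoint with only the IWA
    # root CA installed would have.
    ctx = ssl.create_default_context(cafile=iwa_root_ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True, "host": host, "port": port,
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                }
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "host": host, "port": port,
                "reason": diagnose_tls_error(str(exc))}


if __name__ == "__main__":
    # Usage: python iwa_check.py https://2008WindowsServer:8443/iwa/ping iwa-root-ca.pem
    url = sys.argv[1] if len(sys.argv) > 1 else "https://2008WindowsServer:8443/iwa/ping"
    ca = sys.argv[2] if len(sys.argv) > 2 else "iwa-root-ca.pem"  # placeholder path
    print(check_iwa_endpoint(url, ca))
```

A result with ok set to False and the "does not chain" reason is the scripted equivalent of the red error box: the endpoint received the Connector Host Certificate, or no CA at all, instead of the IWA root CA.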
Verify policies are enabled to allow IWA
IWA is enabled by default, but check to make sure the setting has not been disabled.
1. In the Admin Portal, go to Core Services > Policies and select the policy set.
2. Under Policy Settings, expand User Security Policies, and select Login Authentication.
3. In the right pane scroll down to Other Settings
4. Make sure Allow IWA connections (bypasses login authentication rules and default profile) and Set Identity Cookie for IWA connections are both enabled. If you do not set this option, the cookie is not written in the browser after a successful IWA-based login.
5. Click Save
Verify the IWA service is enabled in your Centrify Connector Configuration
The IWA service is enabled by default, but check to make sure the setting has not been disabled.
1. In the Admin Portal, go to Settings > Network > Centrify Connectors.
2. Double-click on your Connector and go to IWA Service and make sure Enable Web Server is checked.
Make sure the browser is configured to allow IWA
Make sure there are no web servers on the Centrify Connector system
Even if there is no port conflict and the web server is using a different port than the connector, the certificate validation can fail.
For customers who want to integrate the Centrify Cloud with their on-premises Active Directory or LDAP directory for user authentication or to connect to their on-premises applications like SAP NetWeaver / SharePoint / etc. without the need for VPN, a Centrify supplied software program called the Centrify Cloud Connector needs to be installed inside their environment. The Centrify Cloud Connector is a simple Windows service that runs behind a customer’s firewall to provide real-time authentication, policy and access to user profiles without synchronizing data to the cloud.
The Cloud Connector seamlessly integrates with Active Directory or LDAP without opening extra ports in an organization’s firewall, or adding devices in their DMZ and acts as a gateway for access to on-premise applications without the need for VPN.
The Cloud Connector delivers the following security capabilities:
- For each tenant, a unique PKI Certificate is issued from the Centrify Cloud to the Cloud Connector during registration.
- All communications between the Centrify Cloud and the Centrify Cloud Connector are encrypted and mutually authenticated for each tenant using these unique certificates.
None of the traffic between the Centrify Cloud and the Cloud Connector can be read by the Azure infrastructure.
Installing the Centrify Cloud Connector
The Centrify Cloud Connector can be downloaded directly from the tenant. To integrate Active Directory into the Centrify Cloud, the Cloud Connector must be installed on a Domain joined Windows system. To integrate a LDAP directory into the Centrify Cloud Service, the Cloud Connector must be installed on a Windows system that is able to communicate with the LDAP directory.
Initial configuration of the Cloud Connector follows installation with the Cloud Connector Configuration Wizard, which launches automatically. For both, Active Directory and LDAP directories, the initial installation and configuration is the same. Please note, the additional configuration needed for LDAP directories is covered in the next section.
Steps to Installing Centrify Cloud Connector:
1. Log on to the Centrify Cloud Manager at http://cloud.centrify.com/manage
2. Click on Settings
3. Click on Cloud Connectors
4. Click on Add Cloud Connector
5. Click on Download 64 bit to download the Cloud Connector application installer to your local hard drive
For integrating Active Directory with the Centrify Cloud Service, the Cloud Connector must be installed on a Domain joined Windows system.
For integrating LDAP directory with the Centrify Cloud Service, the Cloud Connector must be installed on a Windows system that can communicate with the LDAP directory.
6. Using Windows Explorer, locate the file downloaded and extract the content onto the System where you want to install the Cloud Connector
7. Double click the Cloud-Mgmt-Suite-xx.x-win64.exe installer
8. Click on Next
9. Check the "I accept the terms in the license agreement" box and click on Next
10. Follow the wizard instructions and click on Install
11. Once the installer finishes, the Cloud Connector configuration dialog will open automatically
12. To start the configuration, click on Next
13. Enter your tenant administrative username and password
Your role must have the Register Cloud Connectors administrative right to download the Centrify Cloud Management Suite package and register the Cloud Connector
14. Optionally you can configure a web proxy for connection to the Centrify Cloud Service
15. Click on Next
16. The Cloud Connector will validate the configuration and test connection to the Centrify Cloud Service. Upon successful completion of the tests, the Cloud Connector will connect to the Cloud Service and start the Cloud Connector services
17. Click on Finish
18. Within the Centrify Admin Portal go to Settings > Cloud Connectors to confirm successful connection to your Cloud Connector
19. This is all the configuration needed to enable users to authenticate using their domain credentials against on-premise Active Directory
Enabling LDAP Directory Authentication
1. Within the Centrify Admin Console, go to Settings > Directory Services
2. Click on Add LDAP Directory
3. Fill out all the fields in the Add LDAP dialog and click on Test Connection
For example, for an LDAP directory for the company centrifydemo.us with an admin user in a Users container under the root, the configuration would be:
- Base DN: DC=centrifydemo,DC=us
- Bind DN: CN=admin,CN=Users,DC=centrifydemo,DC=us
This is just an example; the container part of the DN depends on the LDAP server's schema configuration.
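The DNs above are built from two inputs, the DNS domain and the container path to the bind account. The following is an added example (not Centrify code) that assembles a Base DN and Bind DN from those inputs with RFC 4514 escaping, and parses a DN back into its components so a typed value can be checked before it goes into the Add LDAP dialog. Escaping matters because a comma or plus sign in an account or container name would otherwise be read as a new RDN and change which object the bind targets. The centrifydemo.us values mirror the guide's example; the service-account and OU names are constructed.

```python
"""Build and check LDAP Base DN / Bind DN values with RFC 4514 escaping.
Added example, not Centrify code."""

# Characters that must be backslash-escaped anywhere in an RDN value.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would start hex form
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_domain(domain):
    """centrifydemo.us -> DC=centrifydemo,DC=us"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def bind_dn(domain, account_cn, containers=(("CN", "Users"),)):
    """Bind DN for account_cn under the given containers beneath the root.
    containers is a root-first sequence of (attribute, value) pairs; the
    guide's example is CN=Users, other schemas use OU containers."""
    rdns = ["CN=" + escape_rdn_value(account_cn)]
    for attr, value in reversed(containers):
        rdns.append("%s=%s" % (attr, escape_rdn_value(value)))
    return ",".join(rdns) + "," + base_dn_from_domain(domain)


def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash escapes and
    tolerating spaces after commas. Values keep their escapes. Raises
    ValueError for an RDN that is not attr=value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: copy both, no split
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        out.append((attr.strip().upper(), value))
    return out


if __name__ == "__main__":
    print("Base DN:", base_dn_from_domain("centrifydemo.us"))
    print("Bind DN:", bind_dn("centrifydemo.us", "admin"))
    # Constructed name with a comma: escaped so it stays a single RDN.
    print("Bind DN:", bind_dn("centrifydemo.us", "svc,ldap", (("OU", "Service Accounts"),)))
    print(split_dn("CN=admin,CN=Users, DC=centrifydemo,DC=us"))
```

Running split_dn on what the dialog will receive is a cheap way to catch a stray comma or a missing "=" before Test Connection reports an opaque bind failure.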
4. Under Roles you can now select from which User Directory to add users to a Role for authentication and authorization. Go to Roles > double click on an existing Role (or add a new Role) > Members > Add Members
The first step in setting up Centrify Identity Service is to register and access your cloud tenant. The steps below will give you the instructions on how to proceed with this. If you have already registered your Cloud Tenant, you may skip this section.
1. Register here for your Cloud tenant
2. An email will be sent to the registered email address with a link to activate your Centrify.com account
3. After account activation is complete, the cloud tenant Customer ID and login credentials will be sent via a secondary email along with next steps
4. Login to the Centrify Cloud Manager portal at https://cloud.centrify.com/manage using the administrator account provided via the second email – you will be prompted to change your password during your first login
Hello and Welcome to Centrify Identity Service Technical Implementation Guide!
Centrify Identity Service offers an easy-to-deploy, cloud-based service that enables centralized and secure mobile device management using existing directory service infrastructure. It provides single sign-on to cloud, on-premise and mobile apps, as well as multi-factor authentication. Centrify uses cloud policy, or familiar Active Directory Group Policy, to manage devices and enforce app policies over a secure cloud connection. Centrify Identity Service enables single sign-on to cloud, mobile and custom apps, while enabling device-aware policy to meet IT security needs.
This guide will take you through the basic steps to set-up Centrify's Admin portal. If you have completed any of these steps, please skip that section and move on to the next step.
Click here to access our Centrify Identity Service Getting Started Guide. This is a companion document which should be used in conjunction with the Technical Implementation Guide.