In Part I of this blog, I described why customers want to use federation to authenticate to the Centrify Privilege Service. The business benefit is that you can control authentication within your enterprise single sign-on provider and then control authorization on the Centrify platform. Customers can also implement attribute-based authorization where they can pass a “Group” attribute in the SAML token to Centrify, and Centrify will automatically map it to a Centrify Role, thereby enforcing the authorization rules that are subject to that role. We can cover that concept at a later time but in this blog, I want to show you how simple it is to set up basic B2B Federation from Microsoft Azure to Centrify so that users can authenticate in Azure and then federate over to Centrify to manage their resources.
Let's get started.
Step 1: Log in to your Centrify tenant, go to the administration console, and then go to the Centrify partner management settings and add a new partner by pressing the “Add” button as shown below.
Step 2: The Partner Management Window will have several fields and sections you need to complete. Keep this window (below) open for now because we’re going to come back to it.
Step 3: Open another browser and log in to Microsoft Azure as an administrator to set up a new enterprise application that will federate with Centrify. Once you are in the main console, click on the Azure Active Directory service in the left-hand menu.
Step 4: Now click on “New Application” as shown below.
Step 5: Select a Non-Gallery Application.
Step 6: Give the application a name and press the Add button.
Step 7: Now, in the new application’s menu, click on Single sign-on to configure SAML single sign-on.
Step 8: Select SAML as the single sign-on method.
Step 9: Now you can configure the application. For this part, it helps to have the Centrify partner management window (from Step 2) open at the same time as the MSFT Application configuration window. Give the partnership a name in Centrify Partner Management. Then add the Azure federated domain so Centrify knows to send you to Azure to authenticate.
Step 10: Skip the group mapping in the Centrify Partner Management screen and click on inbound metadata. Provide the Azure IdP configuration from URL by copying the metadata URL from Azure and pasting it into the Centrify Partner Management screen. Click Save when done.
Step 11: Next, go to the outbound metadata section in Centrify Partner Management and download the metadata file. Then upload that metadata file into the Microsoft Azure application configuration using the link below.
Step 12: On the Microsoft Azure administration page for your new application, you need to ensure that the application passes a userprincipalname attribute to the Centrify Service Provider so that the federated login is accepted. Create a new SAML token attribute called userprincipalname by clicking on “Add attribute” as shown below.
Ensure the Name is exactly “userprincipalname”, the Value is exactly “user.userprincipalname” and leave the namespace blank.
Step 13: Once you save this attribute it will look like the below. Now the application should be configured and ready for testing. The attribute we just set up will pass the UPN of the Microsoft Azure AD user to the Centrify Service Provider. Centrify will create a record of this user and place him/her in the Federated Users group. From here, the Centrify Privilege Service administrators can control the authorization that this account will have within the Centrify platform by moving it to specific roles.
That’s it. If everything is working properly, the user login flow will be the same as what was shown in the first part of this blog. Remember to use Fiddler or a SAML tracer to ensure you are passing the userprincipalname attribute to Centrify.
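If you want to go one step beyond eyeballing the tracer output, here is an added example (not code from the original post or from Centrify) that inspects a decoded SAML response and reports whether it carries the exact userprincipalname attribute from Step 12, plus whether the issuer and audience are the ones you expect. The sample assertion is constructed, and the tenant ID and Centrify SP entity ID in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(xml_text, expected_issuer, expected_audience):
    """Inspect a decoded SAML Response/Assertion and return {upn, problems}."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return {"upn": None, "problems": ["no Assertion element found"]}
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append("assertion is not addressed to the Centrify SP entity ID")
    # Attributes keyed by Name; Centrify matches on the exact name "userprincipalname".
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text.strip() for v in
                                      attr.findall("saml:AttributeValue", NS) if v.text]
    upn = (attrs.get("userprincipalname") or [None])[0]
    if upn is None:
        # Typical misconfiguration: the claim went out under a different case or a URI.
        near = [n for n in attrs if n.lower().endswith("userprincipalname")]
        problems.append("userprincipalname attribute missing"
                        + (f" (found {near[0]!r} instead)" if near else ""))
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", upn):
        problems.append(f"userprincipalname value {upn!r} is not UPN-shaped")
    return {"upn": upn, "problems": problems}

# Constructed sample (not a real capture); issuer and audience are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://centrify-tenant.example/saml</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="userprincipalname">
  <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
                          "https://centrify-tenant.example/saml"))
```

Paste the base64-decoded SAMLResponse from your tracer in place of SAMPLE; an empty problems list means the assertion has the shape Centrify expects from this setup.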
Once the user has federated to the Centrify portal, he will be able to manage the administrative components of the Centrify Privilege Service or the Centrify Endpoint Management service by switching to the admin portal, or use web single sign-on like a regular end user.
If the federation is successful the user will land on the Centrify Apps homepage below.
An Administrator can “Switch to the Admin Portal” by clicking the dropdown on his username.
Depending on the Centrify Role the user is placed in, he will see the appropriate access to vaulted Systems, Secrets, and Accounts in the Centrify Privilege Service.
The key takeaway here is that the user is being authenticated in Microsoft Azure, so the organization does not need to manage another credential to provide granular access to the Centrify Privilege Service.
I hope you found this blog useful. If you need to review the first part of this blog it is located here.