Tenant Migration & Split FAQ for joint customers of Centrify and Idaptive
This article describes the overall process of splitting Idaptive and Centrify tenants as well as Customer actions which should occur at various stages of the move. A split tenant is defined as a joint customer of Idaptive and Centrify currently deployed as a single tenant in the Centrify production cloud service.
Please refer to article KB-17161: Preparing for the Tenant URL Change to centrify.net for information about the change to your Centrify URL.
For FAQ specific to Centrify tenants regarding the tenant split project, please refer to article KB-20123: Tenant URL change FAQ for Centrify Customers.
The document is organized by impacted functional component. Functionality not listed here is not expected to be impacted.
- Why are Idaptive and Centrify performing these changes?
- What is changing?
- Will the tenant URL change?
- Will there be an impact on connectors?
- Will there be an impact to end-users?
- Will there be an impact to the Windows agent (DZWin) and ZSO?
- Will there be an impact to existing applications?
- Will there be any impact to custom reports?
- Will there be any impact on mobile devices?
- Will there be any impact on MFA push notifications?
- Will there be any impact to Managed Service Provider (MSP) tenants or child tenants (SMB)?
- Will there be any impact to Analytics?
- Will there be any impact to RADIUS authentication?
- Will there be any impact to the SIEM integration?
- Will there be any impact to Directory Services?
- How long will the split and migration take?
- Will current data be copied to both tenants?
- Are there any required Customer actions before the tenant split?
- Are there any required Customer actions after the tenant split?
- How will I know when the maintenance is complete?
- Who should I contact for issues after the migration is complete?
- Who do I contact for other questions related to my migration?
1. Why are Idaptive and Centrify performing these changes?
As part of the business separation of Idaptive from Centrify, the migration of Application and Endpoint services from the Centrify cloud to the Idaptive cloud is expected to begin in October 2019. After the split, customers will have access to two independent tenants: an Idaptive tenant and a Centrify tenant.
2. What is changing?
As the name implies, existing tenants will be split into two separate tenants. One tenant for Centrify functionality and experience within the Centrify production cloud service and one tenant for Idaptive functionality and experience within the Idaptive production cloud service.
After the migration, the Idaptive tenant will become the authoritative identity provider (IDP) for the Centrify tenant via an automatically inserted Federated relationship, allowing for a consistent sign-in experience to either product. A Centrify Privileged Access Service (PAS) application will be available within the Idaptive User Portal after the migration for easy access to PAS services within the Centrify portal. All existing roles, rights, and rights assignments will exist in both tenants.
3. Will the tenant URL change?
The tenant ID for Idaptive or Centrify tenants will not change during the migration. The default URL for Idaptive tenants will retain *.centrify.com, and a new tenant URL of the form *.idaptive.app will be added to the Idaptive tenant after migration as an additional URL. The tenant URL for Centrify cloud services will change from centrify.com to centrify.net. Before the split, centrify.net will become available on September 30th, 2019, giving customers an opportunity to update any bookmarks and Centrify PAS integration URLs. All existing URLs will continue to work as normal before the migration.
4. Will there be an impact on connectors?
After the tenant split is completed, Centrify connectors will work with the Centrify tenant and Idaptive connectors will work with the Idaptive tenant.
All connectors must be at or above version 19.5 before the split. The recommendation for the least disruption during the initial split is to co-host the Idaptive connectors on the same machine running the Centrify connectors.
- Automatic Installation Method - If all existing Centrify connectors are running version 19.5 (or higher) and the auto-update option is enabled, Idaptive can automatically download and install Idaptive connectors on your behalf on the machines running the Centrify connector.
- Manual Installation Method - If auto-update is not enabled on all connectors and the connectors are not updated to 19.5, customers must manually download, install, and register Idaptive connectors.
Please notify Idaptive of your installation preference by sending email to firstname.lastname@example.org.
New Centrify connector installations must specify the tenant URL explicitly.
- When registering the newly installed connector, enter the admin credentials, click the Advanced button, and enter your Centrify tenant URL.
- Example: abc1234.my.centrify.net
Note: Connector affinity for App Gateway settings is automatically mapped from the Centrify connector to the corresponding Idaptive connector running on the same connector host during the split process. If customers instead deploy Idaptive connectors on new hosts, connector affinity for features such as App Gateway will not be migrated; these features will default to their ‘Use All Available Connector’ modes.
5. Will there be an impact to end-users?
All tenant services will be unavailable for a brief period during the migration maintenance window. The amount of time for the move varies depending on the size of the tenant. In most cases, the expected maintenance window is only a few minutes (5-10) but can take up to an hour for large tenants.
After the split, customers will have access to two independent tenants: an Idaptive tenant and a Centrify tenant. Users signing into the Centrify tenant will be redirected through Idaptive as the federated Identity Provider (IDP). Be sure to communicate these changes to your end-users before the split.
For additional information on business partner federation, please refer to Idaptive Online Documentation.
6. Will there be an impact to the Windows agent (DZWin) and ZSO?
Customers who use Direct Authorize for Windows (DZWin) with ZSO will need to remove personalization and re-personalize after migration by right-clicking the system tray agent icon. New installations performed after the migration will not be required to re-personalize.
7. Will there be an impact to existing applications?
All applications will be moved and available via the Idaptive tenant post-split and are expected to work without modification. The Centrify tenant will start with an empty list of deployed applications. The only exception is OAuth Client applications, which will remain in the Centrify tenant and also be copied to the Idaptive tenant. Outbound provisioning will continue to function post-split from the Idaptive tenant. Centrify will no longer have application provisioning capabilities.
Note: If administrators have configured any applications using the generic URL of cloud.centrify.com instead of the tenant-specific URL (<tenantID>.my.centrify.com), these applications will fail to redirect to the correct tenant after migration. Please review and update your current deployed app configurations in both the Admin Portal and Service Provider (SP) portals before your scheduled migration.
8. Will there be any impact to custom reports?
As part of the tenant split, reports will be duplicated and available on both Centrify and Idaptive tenants. Any custom reports with column aliases in the "where" clause of the SQL query will need to be updated. The column aliases will need to be replaced with actual column names for the report to work successfully on the Idaptive tenant post split.
As an example, the following SQL query, which filters on the alias "name":
Select username as name from user where name = 'joe'
will need to be modified to filter on the actual column name, as below:
Select username as name from user where username = 'joe'
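The following check is added here as an illustration and is not part of the article or of either product: it scans a set of constructed custom report queries for select aliases that are reused in the WHERE clause, which is the defect the article says breaks reports on the Idaptive tenant, and rewrites them with the underlying column names. It relies on simple regular expressions rather than a full SQL parser, so it covers straightforward "expr AS alias" reports like the one above.

```python
import re

# Constructed sample custom reports (not from the article). "UserLookup" is the
# article's own example of a select alias ("name") being reused in the WHERE clause.
SAMPLE_REPORTS = {
    "AgentVersions": 'SELECT Server.Name, Server.FQDN, Server.AgentVersion '
                     'FROM Server WHERE Server.AgentVersion != ""',
    "UserLookup": "Select username as name from user where name = 'joe'",
    "UsersByName": "Select username as name from user where username = 'joe'",
}

_SELECT_RE = re.compile(r"\bselect\b(.*?)\bfrom\b", re.IGNORECASE | re.DOTALL)
_WHERE_RE = re.compile(r"\bwhere\b(.*?)(?:\border\s+by\b|\bgroup\s+by\b|$)",
                       re.IGNORECASE | re.DOTALL)
_ALIAS_RE = re.compile(r"(\S+)\s+as\s+(\w+)\s*$", re.IGNORECASE)
_STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")
# Bare identifier not preceded by '.', so qualified names such as Server.Name stay intact.
_IDENT_RE = re.compile(r"(?<![\w.])[A-Za-z_]\w*\b")

def select_aliases(sql):
    """Map each alias in the select list to the column expression it stands for."""
    m = _SELECT_RE.search(sql)
    aliases = {}
    for item in (m.group(1).split(",") if m else []):
        am = _ALIAS_RE.search(item.strip())
        if am:
            aliases[am.group(2).lower()] = am.group(1)
    return aliases

def aliases_used_in_where(sql):
    """Return the select aliases that appear as identifiers in the WHERE clause."""
    aliases = select_aliases(sql)
    wm = _WHERE_RE.search(sql)
    if not aliases or not wm:
        return []
    where = _STRING_RE.sub("''", wm.group(1))  # ignore literals such as 'joe'
    idents = {t.lower() for t in _IDENT_RE.findall(where)}
    return sorted(a for a in aliases if a in idents)

def rewrite_where(sql):
    """Replace alias references in the WHERE clause with the real column expression."""
    aliases = select_aliases(sql)
    wm = _WHERE_RE.search(sql)
    if not aliases or not wm:
        return sql
    where, parts, pos = wm.group(1), [], 0
    repl = lambda m: aliases.get(m.group(0).lower(), m.group(0))
    for sm in _STRING_RE.finditer(where):  # substitute only outside string literals
        parts.append(_IDENT_RE.sub(repl, where[pos:sm.start()]))
        parts.append(sm.group(0))
        pos = sm.end()
    parts.append(_IDENT_RE.sub(repl, where[pos:]))
    return sql[:wm.start(1)] + "".join(parts) + sql[wm.end(1):]

def audit_reports(reports):
    """Return {report name: [aliases]} for every report that must be rewritten."""
    found = {name: aliases_used_in_where(sql) for name, sql in reports.items()}
    return {name: a for name, a in found.items() if a}
```

Running audit_reports(SAMPLE_REPORTS) flags only "UserLookup", and rewrite_where turns it into the corrected query shown above.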
9. Will there be any impact on mobile devices?
All existing mobile devices that have been successfully enrolled using the Idaptive (or Centrify) mobile app will be moved and available via the Idaptive tenant post-split and are expected to work without modification.
For Centrify Privileged Access Service to work on a mobile device, the Centrify mobile app must be installed.
Note: If administrators have enrolled any devices using the deprecated web URL of cloud.centrify.com/enroll instead of the Idaptive (or Centrify) mobile app, these devices will fail to redirect to the correct tenant after migration and must be enrolled again.
10. Will there be any impact on MFA push notifications?
For MFA push notifications to work against both Centrify and Idaptive tenants, customers are required to install the Centrify mobile app in addition to the Idaptive mobile app. A single mobile app, Centrify or Idaptive, will not be able to push MFA notifications for both of the tenants.
11. Will there be any impact to Managed Service Provider (MSP) tenants or child tenants (SMB)?
All existing SMBs will be transferred to a newly created Idaptive MSP tenant. After the new MSP tenant is created, the SMBs will be copied one by one to the new tenant and removed from the Centrify MSP tenant. Afterward, the Centrify tenant will be split. The Centrify and Idaptive tenants resulting from the split will not have MSP capabilities; only the newly created Idaptive MSP tenant will.
12. Will there be any impact to Analytics?
The Analytics service will continue to operate normally after the tenant split. There will be no impact on existing Customers.
13. Will there be any impact to RADIUS authentication?
After the tenant split is completed, RADIUS authentication will be available on the Centrify tenant. If RADIUS is required for the Idaptive tenant, please follow https://docs.idaptive.com/Content/CoreServices/Authenticate/RADIUSConfig.htm. If Centrify and Idaptive connectors are running on the same server, please ensure there are no port conflicts between the Centrify and Idaptive RADIUS configurations. Please contact Idaptive support at https://support.idaptive.com or call the Idaptive support line at 408-495-8118 for any assistance with enabling this.
14. Will there be any impact to the SIEM integration?
The syslog writer is configured to use <tenant_id>.my.centrify.com and will continue to pull the events for that tenant (the Idaptive tenant). To pull Centrify tenant events, the SIEM setup will have to be repeated, and when prompted for the tenant URL, the <tenant_id>.my.centrify.net URL should be used.
There is no impact to the SIEM integration with the Centrify agents.
15. Will there be any impact to Directory Services?
After the tenant split is completed, LDAP users will be able to successfully connect to the Centrify tenant. To allow LDAP users to log in to the Idaptive tenant post-split, please take the following steps:
- Before the split, add an Idaptive connector, then add an LDAP service in the Admin Portal that connects to the LDAP server through the Idaptive connector.
- If you have not had a chance to add an LDAP service in the Admin Portal through the Idaptive connector before the split, please add it post-split.
Please contact Idaptive support at https://support.idaptive.com or call the Idaptive support line at 408-495-8118 for any assistance with enabling this.
16. How long will the split and migration take?
The amount of time for the move varies depending on the size of the tenant. In most cases, the expected maintenance window is only a few minutes but can take up to an hour for large tenants.
17. Will current data be copied to both tenants?
During the split operation, tenant data is replicated to both resulting tenants, with the following exceptions:
- The last 12 months of all events in the Events table will be copied to the Idaptive tenant. The Centrify tenant will continue to have all events. Post-migration, only those events related to each product will be recorded in their respective tenant moving forward, e.g. PAS events in the Centrify tenant, Idaptive events in the Idaptive tenant.
- U2F keys will continue to work via the Idaptive tenant (they will not be visible in the Centrify tenant), but will only work if the user is on the <tenant>.my.centrify.com URL they used when the U2F key was registered. U2F keys can be re-registered to work with the Centrify tenant post-split if desired for use in Step Up MFA policies within the Centrify product.
- Any existing partners (Federations, B2B, B2C) are moved to the Idaptive tenant.
- Inbound provisioning will continue to function post-split from the Idaptive tenant. Centrify will no longer have inbound provisioning capabilities.
- For some time before the migration, the creation and execution of new jobs will be disabled. Once migration is complete, all regularly recurring jobs will be resumed.
- Any current sessions (logged in users, OAuth2) or in-progress authentications (MFA) are not moved to new tenants; all users must log in again.
Note: The Idaptive tenant will be available and functional as soon as the split completes; historical event data is then copied asynchronously and will become available over time.
18. Are there any required Customer actions before the tenant split?
Please review the below section and complete the migration requirements before your scheduled migration time.
- Network and Firewall - Update firewall and network security. During the migration, Idaptive tenants will move from MS Azure to Amazon Web Services (AWS). Customers must whitelist the firewall and port resources listed in this document before your scheduled migration date. If the Idaptive connector is unable to establish a connection to *.idaptive.app, user login will fail. Customers must also ensure connectivity to *.centrify.net before migration. Administrators can perform a simple test to quickly verify basic connectivity by entering the following URL into a web browser from a host running the Idaptive connector: https://connectivity.my.idaptive.app/my
- If the URL can be resolved, an Idaptive login page on AWS will be displayed. There is no need to log in; reaching the page confirms at a basic level the ability to reach AWS resources. If you are unable to resolve the URL, please review any firewall or email filters at your organization and update them as needed before your scheduled move date, as detailed in the Idaptive online documentation section Firewall and external IP address requirements.
- Multi-factor Authentication (MFA) - Customers must ensure all connectors are at or above version 19.5 before the tenant split, and must follow Phase 1 of KB-17161: Preparing for the Tenant URL Change to centrify.net to explicitly define the MFA tenant URL as the centrify.com domain. Once the migration is completed, follow Phase 2 of KB-17161: Preparing for the Tenant URL Change to centrify.net to configure MFA CDC agents, DZWin, and connectors to use the new centrify.net domain.
- Applications - Custom scripts, applications, or automation that use OAuth credentials to call service APIs may need to be changed if the targeted API is for Centrify functionality. In this case, the client application needs to be changed to use the <tenant>.my.centrify.net URL. No action is required for Idaptive API usage.
- Bookmarks - Customers should update bookmarks in advance of the move. We suggest that users of Centrify Privileged Access Service (PAS) add or update any PAS-specific bookmarks to <tenant>.my.centrify.net when it becomes available; existing Idaptive-specific bookmarks (<tenant>.my.centrify.com) will continue to work. Note: Idaptive-specific bookmarks on the new domain (<tenant>.my.idaptive.app) cannot be created or used until after the split.
- UNIX & Windows - Customers should, ideally, upgrade all Centrify Clients to 19.5 or higher for a transparent tenant split. If unable to upgrade to 19.5 before the split, UNIX, Linux, and Windows clients must either be un-enrolled and re-enrolled using the new tenant URL, or the client URL settings on each host must be updated for continued functionality. The current version of all clients can be viewed by running the following custom report in the product:
SELECT Server.Name, Server.FQDN, Server.AgentVersion FROM Server WHERE Server.AgentVersion != ""
- ADFS Federation - When a tenant is configured to use ADFS as an IdP and the default tenant URL is changed from *.my.centrify.com to *.my.idaptive.app, the service uses the new Idaptive domain in the SAML Assertion Consumer Service (ACS) URL. Customers should refer to Idaptive article KB-8577: How to migrate ADFS settings from Centrify to Idaptive for steps to update the configuration.
- Browser Extension - Customers that have enabled the ‘Set browser extension version’ application policy should disable it in the policies UI for all users to ensure compatibility when the Centrify and Idaptive browser extensions are installed on the same machine. Older versions of the Centrify Browser Extension (CBE) cannot co-exist with the Idaptive Browser Extension (IBE).
19. Are there any required Customer actions after the tenant split?
Please review the items below and complete the post-migration steps after your migration is complete.
- If Idaptive connectors were not installed on all machines running Centrify connectors before the split, customers must manually update the connector mapping for any App Gateway app where a corresponding Idaptive connector could not be found on the same connector host as the Centrify connector. For additional information, please refer to the Idaptive online help section Configuring App Gateway.
- U2F keys will only work when using the *.my.centrify.com hostname for which they were registered, which will now be the Idaptive tenant. Administrators that want to use their U2F keys with their Idaptive hostname (<tenant>.my.idaptive.app) must have their users re-register the keys.
- To use any U2F keys with the Centrify tenant, they must be re-registered by the user while signed into the Centrify tenant on the <tenant>.my.centrify.net URL.
- Because all Federations (B2B and B2C) are moved to Idaptive, a direct IDP->Centrify relationship may be desirable depending on the customer’s intent. A cloudadmin within the Centrify tenant can now re-create the prior relationship.
20. How will I know when the maintenance is complete?
You will receive an email notification directly when these updates are complete. After the maintenance, we recommend that you log in to your Idaptive tenant and confirm the connector service is running and displays a connected state. Be sure to access applications and other services used regularly. To ensure the operation of migrated tenants and validate the proper configuration, Idaptive and Centrify Operations will have limited, read-only access to tenant data for a brief period following migration. The token that allows this access will expire within 30 minutes.
We also encourage you to subscribe to Idaptive Trust at trust.idaptive.com and Centrify Uptime at uptime.centrify.com so we may send you alerts for future updates or changes with cloud service status. Customers that register will receive a separate email to confirm registration and you can easily manage your subscription or unsubscribe at any time.
21. Who should I contact for issues after the migration is complete?
If you encounter any production issues after your migration, Technical Support is the primary place to report or escalate any issues.
- Idaptive tenant-specific issues: Please contact Idaptive support at https://support.idaptive.com or call the Idaptive support line at 408-495-8118 for urgent assistance.
- Centrify tenant-specific issues: Please contact Centrify Support at https://www.centrify.com/support or call the Centrify support line at 877-531-7809 for urgent assistance.
Sometimes, the best way to solve a problem is to grant Idaptive or Centrify support read-only access to your tenant so engineers can review your tenant configuration. For more information, please refer to Centrify Online Documentation or Idaptive Online Documentation.
22. Who do I contact for other questions related to my migration?
If you have questions related to your migration or this FAQ, please contact either of the email addresses below so we may respond to you quickly.