2 March,20 at 01:18 PM
Tenant Migration & Split FAQ for joint customers of Centrify and Idaptive
This article describes the overall process of splitting Idaptive and Centrify tenants as well as Customer actions which should occur at various stages of the move. A split tenant is defined as a joint customer of Idaptive and Centrify currently deployed as a single tenant in the Centrify production cloud service.
Please refer to article KB-17161: Preparing for the Tenant URL Change to centrify.net for information about the change to your Centrify URL.
For FAQs specific to Centrify tenants regarding the tenant split project, please refer to article KB-20123: Tenant URL change FAQ for Centrify Customers.
The document is organized by impacted functional component. If not listed, the expectation is the functionality is not impacted.
1. Why are Idaptive and Centrify performing these changes?
As part of the business separation of Idaptive from Centrify, the migration of Application and Endpoint services from the Centrify cloud to Idaptive cloud is expected to start beginning October 2019. After the split, customers will have access to two independent tenants - an Idaptive tenant and a Centrify tenant.
2. What is Changing?
As the name implies, existing tenants will be split into two separate tenants. One tenant for Centrify functionality and experience within the Centrify production cloud service and one tenant for Idaptive functionality and experience within the Idaptive production cloud service.
After the migration, the Idaptive tenant will become the authoritative identity provider (IDP) for the Centrify tenant via an automatically inserted Federated relationship, allowing for a consistent sign-in experience to either product. A Centrify Privileged Access Service (PAS) application will be available within the Idaptive User Portal after the migration for easy access to PAS services within the Centrify portal. All existing roles, rights, and rights assignments will exist in both tenants.
3. Will the tenant URL change?
The tenant ID for Idaptive or Centrify tenants will not change during the migration. The default URL for Idaptive tenants will retain *.centrify.com, and a new tenant URL named *.idaptive.app will be added to the Idaptive tenant after migration as an additional URL. The tenant URL for Centrify cloud services will change from centrify.com to centrify.net. Before the split, centrify.net will become available on September 30th, 2019, which will give customers an opportunity to update any bookmarks and Centrify PAS integration URLs. All existing URLs will continue to work as normal before the migration.
4. Will there be an impact on connectors?
After the tenant split is completed, Centrify connectors will work with the Centrify tenant and Idaptive connectors will work with the Idaptive tenant.
All connectors must be at or above version 19.5 before the split. The recommendation for the least disruption during the initial split is to co-host the Idaptive connectors on the same machine running the Centrify connectors.
Please notify Idaptive of your installation preference by sending an email to customersuccess@idaptive.com.
Installation of new Centrify connectors must specify the specific tenant URL.
Note: Connector affinity for App Gateway settings is automatically mapped from the Centrify connector to the appropriate Idaptive connector that is running on the same connector host during the split process. If Customers choose to deploy Idaptive connectors on new hosts, all connector affinity for features such as app gateway will not be migrated. These features will instead default to their ‘Use All Available Connector’ modes.
5. Will there be an impact to end-users?
All tenant services will be unavailable for a brief period during the move maintenance window. The amount of time for the move varies depending on the size of the tenant. In most cases, the expected maintenance window is only a few minutes (5-10) but can take up to an hour for large tenants.
After the split, customers will have access to two independent tenants. These tenants will take the form of an Idaptive tenant and a Centrify tenant. Users signing into the Centrify tenant will flow through Idaptive as the federated Identity Provider (IDP). Be sure to communicate these changes to your end-users before the split.
For additional information on business partner federation, please refer to Idaptive Online Documentation and article KB-28704: Considerations for preparing for Split Tenant - Partner Federations
6. Will there be an impact to the Windows agent (DZWin) and ZSO?
Customers who use Direct Authorize for Windows (DZWin) with ZSO will need to remove personalization and re-personalize after migration by right-clicking the system tray agent icon. New installations performed after the migration will not be required to re-personalize.
7. Will there be an impact to existing applications?
All applications will be moved and available via the Idaptive tenant post-split and are expected to work without modification. The Centrify tenant will start with an empty list of deployed applications. The only exception is OAuth Client applications, which will remain in the Centrify tenant and also be copied to the Idaptive tenant. Outbound provisioning will continue to function post-split from the Idaptive tenant. Centrify will no longer have application provisioning capabilities.
Note: If administrators have configured any applications using the generic URL of cloud.centrify.com instead of the tenant-specific URL (<tenantID>.my.centrify.com), these applications will fail to redirect to the correct tenant after migration. Please review and update your current deployed app configurations in both the Admin Portal and Service Provider (SP) portals before your scheduled migration.
8. Will there be any impact to custom reports?
As part of the tenant split, reports will be duplicated and available on both Centrify and Idaptive tenants. Any custom reports with column aliases in the "where" clause of the SQL query will need to be updated. The column aliases will need to be replaced with actual column names for the report to work successfully on the Idaptive tenant post split.
As an example, the following SQL query:
Select username as name from user where name = 'joe'
will need to be modified as below:
Select username as name from user where username = 'joe'
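The rewrite described above can be checked across many saved report queries with a small script. This is an added example, not Centrify or Idaptive tooling; the function names are hypothetical, and it only handles simple `column AS alias` select items, leaving expressions and string literals untouched.

```python
import re

# Constructed helper (not vendor code): finds SELECT-list aliases reused in
# the WHERE clause and substitutes the real column name.
_SELECT = re.compile(r"^\s*select\s+(?P<cols>.+?)\s+from\s+(?P<rest>.+)$", re.I | re.S)
_ALIAS = re.compile(r"^\s*(?P<col>[\w.]+)\s+as\s+(?P<alias>\w+)\s*$", re.I)
_WHERE = re.compile(r"\bwhere\b", re.I)
_LITERAL = re.compile(r"('(?:[^']|'')*')")  # single-quoted SQL string literals

# The "before" query from this FAQ.
BEFORE = "Select username as name from user where name = 'joe'"


def select_aliases(sql):
    """Map alias -> source column for simple `column AS alias` select items."""
    m = _SELECT.match(sql)
    aliases = {}
    for item in (m.group("cols").split(",") if m else []):
        a = _ALIAS.match(item)  # expressions such as count(x) do not match
        if a and a.group("alias").lower() != a.group("col").lower():
            aliases[a.group("alias")] = a.group("col")
    return aliases


def fix_where_aliases(sql):
    """Return (rewritten_sql, aliases_replaced).

    Everything after WHERE is treated as the predicate; quoted literals are
    skipped so a value such as 'name' is never rewritten.
    """
    aliases = {a.lower(): c for a, c in select_aliases(sql).items()}
    w = _WHERE.search(sql)
    if not aliases or not w:
        return sql, []
    head, where = sql[:w.end()], sql[w.end():]
    names = "|".join(map(re.escape, aliases))
    ident = re.compile(r"(?<![\w.])(%s)(?![\w.(])" % names, re.I)
    used = []

    def swap(m):
        alias = m.group(1).lower()
        if alias not in used:
            used.append(alias)
        return aliases[alias]

    parts = _LITERAL.split(where)  # even indexes are code, odd are literals
    parts[::2] = [ident.sub(swap, p) for p in parts[::2]]
    return head + "".join(parts), used


if __name__ == "__main__":
    print(fix_where_aliases(BEFORE))
```

A non-empty second element in the returned tuple marks a report that needs updating before it will run on the Idaptive tenant.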
9. Will there be any impact on mobile devices?
All existing mobile devices that have been successfully enrolled using the Idaptive (or Centrify) mobile app will be moved and available via the Idaptive tenant post-split and are expected to work without modification.
For Centrify Privileged Access Service to work on a mobile device, the Centrify mobile app will need to be installed.
Note: If administrators have enrolled any devices using the deprecated web URL of cloud.centrify.com/enroll instead of the Idaptive (or Centrify) mobile app, these devices will fail to redirect to the correct tenant after migration and must be enrolled again.
10. Will there be any impact on MFA push notifications?
For MFA push notifications to work against both Centrify and Idaptive tenants, customers are required to install the Centrify mobile app in addition to the Idaptive mobile app. A single mobile app, Centrify or Idaptive, will not be able to push MFA notifications for both of the tenants.
11. Will there be any impact to Managed Service Provider (MSP) tenants or child tenants (SMB)?
All existing SMBs will be transferred to a newly created Idaptive MSP tenant. After the new MSP tenant is created, the SMBs will be copied one by one to the new tenant and removed from the Centrify MSP tenant. Afterward, the Centrify tenant will be split. The Centrify and Idaptive tenants resulting from the split will not have MSP capabilities. Only the newly created Idaptive MSP tenant will have MSP capabilities.
12. Will there be any impact to Analytics?
The Analytics service will continue to operate normally after the tenant split. There will be no impact on existing Customers.
13. Will there be any impact to RADIUS authentication?
After the tenant split is completed, RADIUS authentication will be available on the Centrify tenant. If RADIUS is required for the Idaptive tenant, kindly follow https://docs.idaptive.com/Content/CoreServices/Authenticate/RADIUSConfig.htm. If Centrify and Idaptive connectors are running on the same server, please ensure there are no port conflicts between the Centrify and Idaptive RADIUS configurations. Please contact Idaptive support at https://support.idaptive.com or call the Idaptive support line at 408-495-8118 for any assistance with enabling this.
14. Will there be any impact to the SIEM integration?
The syslog writer is configured to use the <tenant_id>.my.centrify.com URL and will continue to pull the events for that tenant (Idaptive). To pull Centrify tenant events, the SIEM setup will have to be followed again, and when prompted for the tenant URL, the <tenant_id>.my.centrify.net URL should be used.
There is no impact to the SIEM integration with the Centrify agents.
15. Will there be any impact to Directory Services?
After the tenant split is completed, LDAP users will be able to successfully connect to the Centrify tenant. In order to allow LDAP users to log in to the Idaptive tenant post-split, kindly take the below steps:
Please contact Idaptive support at https://support.idaptive.com or call the Idaptive support line at 408-495-8118 for any assistance with enabling this.
16. How long will the split and migration take?
The amount of time for the move varies depending on the size of the tenant. In most cases, the expected maintenance window is only a few minutes but can take up to an hour for large tenants.
17. Will current data be copied to both tenants?
During the split operation, tenant data is replicated to both resulting tenants, with some exceptions.
Note: The Idaptive tenant will be available and functional after the split completes. Historical event data is then copied asynchronously and will become available over time as a result.
18. Are there any required Customer actions before the tenant split?
Please review the below section and complete the migration requirements before your scheduled migration time.
SELECT Server.Name, Server.FQDN, Server.AgentVersion FROM Server WHERE Server.AgentVersion != ''
19. Are there any required Customer actions after the tenant split?
Please review the below and complete the post-migration steps after your migration is complete.
20. How will I know when the maintenance is complete?
You will receive an email notification directly when these updates are complete. After the maintenance, we recommend that you log in to your Idaptive tenant and confirm the connector service is running and displays a connected state. Be sure to access applications and other services used regularly. To ensure the operation of migrated tenants and validate the proper configuration, Idaptive and Centrify Operations will have limited, read-only access to tenant data for a brief period following migration. The token that allows this access will expire within 30 minutes.
We also encourage you to subscribe to Idaptive Trust at trust.idaptive.com and Centrify Uptime at uptime.centrify.com so we may send you alerts for future updates or changes with cloud service status. Customers that register will receive a separate email to confirm registration and you can easily manage your subscription or unsubscribe at any time.
21. Who should I contact for issues after the migration is complete?
If you encounter any production issues after your migration, Technical Support is the primary place to report or escalate any issues.
Sometimes, the best way to solve a problem is to grant Idaptive or Centrify support read-only access to your tenant so engineers can review your tenant configuration. For more information, please refer to Centrify Online Documentation or Idaptive Online Documentation.
22. Who do I contact for other questions related to my migration?
If you have questions related to your migration or the FAQs, please contact either of the email addresses below so we may respond to you quickly.