For split tenants that have existing federations (external IDPs), it is essential to determine how each federation is to be handled on split.
For each existing Federation, it must be determined whether the federation applies to the Idaptive tenant only, the Centrify tenant only, or both tenants. The process for each case is detailed below.
Federations Are Tied to URLs (domains) and are Tenant Specific
It is important to note that, upon creation, a federation is associated with the tenant's URL, which is typically <tenantId>.my.centrify.com. Existing federations are tied to this URL, which becomes the URL of the Idaptive tenant post split.
This also means that if, before the split, no steps are taken to tag an existing federation as retained by the Centrify tenant, all users of that federation will be deleted from the Centrify tenant post split. This has a potentially significant impact on the Centrify tenant, because deleted users lose all configured permissions and role memberships (users arriving via the Idaptive tenant federation post split will be 'new' users).
Preparing Federations Before Tenant Split
Each existing federation of a tenant to be split must be evaluated to determine whether it is B2C, B2B Idaptive only, B2B Centrify only, or B2B for both tenants, and the appropriate actions must be taken.
B2C (Social) Federations
B2C or Social federations (Facebook, Linkedin, Google, Microsoft) are always Idaptive only; Centrify tenants do not support B2C federations.
No action necessary. The existing B2C federation(s) and their users will be automatically moved to the Idaptive tenant on split and will not exist in the Centrify tenant post split. All users of these federations will be removed from the Centrify tenant.
B2B Idaptive Only Federations
An Idaptive only B2B federation will contain users that only need access to the Idaptive tenant, not the Centrify tenant.
No action necessary. The existing B2B federation(s) and their users will be automatically moved to the Idaptive tenant on split and will not exist in the Centrify tenant. All users of these federations will be removed from the Centrify tenant.
B2B Centrify Only Federations or B2B Federations for Both Tenants
A B2B Centrify only federation contains users that only need access to the Centrify tenant.
A B2B federation for both tenants contains users that need access to both the Idaptive and Centrify tenants.
For a B2B federation that is for Centrify only or for both tenants, a federation shadow must be created before the tenant is split. The shadow should use the centrify.net tenant URL rather than centrify.com. On split, the shadow federation will automatically become an active federation in the Centrify tenant, and will automatically pick up all existing federated users for the previous federation. The existing federation will be copied to the Idaptive tenant along with all federated users of the existing federation.
Creating a Federation Shadow
First, navigate to Settings > Users > Partner Management.
Check the box next to the partner and use the Actions drop-down to select "Create Federation Shadow".
The shadow will need to be set up like a standard federation for the external IDP and will only use the centrify.net tenant URL. The shadow on the Centrify side will need the data on the Inbound metadata tab configured appropriately from the outbound information of the external IDP.
On the IDP side, use the data from the outbound metadata tab for setup:
Note: Any existing federation on the IDP instance that was previously configured with the centrify.com URL will need to be associated with the tenant's centrify.net tenant URL.
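The classification above (B2C, B2B Idaptive only, B2B Centrify only, B2B both) and the URL requirement for the shadow can be checked before the split with a small audit script. The following is an added example, not Centrify's own tooling: it assumes a hypothetical federation inventory exported by the administrator as a list of dicts, that the Centrify-side tenant URL takes the form <tenantId>.my.centrify.net (an assumption based on the centrify.com form given above), and it uses constructed SAML SP metadata to show the host check for the shadow's outbound metadata.

```python
"""Pre-split federation audit (added example; not part of Centrify's documentation).

Assumptions (hypothetical): the inventory format below is our own, and the
centrify.net tenant URL is assumed to be <tenantId>.my.centrify.net.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# B2C (social) providers named on the page; these are always Idaptive only.
SOCIAL_PROVIDERS = {"facebook", "linkedin", "google", "microsoft"}


def classify(fed):
    """Return (kind, scope): B2C is forced to 'idaptive'; B2B keeps its declared scope."""
    if fed["provider"].lower() in SOCIAL_PROVIDERS:
        return "B2C", "idaptive"
    return "B2B", fed["scope"]  # scope is one of 'idaptive', 'centrify', 'both'


def pre_split_action(fed):
    """Centrify-only and 'both' federations need a shadow before the split."""
    _, scope = classify(fed)
    if scope == "idaptive":
        return "none"
    return "shadow-ready" if fed.get("shadow_created") else "create-shadow"


def audit(inventory):
    """Return (plan, warnings): per-federation actions plus user-loss warnings."""
    plan, warnings = {}, []
    for fed in inventory:
        kind, scope = classify(fed)
        pre = pre_split_action(fed)
        # Centrify-only federations are copied to Idaptive on split and must be
        # removed there afterwards; 'both' federations legitimately stay in both.
        post = "delete-from-idaptive" if scope == "centrify" else "none"
        plan[fed["name"]] = {"kind": kind, "scope": scope,
                             "pre_split": pre, "post_split": post}
        if pre == "create-shadow":
            warnings.append(f"{fed['name']}: no shadow; its users would be "
                            f"deleted from the Centrify tenant on split")
    return plan, warnings


def metadata_hosts(xml_text):
    """Collect the hosts of entityID and every AssertionConsumerService Location."""
    root = ET.fromstring(xml_text)
    locations = [root.get("entityID")]
    for acs in root.findall(".//md:AssertionConsumerService", SAML_MD_NS):
        locations.append(acs.get("Location"))
    return sorted({urlparse(u).netloc for u in locations if u})


def shadow_metadata_ok(xml_text, tenant_id):
    """True when every URL in the shadow's SP metadata uses the centrify.net host."""
    expected = f"{tenant_id}.my.centrify.net"  # assumed URL form
    return metadata_hosts(xml_text) == [expected]


# Constructed sample inventory (names and providers are made up).
SAMPLE_INVENTORY = [
    {"name": "Google Social", "provider": "google", "scope": "idaptive", "shadow_created": False},
    {"name": "Acme Partners", "provider": "okta", "scope": "idaptive", "shadow_created": False},
    {"name": "Contoso Ops", "provider": "adfs", "scope": "centrify", "shadow_created": False},
    {"name": "Fabrikam", "provider": "azuread", "scope": "both", "shadow_created": True},
]

# Constructed SP metadata: a correct shadow, and one whose ACS still points at centrify.com.
SAMPLE_SHADOW_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://abc123.my.centrify.net/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://abc123.my.centrify.net/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_STALE_METADATA = SAMPLE_SHADOW_METADATA.replace(
    "https://abc123.my.centrify.net/saml/acs", "https://abc123.my.centrify.com/saml/acs")


if __name__ == "__main__":
    plan, warnings = audit(SAMPLE_INVENTORY)
    for name, entry in plan.items():
        print(f"{name}: {entry}")
    for w in warnings:
        print("WARNING:", w)
    print("shadow metadata ok:", shadow_metadata_ok(SAMPLE_SHADOW_METADATA, "abc123"))
    print("stale metadata ok:", shadow_metadata_ok(SAMPLE_STALE_METADATA, "abc123"))
```

Run the audit before the split and treat every "create-shadow" entry as blocking: those are exactly the federations whose users would be removed from the Centrify tenant. The metadata check is the same host comparison an administrator performs by eye on the outbound metadata tab, applied to every URL in the document rather than only the entityID.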
Centrify Only Federations - Post Tenant Split
Once the tenant has been split, any Centrify only federations should be deleted from the Idaptive tenant via the manage portal. Note that Centrify only federations are moved to Idaptive during the split to avoid downtime (disabling them before the split would cause them to stop functioning between the time they are disabled and the actual split).