There are a lot of configurations that can be done before importing systems and managing accounts for Privilege Management in our Infrastructure Service.
Before you get started, you will need to choose a deployment option. Centrify offers two methods that you can choose from for your organization. You can choose to use our cloud based service or to manage your own systems with our on-premises customer-managed deployment option.
If you are looking to try this out for the first time, then you can sign up for a trial here - https://www.centrify.com/free-trial/
-If you are going with the cloud deployment option, then you will need a Centrify tenant with the Privilege Service enabled. Your organization may already have one, but if not then you will need to start a new trial using the link above.
-If you are going with the customer-managed deployment option, then you will need to download and install the Centrify Privilege Service. If you have not purchased this software, then you can sign up for a trial using the link above.
-You will want to have at least two Centrify Directory Service accounts in System Administrator Role. This is to ensure that you are not the sole owner of administrative credentials to the service, in case of emergency. Also, it is a good practice to have some backdoor accounts that are still accessible in case the Active Directory connection is unavailable.
Adding Centrify Directory Users
Creating Centrify Platform Administrators
System Administrator Role Permissions
-You will want to have a customized login suffix. This will be a unique suffix that your users will type to login. The login suffix also tell the authentication engine which identity repository and tenant to log a user into.
-You will want to have a customized tenant URL configured. This URL should be easy for users at your company to remember. You can create it in your Admin Portal Settings > Customization > Login > Tenant URLs.
-You will want to define user security policies for login authentication to the Centrify Admin and User Portals. You will want to determine wether additional forms of authentication, besides their passwords, will be required when users log in to the Centrify Platform. Enabling login authentication in the user security policies will allow you to set what conditions users are required to present a second or third authentication mechanism, like if they are outside of the corporate network.
Setting authentication policy controls
Creating authentication profiles
-If you are requiring a second or third authentication mechanism for login, then you will want to make sure that your users will be able to satisfy any authentication challenges that they are required to approve.
What you need for each authentication mechanism
- For SMS/text challenges, then check that the mobile attribute, specifically is set for your users in Active Directory and Centrify Directory.
- For phone call challenges, then check that any phone number attribute is set for your users in Active Directory and Centrify Directory
- For email authentication mechanisms, check that the mail attribute exists and has been set for your users in Active Directory and Centrify Directory.
- For RADIUS as an authentication mechanism, add the RADIUS server information, enable your Connector(s) to work as RADIUS clients, and enable the RADIUS policy. Also, the Connector(s) that you enable as RADIUS clients will need to be added to your RADIUS server as a RADIUS client.
How to configure Centrify Identity Services platform for RADIUS
Configuring Connector as a RADIUS client
Configuring the Centrify Connector for use as a RADIUS client
- If using OATH for MFA, configure OATH policy
This Tech Blog is continued at this URL: Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 2