
Preparing for your Privilege Management Deployment with the Centrify Infrastructure Service - Part 1

11 April,19 at 11:50 AM

There are several configuration steps worth completing before you import systems and begin managing accounts for Privilege Management in our Infrastructure Service.

Before you get started, you will need to choose a deployment option. Centrify offers two methods for your organization: you can use our cloud-based service, or you can manage your own systems with our on-premises, customer-managed deployment option.

 

If you are looking to try this out for the first time, then you can sign up for a trial here - https://www.centrify.com/free-trial/

 

-If you are going with the cloud deployment option, then you will need a Centrify tenant with the Privilege Service enabled. Your organization may already have one, but if not then you will need to start a new trial using the link above.

 

-If you are going with the customer-managed deployment option, then you will need to download and install the Centrify Privilege Service. If you have not purchased this software, then you can sign up for a trial using the link above.

 

-You will want at least two Centrify Directory Service accounts in the System Administrator role. This ensures that you are not the sole holder of administrative credentials to the service in case of emergency. It is also good practice to keep some backdoor (break-glass) accounts that remain accessible if the Active Directory connection is unavailable.

 

(Image: System Administrator Role Memebers.png)

Adding Centrify Directory Users

Creating Centrify Platform Administrators

System Administrator Role Permissions

 

-You will want a customized login suffix. This is a unique suffix that your users type when they log in; it also tells the authentication engine which identity repository and tenant to log the user into.

 

(Image: Login Suffix.png)

Creating a login suffix

How to use login suffixes

 

-You will want to have a customized tenant URL configured. This URL should be easy for users at your company to remember. You can create it in your Admin Portal Settings > Customization > Login > Tenant URLs.

 

(Image: Tenant URLS.png)

Tenant URLs

 

-You will want to define user security policies for login authentication to the Centrify Admin and User Portals. Decide whether additional forms of authentication, beyond the password, will be required when users log in to the Centrify Platform. Enabling login authentication in the user security policies lets you set the conditions under which users must present a second or third authentication mechanism, for example when they are outside the corporate network.

 

(Image: Login Authentication User Security Policy.png)

Setting authentication policy controls 

Creating authentication rules

Creating authentication profiles

Authentication mechanisms

 

-If you are requiring a second or third authentication mechanism for login, make sure that your users will be able to satisfy any authentication challenges they are required to complete.

 

What you need for each authentication mechanism

 

  • For SMS/text challenges, check that the mobile attribute specifically is set for your users in Active Directory and Centrify Directory.

  • For phone call challenges, check that any phone number attribute is set for your users in Active Directory and Centrify Directory.

  • For email authentication mechanisms, check that the mail attribute exists and has been set for your users in Active Directory and Centrify Directory.

  • For RADIUS as an authentication mechanism, add the RADIUS server information, enable your Connector(s) to work as RADIUS clients, and enable the RADIUS policy. The Connector(s) that you enable as RADIUS clients must also be added to your RADIUS server as RADIUS clients.

 

(Image: Enable 3rd Party RADIUS Authentication.png)

How to configure Centrify Identity Services platform for RADIUS

Configuring Connector as a RADIUS client

Configuring the Centrify Connector for use as a RADIUS client

Configuring a RADIUS server

 

  • If you are using OATH for MFA, configure the OATH policy.

 

(Image: Allow OATH OTP Intergration.png)

How to configure OATH OTP 
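The attribute checks listed above (mobile for SMS, any phone attribute for calls, mail for email) are easy to audit before you turn on a second-factor requirement. The following PowerShell is an added example, not part of the Centrify article; it assumes the RSAT ActiveDirectory module is installed and uses a placeholder search base that you would replace with your own OU.

```powershell
# Added example (not from the Centrify article): audit Active Directory users for
# the attributes each Centrify MFA challenge depends on, so nobody is locked out
# when the login policy starts demanding a second factor.
Import-Module ActiveDirectory

function Get-MfaReadiness {
    param(
        # Placeholder search base; replace with the OU that holds your users.
        [string]$SearchBase = 'OU=Users,DC=example,DC=com'
    )
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties mobile, telephoneNumber, otherTelephone, mail

    foreach ($u in $users) {
        # SMS challenges need the 'mobile' attribute specifically.
        $sms = -not [string]::IsNullOrWhiteSpace($u.mobile)
        # Phone-call challenges can use any phone attribute.
        $phone = $sms -or
                 (-not [string]::IsNullOrWhiteSpace($u.telephoneNumber)) -or
                 ($u.otherTelephone.Count -gt 0)
        # Email challenges need the 'mail' attribute.
        $email = -not [string]::IsNullOrWhiteSpace($u.mail)

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            SmsReady       = $sms
            PhoneReady     = $phone
            EmailReady     = $email
            # True when the user could not satisfy any of the three challenges.
            NoSecondFactor = -not ($sms -or $phone -or $email)
        }
    }
}

$report = Get-MfaReadiness
# Users who would fail every challenge: fix these before enabling the policy.
$report | Where-Object NoSecondFactor | Format-Table -AutoSize
# Full readiness table for the helpdesk or the project record.
$report | Export-Csv -Path .\mfa-readiness.csv -NoTypeInformation
```

Run it from an account with read access to the user OU; the CSV gives you a per-user view of which challenge types each person can currently pass.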
