Centrify Integration

Customer IT / SpaceIQ Onboarding Team


SiQ supports integration with Centrify (Privileged Identity Management system). This article will walk you through the steps required to connect SiQ with Centrify. 

The supported features are:

  • Push New Users - New users created through Centrify will also be automatically created inside SiQ.
  • Push Profile Updates - Updates made to users' profiles through Centrify will be pushed to SiQ.
  • Push User Deactivations - Deactivating the user or disabling user access to the application through Centrify will deactivate the user in the SiQ Web App. This will effectively delete the user from both systems.
  • Download Users from Third Party Apps - New users created in the third-party application will be downloaded and turned into new AppUser objects for matching against existing SiQ users.

Prerequisites

You will need Centrify admin privileges to complete this integration and for the SiQ setup, you must have a SiQ Admin or an IT role.

Integration Activities

Step 1. Activate the Centrify Integration in SiQ

From the SiQ Web App, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.

You can either search for Centrify in the Search field or navigate to the Centrify tile. To navigate, complete the following:

  1. From the left menu, click Provisioning & SSO.
  2. For Centrify, click the Activate button.

The Centrify dialog displays and it contains the Provisioning tab and the SSO Tab.

Provisioning Tab

The Provisioning tab contains the required SCIM Bearer Token field; copy that token to a secure location for use later in the integration process. The SCIM schema custom attributes field can be used to declare custom field names as JSON attributes.

centrify1.png

SSO Tab

The SSO tab contains several fields that you will need to populate with data from Centrify, and one field that you will need to paste over to Centrify is the SAML Audience URI. We'll describe where to find these values in the Centrify Actions section below.

centrify2.png

Step 2. Set up Centrify / Idaptive

Step 2.1 Set up the Centrify Portal URL

Your Centrify / Idaptive Portal URL can be seen in your browser's URL bar when you log in to your account. It will take the form https://example.my.idaptive.app/. Copy the URL into the Centrify Portal URL field under the SSO tab in SiQ.

Step 2.2 Check the user's Centrify login name and domain suffix

Next, ensure that the user's Centrify login name and domain suffix field on the user's account page correspond to the user's company email.

If you start in the Admin Portal, you may need to switch to the User Portal to verify these details. In the top right corner, click on your user name [1]. If you are in the Admin Portal, click on the option to Switch to User Portal [2]:

Navigate.jpg


In the User Portal, click on Account [1], then Personal Profile [2].

Make sure your Centrify settings' Suffix [3] matches the SiQ company domain [4].

Centrify-Account-Settings-Suffix.jpg


Step 2.3 Add the SiQ Web App

This time you'll want to be in the Admin Portal of Centrify. Click on your username in the top right corner [1]. If you are not in the Admin Portal, you'll see the option to Switch to Admin Portal [2], assuming you have admin permissions.

Switch-to-Admin-Portal.jpg


Inside the Admin Portal look to the left to see an Apps section [1] where you'll click on Web Apps [2].

Click on the Add Web Apps button [3].

Add-Web-App.jpg

On the Search tab [1] you can navigate to the Other category [2] or just type SiQ into the search field [3].

When you find SiQ click the Add button [4].

Search-Add.jpg

Click through the confirmation screen to continue.

Confirmation.jpg


Step 2.4 Set up the SAML Audience URI

When the SiQ application has been added inside Centrify, you'll be taken to the Settings page [1].

Here, the only required value is the SAML Audience URI [2], which can be found inside SiQ under the SSO tab as described in the section above.

Click the Save button [3].

Settings.jpg

Step 2.5 Set up the Trust

On the Trust screen [1], under Identity Provider Configuration, select Metadata [2], then expand the SAML Identity Provider Issuer field [3].

Copy this value [4] back to SiQ under the SSO tab as described above.

On this same page expand the Signing Certificate field [5] and download the file [6].

Open it in a text editor, and copy and paste the X.509 certificate value into the appropriate field as described above.

Trust.jpg

Step 2.6 Set up the Provisioning

On the Provisioning screen [1] of your newly added app, check the Enable provisioning for this application option [2].

Make sure Live Mode is selected [3] and put https://api.spaceiq.com/scims/callback/ into the SCIM Service URL field [4].

Choose Authorization Header [5] and copy over the SCIM Bearer Token [6] from the Provisioning tab in the SiQ integration setup page as described above.

Click the Save button [7].

Provisioning.jpg

Step 2.7 Set up the Permissions

On the Permissions screen [1] click the Add button [2] to set up role(s) that represent the users and groups that have access to the application. Add users to their corresponding roles. When assigning an application to a role, select Automatic Install (the app will then appear automatically for users).

Permissions.jpg

On the Provisioning screen after Verifying, make sure the following sync option boxes are checked.

Sync-Options.jpg

Step 2.8 Role Mapping

On the Account Mapping screen, map the roles (for example, Engineering, Marketing) to their destination groups (departments). Note that department mapping can be done in two ways:

  • Additional attributes under Customization
  • Assigning each department to a role and then assigning users to that role under Users -> Roles.

Support for either approach is provided in the provisioning script listed in full below, where the role mappings code is commented out.

In Provisioning at the very bottom of the screen, click Provisioning Script. When the script is expanded, add the following code and save the changes:

  if (source.Classification == "User") {
    destination.DisplayName = source.DisplayName;
    destination.Username = source.CanonicalizeName;
    destination.Email = source.Email;
    var nameBits = source.DisplayName.split(" ");
    destination.GivenName = nameBits[0];
    destination.FamilyName = nameBits[nameBits.length - 1];

    // Get manager value
    var value = getSourcePropertyByName('reportsto');

    // Add enterprise User SCIM extension and department value through additional attributes
    destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
      'department': source.Get('user_department'),
      'manager': {displayName: value[0]}
    };

    // Add enterprise User SCIM extension and department value through role mappings
    /*
    var val = source.Roles;
    destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
      'department': val[0],
      'manager': {displayName: value[0]}
    };
    */

    // Add custom attributes
    destination.userType = source.Get("user_type");
    destination.title = source.Get("user_title");

    // For generic SCIM service
    destination.OfficePhone = source.OfficePhone;
    destination.MobilePhone = source.MobilePhone;
    destination.HomePhone = source.HomePhone;
  }

  if (source.Classification == "Group") {
    var propArr = getSourcePropertyByName("name");
    if (propArr && propArr.Length) {
      destination.DisplayName = propArr[0];
    }
  }

If both departments and teams need to be provisioned, also add this code in the provisioning script:

  // Add enterprise User SCIM extension with division and department values through additional attributes
  destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
    'division': source.Get('user_department'),
    'department': source.Get('user_team')
  };
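As an added example (not the article's or Centrify's own code), the following JavaScript simulates the User branch of the provisioning script above, covering both department-mapping approaches and the division/department variant, and adds a pre-flight check for the cases listed under Troubleshooting. The `makeSource` helper, the `source.Get()` shape and the `reportsTo` parameter are assumptions standing in for the objects Centrify's script runtime supplies.

```javascript
// Added example: offline simulation of the SpaceIQ provisioning script so the
// SCIM payload can be reviewed before Live Mode pushes it to SiQ. Not part of
// the article or of Centrify; makeSource and the source.Get() shape are
// constructed stand-ins for Centrify's runtime objects.
const ENTERPRISE_EXT = 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User';

// Constructed stand-in for Centrify's `source`: custom attributes are read
// through Get(name) and roles arrive as an array, as in the article's script.
function makeSource(attrs, roles) {
  return {
    Classification: 'User',
    DisplayName: attrs.DisplayName,
    CanonicalizeName: attrs.CanonicalizeName,
    Email: attrs.Email,
    Roles: roles || [],
    Get: (name) => attrs[name],
  };
}

// Mirrors the script's User branch. useRoles selects the commented-out
// role-mapping variant; a user_team attribute selects the division/department
// variant from the second snippet. reportsTo stands in for
// getSourcePropertyByName('reportsto')[0] (assumed value, not from Centrify).
function mapUser(source, useRoles, reportsTo) {
  const destination = {};
  destination.DisplayName = source.DisplayName;
  destination.Username = source.CanonicalizeName;
  destination.Email = source.Email;
  const nameBits = source.DisplayName.split(' ');
  destination.GivenName = nameBits[0];
  destination.FamilyName = nameBits[nameBits.length - 1];
  const department = useRoles ? source.Roles[0] : source.Get('user_department');
  const ext = { department: department, manager: { displayName: reportsTo } };
  const team = source.Get('user_team');
  // Department with teams: Organization/Division = Engineering, Department = QA
  if (team) { ext.division = department; ext.department = team; }
  destination[ENTERPRISE_EXT] = ext;
  return destination;
}

// Pre-flight check for the Troubleshooting cases: a single-token display name
// means a first or last name is missing (the script would copy the same token
// into both fields), and an empty department puts the user in "__No_Department__".
function preflight(destination) {
  const problems = [];
  if (destination.DisplayName.trim().split(/\s+/).length < 2) problems.push('missing first or last name');
  if (!destination[ENTERPRISE_EXT].department) problems.push('no department; SiQ will use __No_Department__');
  return problems;
}
```

Run `preflight(mapUser(...))` over each user before enabling provisioning in Live Mode to catch profiles that SiQ will reject or file under the default department.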

Troubleshooting

  • Users without a first name and/or last name in their Centrify profiles cannot be imported to SiQ as new users.
  • Centrify users without a department will be created with the default department named "__No_Department__".
  • If a department also has teams (sub-departments), SiQ expects the top-level organization to be provided as the Organization / Division and the team name as the Department. For example:

Organization: Engineering, with Department: QA
