Centrify Integration

SiQ supports an integration with Centrify / Idaptive, a privileged identity management system. This article walks you through the steps required to connect SiQ with Centrify. You will need Centrify admin privileges to complete this integration.

The supported features are:

  • Push New Users - New users created through Centrify are automatically created in SiQ.
  • Push Profile Updates - Updates made to users' profiles through Centrify are pushed to SiQ.
  • Push User Deactivations - Deactivating a user, or disabling the user's access to the application, through Centrify deactivates the user in the SiQ Web App. This effectively deletes the user from both systems.
  • Download Users from Third Party Apps - New users created in the third-party application are downloaded and turned into new AppUser objects for matching against existing SiQ users.

SiQ Actions

Log in to SiQ as an admin, and click on your profile name in the top right corner [1]. Select Settings [2], then scroll down to the Integrations section [3]. Click on Third Party Integrations [4]:

Navigate-Integrations.jpg

 

On the integrations page, you can either select Provisioning & SSO on the left [1] and click the green Activate button [2], or type Centrify in the search bar [3] and click on it in the search results [4]:

Navigate-Centrify.jpg

 

The Provisioning tab [1] contains the required SCIM Bearer Token field [2]. Copy that token to a secure location (a password manager or secrets store, not email or chat) for use later in the integration process: it is the credential Centrify presents to SiQ's SCIM endpoint, so anyone holding it can create, update and deactivate users in your SiQ tenant. There is also a place for optional custom field name JSON attributes you can add here [3]:

Centrify-Provisioning-Tab.jpg

 

The SSO tab [1] contains several fields that you will need to populate with data from Centrify, and one field whose value you will need to paste into Centrify: the SAML Audience URI [2]. We describe where to find these values in the Centrify Actions section below:

SSO-Tab.jpg

 

Centrify / Idaptive Actions

Your Centrify / Idaptive Portal URL can be seen in your browser's URL bar when you log in to your account. It will take the form https://example.my.idaptive.app/. Copy that into the Centrify Portal URL field under the SSO tab in SiQ.

Next, ensure that the user's Centrify login name and domain suffix on the user's account page correspond to the user's company email address.

If you are in the Admin Portal to begin with, you may need to switch to the User Portal to verify these details. In the top right corner, click on your user name [1]. If you are in the Admin Portal, click on the option to Switch to User Portal [2]:

Navigate.jpg

 

In the User Portal, click on Account [1], then Personal Profile [2], then examine your Centrify settings [3] to ensure the Suffix here matches the SiQ company domain [4]:

Centrify-Account-Settings-Suffix.jpg

 

Add the SiQ Web App 

This time you'll want to be in the Admin Portal of Centrify. Click on your username in the top right corner [1]. If you are not in the Admin Portal, you'll see the option to Switch to Admin Portal [2], assuming you have admin permissions:

Switch-to-Admin-Portal.jpg

 

Inside the Admin Portal look to the left to see an Apps section [1] where you'll click on Web Apps [2] then to the right click on the Add Web Apps button [3]:

Add-Web-App.jpg

On the Search tab [1] you can navigate to the Other category [2] or just type SiQ into the search field [3]. When you find SiQ, click Add [4]:

Search-Add.jpg

Click through the confirmation screen to continue:

Confirmation.jpg

 

Settings

Once the SiQ application has been added inside Centrify, you'll be taken to the Settings page [1]. Here the only required value is the SAML Audience URI [2], which can be found inside SiQ under the SSO tab as described in the section above. Click Save [3] before continuing:

Settings.jpg

 

Trust

On the Trust page [1], under Identity Provider Configuration, select Metadata [2] and expand the SAML Identity Provider Issuer field [3]. Copy this value [4] back to SiQ under the SSO tab as described above. On the same page, expand the Signing Certificate field [5] and download the file [6]. Open it in a text editor and copy the X.509 certificate value into the appropriate SiQ field as described above. SiQ uses this certificate to verify the signature on the SAML assertions Centrify sends, so check its validity dates before pasting it, and repeat this step whenever Centrify rotates its signing certificate: assertions signed with a certificate SiQ does not have will be rejected and SSO logins will fail:

Trust.jpg

 

Provisioning

On the Provisioning page [1] of your newly added app, check the Enable provisioning for this application option [2]. Make sure Live Mode is selected [3] and enter https://api.spaceiq.com/scims/callback/ as the SCIM Service URL [4]. Choose Authorization Header [5] and paste in the SCIM Bearer Token [6] from the Provisioning tab of the SiQ integration setup page as described above. Keep the https:// scheme exactly as shown; the bearer token travels in the Authorization header of every provisioning request. Click Save [7] when done:

Provisioning.jpg

 

Permissions

On the Permissions page [1] click on Add [2] to set up role(s) that represent the users and groups that have access to the application. Add users to their corresponding roles. When assigning an application to a role, select Automatic Install (the app will then appear automatically for users):

Permissions.jpg

 

On the Provisioning page, after verifying the connection, make sure the following sync option boxes are checked:

Sync-Options.jpg

 

Role Mapping

On the Account Mapping page, map the roles (for example, Engineering, Marketing) to their destination groups (departments). Department mapping can be done in two ways:

  • Additional attributes under Customization
  • Assigning each department to a role and then assigning users to that role under Users => Roles.

The provisioning script listed in full below supports either approach; the role-mapping variant is the commented-out block.

In Provisioning, at the very bottom of the page, click Provisioning Script. When the script is expanded, add the following code and save the changes:

if (source.Classification == "User") {
    destination.DisplayName = source.DisplayName;
    destination.Username = source.CanonicalizeName;
    destination.Email = source.Email;

    // SiQ needs a given and a family name; take the first and last word of the display name
    var nameBits = source.DisplayName.split(" ");
    destination.GivenName = nameBits[0];
    destination.FamilyName = nameBits[nameBits.length - 1];

    // Get the manager value; guard it, because an unset 'reportsto' makes value[0] fail
    var value = getSourcePropertyByName('reportsto');
    var manager = (value && value.Length) ? {displayName: value[0]} : null;

    // Enterprise User SCIM extension: department taken from the user_department additional attribute
    destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
        'department': source.Get('user_department'),
        'manager': manager
    };

    // Alternative: department taken from the user's role membership (uncomment to use instead of the block above)
    /*
    var val = source.Roles;
    destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
        'department': val[0],
        'manager': manager
    };
    */

    // Custom attributes
    destination.userType = source.Get("user_type");
    destination.title = source.Get("user_title");

    // Generic SCIM phone attributes
    destination.OfficePhone = source.OfficePhone;
    destination.MobilePhone = source.MobilePhone;
    destination.HomePhone = source.HomePhone;
}

if (source.Classification == "Group") {
    var propArr = getSourcePropertyByName("name");
    if (propArr && propArr.Length) {
        destination.DisplayName = propArr[0];
    }
}

 

If both departments and teams need to be provisioned, use this assignment in place of the enterprise extension assignment in the script above. Assigning the property again replaces the whole extension object, so adding it after the original would discard the department and manager values set there:

    // Enterprise User SCIM extension when departments contain teams:
    // user_department becomes the SiQ division, user_team the SiQ department
    destination['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'] = {
        'division': source.Get('user_department'),
        'department': source.Get('user_team'),
        'manager': (value && value.Length) ? {displayName: value[0]} : null
    };
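As an added example (not SiQ's or Centrify's own code), the following Node.js harness re-implements the mapping logic of the two snippets above against stand-in source objects, so the attribute mapping, the missing-manager case and the department/team variant can be checked locally before the script is pasted into Centrify. The makeSource() and propertyLookup() stand-ins, the sample records, and the assumption that Centrify's script engine treats this subset of JavaScript the way Node does are all assumptions; Centrify's real source object and getSourcePropertyByName() are not reproduced here.

```javascript
// Added example, not SiQ's or Centrify's code: a local harness for the provisioning
// script's mapping logic. The stand-in source object, the propertyLookup() stand-in
// for getSourcePropertyByName() and the sample records are constructed assumptions
// about how Centrify exposes attributes, not its real API.

const ENTERPRISE = 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User';

// Constructed sample input: two users (the second has no manager and no display name) and one group.
const SAMPLE_RECORDS = [
  {
    Classification: "User", DisplayName: "Ada Lovelace",
    CanonicalizeName: "ada.lovelace@example.com", Email: "ada.lovelace@example.com",
    OfficePhone: "+1 555 0100", MobilePhone: "", HomePhone: "",
    attrs: { user_department: "Engineering", user_team: "QA", user_type: "Employee", user_title: "Test Lead" },
    props: { reportsto: ["Charles Babbage"] },
  },
  {
    Classification: "User", DisplayName: "",
    CanonicalizeName: "noname@example.com", Email: "noname@example.com",
    OfficePhone: "", MobilePhone: "", HomePhone: "",
    attrs: { user_type: "Contractor" },
    props: {},
  },
  { Classification: "Group", props: { name: ["Engineering"] } },
];

// Stand-in for Centrify's source object: custom attributes via Get(), the rest as properties.
function makeSource(record) {
  const src = Object.assign({}, record);
  src.Get = (name) => (record.attrs && name in record.attrs) ? record.attrs[name] : null;
  return src;
}

// Stand-in for the global getSourcePropertyByName(): an array of values, or null when unset.
// A .Length property is added because the page's script tests .Length, not .length.
function propertyLookup(record) {
  return (name) => {
    const values = record.props && record.props[name];
    if (!values || values.length === 0) return null;
    const arr = values.slice();
    arr.Length = arr.length;
    return arr;
  };
}

// The page's mapping logic. withTeams=true selects the division/department variant
// from the second snippet while keeping the manager key, which a plain reassignment drops.
function mapRecord(source, getSourcePropertyByName, withTeams) {
  const destination = {};
  if (source.Classification == "User") {
    destination.DisplayName = source.DisplayName;
    destination.Username = source.CanonicalizeName;
    destination.Email = source.Email;
    const nameBits = source.DisplayName.split(" ");
    destination.GivenName = nameBits[0];
    destination.FamilyName = nameBits[nameBits.length - 1];

    // Guard the manager lookup: an unset 'reportsto' returns null, and null[0] would abort the script.
    const value = getSourcePropertyByName('reportsto');
    const manager = (value && value.Length) ? { displayName: value[0] } : undefined;

    destination[ENTERPRISE] = withTeams
      ? { division: source.Get('user_department'), department: source.Get('user_team'), manager: manager }
      : { department: source.Get('user_department'), manager: manager };

    destination.userType = source.Get("user_type");
    destination.title = source.Get("user_title");
    destination.OfficePhone = source.OfficePhone;
    destination.MobilePhone = source.MobilePhone;
    destination.HomePhone = source.HomePhone;
  }
  if (source.Classification == "Group") {
    const propArr = getSourcePropertyByName("name");
    if (propArr && propArr.Length) destination.DisplayName = propArr[0];
  }
  return destination;
}

// Run every sample record through the mapping.
function runSamples(withTeams) {
  return SAMPLE_RECORDS.map((r) => mapRecord(makeSource(r), propertyLookup(r), withTeams));
}

// Preflight for the conditions listed under Troubleshooting: a user with an empty GivenName or
// FamilyName is not imported by SiQ, and a missing department falls back to "__No_Department__".
function preflight(destinations) {
  const warnings = [];
  destinations.forEach((d) => {
    if (!(ENTERPRISE in d)) return; // groups carry no enterprise extension
    if (!d.GivenName || !d.FamilyName) warnings.push(`${d.Email}: missing given or family name, SiQ will not import this user`);
    if (!d[ENTERPRISE].department) warnings.push(`${d.Email}: no department, SiQ will use __No_Department__`);
  });
  return warnings;
}

if (typeof require !== "undefined" && require.main === module) {
  const out = runSamples(true);
  console.log(JSON.stringify(out, null, 2));
  preflight(out).forEach((w) => console.log("WARN " + w));
}
```

Run it with `node` to print the SCIM payloads the script would produce for the sample records and the preflight warnings for the blank-name user; swap in exports from your own Centrify user directory to check real data before enabling Live Mode.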

  

Troubleshooting

  • Users without a first name and/or last name in their Centrify profiles cannot be imported into SiQ as new users. The script derives both names from DisplayName, so a blank display name produces empty given and family names and the user is skipped.
  • Centrify users without a department are created in a default department named "__No_Department__".
  • If a department also has teams (sub-departments), SiQ expects the Organization / Division level to hold the top-level organization and the Department level to hold the team name, which is what the division/department variant of the provisioning script above provides. For example:
    • Organization: Engineering, with Department: QA