
SAML 2.0 Centrify Identity Service Integration

This topic describes how to set up Centrify Identity Service as the SAML identity provider (IdP) for single sign-on to an Agiloft knowledgebase, with Agiloft acting as the service provider (SP). For more information on SAML configuration in general, see SAML 2.0 SSO. The exact steps vary with the environment in which they are implemented; contact Agiloft support if you need more assistance.

Prerequisites

  • A Centrify account with administrator access, and administrator-level login credentials for Agiloft. You can sign up for a free trial account to use for testing.

Add SAML 2.0 to the Knowledgebase

  1. If you do not want users to be created automatically in Agiloft the first time they log in through Centrify SAML, create the users in the knowledgebase first and assign them to the appropriate Groups and Teams.
  2. Navigate to Setup > Access > Configure SAML 2.0 Single Sign-On.
  3. Click Download SAML 2.0 Service Provider Metadata, and save the file to an accessible location on your drive.  
  4. In the General tab of the SAML Configuration wizard, select Enable SAML SSO.
    1. Optionally, select Create SAML IdP Authenticated user in Agiloft (creates a user on first login if none exists) and Update User fields on subsequent logins by an existing user. See SAML 2.0 SSO for more information on these options.
  5. Select the Service Provider Details tab.
    1. Leave the first two fields (the Agiloft (SP) Entity ID and the SAML V2 Assertion Consumer Service (ACS) Endpoint) as they are; you will copy these values into Centrify below.
    2. For the Keystore file path, Java KeyStore Password, and Alias to add the certificate to the Java KeyStore:
      1. If you are using Agiloft's hosted service, Support populates these fields.
      2. If Agiloft is installed on an in-house server, see Generate a Keystore File and use that information to populate these fields. The keystore holds the private key that matches the X.509 certificate you download in step 7, so restrict access to the keystore file and its password.
  6. Click Finish. Back in the Setup > Access window, click Download SAML 2.0 Service Provider Metadata again and save the XML file to a location on your system; this is the copy you will upload to Centrify.
  7. Click Download X.509 Certificate and save the certificate to a location on your system. This is the SP's public certificate; Centrify will encrypt assertions to it, and Agiloft decrypts them with the matching private key in its keystore.

Create a Web App in Centrify 

Note: we recommend keeping both the Agiloft knowledgebase and your Centrify account open at the same time during this configuration.

  1. Log in to the Centrify Cloud Manager using your administrator credentials; for example, https://aas0111.my.centrify.com.
    1. Click Apps in the left pane, then click Add Web Apps.
    2. In the dialog box, select the Custom tab, scroll down to the SAML entry, click Add, then confirm.
    3. Close the dialog box. You are taken to the Application Settings window for the new SAML application.
  2. Select Description.
    1. Enter an Application Name, Application Description, Category and Logo.
    2. Click Save.

Establish the SAML Connection to Agiloft

  1. In Centrify, select Application Settings. From here you will move between the SAML wizard in Agiloft and the Application Settings in Centrify to copy values across. Fill in the Centrify fields from Agiloft as follows, starting from the Service Provider Details tab in Agiloft:
    1. Assertion Consumer Service URL - use the SAML V2 Assertion Consumer Service (ACS) Endpoint value.
    2. Issuer - use the Agiloft (SP) Entity ID value. Copy both values exactly; a mismatch such as a trailing slash or a different scheme means the Audience in the assertions Centrify issues will not match what Agiloft expects.
    3. Scroll down to Additional Options and click the arrow to expand the options.
    4. Select the Show in user app list checkbox. This lets users start a login directly from the Centrify app list.

    5. At the top of the window, click Upload SP Metadata.
      1. Select Upload SP Metadata from a file, then click Browse.
      2. Navigate to the metadata XML file you downloaded earlier and select it.
      3. Click OK.
    6. Select Encrypt Assertion.
      1. Click Browse and navigate to the X.509 certificate you downloaded earlier.
      2. The certificate is uploaded and the encryption details are shown. From now on Centrify encrypts the assertion to this certificate, so only the Agiloft server holding the matching private key can read it.
  2. In Agiloft, select the Identity Provider Details tab. Fill in the following from the Identity Provider Info section of Application Settings in Centrify:
    1. IdP Entity ID/Issuer - enter any value, or use the same URL as the Agiloft (SP) Entity ID in the Service Provider Details tab. If the Identity Provider Info section shows an Issuer value, use that instead, so this field matches the Issuer element in the responses Centrify sends.
    2. IdP Login URL - use the Identity Provider Sign-in URL.
    3. IdP Provided X.509 certificate contents - click Download Signing Certificate and save the file to a location on your system. Open the .cer file in a text editor: if it is Base64 text beginning with -----BEGIN CERTIFICATE-----, copy the contents and paste them into the Agiloft field; if it is binary (DER), convert it to PEM first (for example with OpenSSL) and paste the PEM text. Agiloft uses this certificate to verify the signature on Centrify's responses, so take it only from your own Centrify tenant.
  3. In Agiloft, click Finish. In Centrify, click Save.

At this point the initial SAML configuration is complete. Next, set up the Centrify and Agiloft users.
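As an added example (not Agiloft or Centrify code), the following Python script reads the Service Provider metadata file that Agiloft exports and checks the Issuer and ACS URL typed into Centrify's Application Settings against it, naming the usual copy errors (stray trailing slash, http instead of https, letter case). The metadata document, hostname, entityID and ACS Location are constructed placeholders, since the page does not show the real file, and the two Centrify settings dictionaries are constructed too.

```python
"""Cross-check the values copied from the Agiloft SP metadata into Centrify.
Added example, not Agiloft or Centrify code; the metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the file produced by "Download SAML 2.0 Service
# Provider Metadata". entityID, ACS Location and certificate are placeholders.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://server.agiloft.com/gui2/saml/Centrify">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://server.agiloft.com/gui2/saml/acs/Centrify"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# What an administrator typed into Centrify's Application Settings (constructed).
CENTRIFY_OK = {
    "issuer": "https://server.agiloft.com/gui2/saml/Centrify",
    "acs_url": "https://server.agiloft.com/gui2/saml/acs/Centrify",
    "encrypt_assertion": True,
}
CENTRIFY_BAD = {
    "issuer": "https://server.agiloft.com/gui2/saml/Centrify/",    # stray slash
    "acs_url": "http://server.agiloft.com/gui2/saml/acs/Centrify",  # http, not https
    "encrypt_assertion": True,
}


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields Centrify needs from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = [(e.get("Binding") or "", e.get("Location") or "")
           for e in sp.findall("md:AssertionConsumerService", NS)]
    # A KeyDescriptor with use="encryption" (or no use attribute) carrying a
    # certificate is what makes "Encrypt Assertion" in Centrify meaningful.
    has_enc_cert = any(
        k.get("use") in (None, "encryption")
        and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for k in sp.findall("md:KeyDescriptor", NS)
    )
    return {
        "entity_id": root.get("entityID") or "",
        "acs": acs,
        "wants_signed_assertions": (sp.get("WantAssertionsSigned") or "").lower() == "true",
        "has_encryption_cert": has_enc_cert,
    }


def explain_url_diff(expected: str, actual: str) -> str:
    """Name the usual ways a hand-typed URL drifts from the metadata value."""
    if expected == actual:
        return "matches"
    if expected.rstrip("/") == actual.rstrip("/"):
        return "differs only by a trailing slash"
    if expected.lower() == actual.lower():
        return "differs only in letter case"
    if expected.split("://", 1)[-1] == actual.split("://", 1)[-1]:
        return "differs only in scheme (http vs https)"
    return "does not match"


def check_centrify_settings(sp: dict, centrify: dict) -> list:
    """Return one message per inconsistency; an empty list means the values agree."""
    problems = []
    issuer = centrify.get("issuer", "")
    verdict = explain_url_diff(sp["entity_id"], issuer)
    if verdict != "matches":
        problems.append("Issuer %s: Centrify %r vs metadata entityID %r"
                        % (verdict, issuer, sp["entity_id"]))
    post_acs = [loc for binding, loc in sp["acs"] if binding.endswith("HTTP-POST")]
    acs_url = centrify.get("acs_url", "")
    if acs_url not in post_acs:
        verdict = (explain_url_diff(post_acs[0], acs_url) if post_acs
                   else "has no HTTP-POST endpoint in metadata")
        problems.append("ACS URL %s: Centrify %r vs metadata %r" % (verdict, acs_url, post_acs))
    if centrify.get("encrypt_assertion") and not sp["has_encryption_cert"]:
        problems.append("Encrypt Assertion is on but the metadata carries no encryption certificate")
    return problems


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    for label, settings in (("ok", CENTRIFY_OK), ("bad", CENTRIFY_BAD)):
        print(label, check_centrify_settings(sp, settings) or ["consistent"])
```

Run it against the real metadata file (replace SP_METADATA with the file contents) and the values shown in Centrify before testing a login; an Issuer or ACS mismatch is the most common reason a first SAML login fails, and the message tells you which character to fix rather than just that the values differ.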

Assign Centrify Users to the Application

If your organization's Centrify account does not already contain the users and roles you need, begin by defining the roles. Then add, invite or import the users in Centrify and assign them to roles. For more information on these processes, see the Centrify Documentation.

  1. Once the roles exist, in Centrify select Apps, then open the SAML application.
  2. Select User Access, then select the roles that should be allowed to access the Agiloft application via Centrify. Users outside these roles cannot log in to Agiloft through Centrify.
  3. Click Save.

Users assigned to those roles can now access the Agiloft knowledgebase by pointing their browsers to the following URL:

https://[agiloftserver]/gui2/samlssologin.jsp?project=KB_NAME

Example

 https://server.agiloft.com/gui2/samlssologin.jsp?project=Centrify

In addition, a user can log in to the Agiloft GUI from the Centrify apps dashboard in the User Portal by clicking the application icon.

For more information on creating the Group and Team mappings in Agiloft, see Configure Agiloft.

Automatically Create and Update Users

SAML can be configured to create or update users in Agiloft when they log in. For more information on this feature, see SAML Automatic User Provisioning.

Dynamic Group and Team Mapping

A standard configuration assigns a fixed Group and Team to every new user created through Agiloft SAML SSO user provisioning. It is also possible to assign users to different Groups or Teams based on attributes sent by Centrify. To set up dynamic Group and Team mapping:

  1. In Agiloft, create every Group and Team that will be assigned dynamically. Agiloft matches the values sent by Centrify against existing Group and Team names, so a group that does not exist in Agiloft cannot be assigned; whenever a new Group or Team is added to the Active Directory or repository behind Centrify, add it to Agiloft as well.
  2. In the Centrify Cloud Management portal:
    1. Open the Application you created for accessing Agiloft.
    2. Click Advanced to open the Advanced settings screen.
    3. Lines 1-7 will already be populated if the configuration has been set up correctly. Add the following line, which sends the groups associated with the user as a multi-valued SAML attribute named Groups in the SAML authentication response:

      setAttributeArray('Groups', LoginUser.GetGroupAttributeValues("userprincipalname"));

      Note: there are several alternative ways of sending group information as SAML attributes in the response; for example:

      setAttributeArray('Groups', LoginUser.EffectiveGroupNames);
       
      Or
       
      setAttributeArray('Groups', LoginUser.GroupNames);


    4. Do the same for the Team attribute, if needed.
    5. Click Save. Use the Test button to verify the SSO token values that will be sent to Agiloft at runtime; the Groups attribute should list the group names exactly as they were created in Agiloft.
  3. In Agiloft:
    1. Log in as an admin user and navigate to Setup > Access > Configure SAML > User Group Mapping tab.
    2. Select Map the group(s) from this SAML attribute, and enter the SAML attribute name you specified in the Advanced section of the Centrify application settings above (Groups in the example).
    3. Choose whether to update the user's groups on subsequent logins.
    4. If needed, open the User Team Mapping tab, select the Set the User's teams from the IdP checkbox, and enter the SAML Team attribute name in the same way.
    5. Select the Service Provider Details tab and click Finish.

Dynamic Field Mapping

User fields can also be populated dynamically, using steps similar to the dynamic group and team mapping. The examples below show how to map a user's First Name and Last Name between Centrify and Agiloft; other fields are mapped in the same way.

  1. In Centrify:
    1. Open the Application you created for accessing Agiloft.
    2. Click Advanced to open the Advanced settings screen.
    3. See the example below:
    4. In lines 10-11, the FName and LName attributes send the user's First Name and Last Name to Agiloft.
    5. Lines 13-14 show additional values for Department and Phone Number, mapped from the Active Directory or LDAP repository that the Centrify account uses to store user values. These examples assume that the attributes DEPT and PHONE exist in Active Directory or LDAP.
  2. In Agiloft:
    1. Log in as an admin user and navigate to Setup > Access > Configure SAML > User Field(s) Mapping tab.
    2. For each Agiloft user field, enter the name of the corresponding SAML attribute sent by Centrify.
    3. Select the Service Provider Details tab and click Finish to save the settings.
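As an added example (not Agiloft or Centrify code) covering both the dynamic Group and Team mapping and the dynamic field mapping above, the following Python script reads a SAML Response the way the User Group Mapping and User Field(s) Mapping tabs consume it: it checks that the Issuer and Audience match the Entity IDs entered in the wizard, checks the validity window, splits the multi-valued Groups attribute into names that exist in Agiloft and names that do not, and picks out the mapped user fields. The response, hostnames and Entity IDs are constructed placeholders; the Department and Phone attribute names, and the Agiloft field labels in FIELD_MAP, are assumptions, since the page names only Groups, FName and LName. XML signature verification and decryption of an EncryptedAssertion are deliberately left out: Agiloft performs those with the IdP signing certificate and its keystore, so this script is a diagnostic for the output of Centrify's Test button, not a replacement for the SP's own checks.

```python
"""Read a SAML Response the way Agiloft's group, team and field mapping would.
Added example, not Agiloft or Centrify code. It checks Issuer, Audience and the
validity window and extracts attributes; it does NOT verify the XML signature
or decrypt an EncryptedAssertion, which Agiloft does itself."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the Agiloft SAML wizard (constructed placeholders).
IDP_ENTITY_ID = "https://aas0111.my.centrify.com/saml"           # IdP Entity ID/Issuer
SP_ENTITY_ID = "https://server.agiloft.com/gui2/saml/Centrify"   # Agiloft (SP) Entity ID
# Groups that exist in Agiloft; anything else Centrify sends cannot be assigned.
AGILOFT_GROUPS = {"Contract Managers", "Legal", "admin"}
# Agiloft field -> SAML attribute name. FName/LName come from the page;
# Department and Phone are assumed names for the DEPT/PHONE directory values.
FIELD_MAP = {"First Name": "FName", "Last Name": "LName",
             "Department": "Department", "Phone": "Phone"}

# Constructed, unsigned, unencrypted response like the one Centrify's Test button shows.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://aas0111.my.centrify.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://aas0111.my.centrify.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://server.agiloft.com/gui2/saml/Centrify</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>Contract Managers</saml:AttributeValue>
        <saml:AttributeValue>Legal</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="FName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Department"><saml:AttributeValue>Legal</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Phone"><saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text: str) -> dict:
    """Pull issuers, audience, validity window and attributes out of a plaintext response."""
    root = ET.fromstring(xml_text)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt with the SP keystore key first")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    window = {k: parse_ts(cond.get(k)) for k in ("NotBefore", "NotOnOrAfter")
              if cond is not None and cond.get(k)}
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    return {
        # Both the Response and the Assertion carry an Issuer; they must all agree.
        "issuers": {(e.text or "").strip() for e in root.iter("{%s}Issuer" % NS["saml"])},
        "name_id": (assertion.findtext("saml:Subject/saml:NameID", "", NS) or "").strip(),
        "audience": (assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS) or "").strip(),
        "window": window,
        "attributes": attrs,
    }


def validate(resp: dict, idp_entity_id: str, sp_entity_id: str, now: datetime) -> list:
    """Checks driven by the wizard values; an empty list means the response is acceptable."""
    problems = []
    if resp["issuers"] != {idp_entity_id}:
        problems.append("Issuer %r does not match configured IdP Entity ID %r"
                        % (sorted(resp["issuers"]), idp_entity_id))
    if resp["audience"] != sp_entity_id:
        problems.append("Audience %r does not match SP Entity ID %r" % (resp["audience"], sp_entity_id))
    if "NotBefore" in resp["window"] and now < resp["window"]["NotBefore"]:
        problems.append("assertion not yet valid")
    if "NotOnOrAfter" in resp["window"] and now >= resp["window"]["NotOnOrAfter"]:
        problems.append("assertion expired")
    return problems


def map_groups(sent: list, existing: set) -> tuple:
    """Split the Groups attribute into names Agiloft can assign and names it cannot."""
    return [g for g in sent if g in existing], [g for g in sent if g not in existing]


def map_fields(attrs: dict, field_map: dict) -> dict:
    """Take the first value of each mapped attribute; attributes not sent are omitted."""
    return {field: attrs[name][0] for field, name in field_map.items() if attrs.get(name)}


if __name__ == "__main__":
    resp = parse_response(SAML_RESPONSE)
    now = parse_ts("2024-01-01T00:02:00Z")
    print("problems:", validate(resp, IDP_ENTITY_ID, SP_ENTITY_ID, now))
    print("groups:", map_groups(resp["attributes"].get("Groups", []), AGILOFT_GROUPS))
    print("fields:", map_fields(resp["attributes"], FIELD_MAP))
```

Paste the XML from Centrify's Test button into SAML_RESPONSE (Base64-decode it first if that is how it is shown) and set AGILOFT_GROUPS to the Group names that actually exist in Agiloft: the "unknown" half of map_groups is the list of directory groups that will silently fail to map because they were never created on the Agiloft side, and the Issuer check catches the case where the IdP Entity ID/Issuer field was filled with an arbitrary value that does not match what Centrify sends.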