Centrify is a comprehensive suite of free Active Directory-based integration solutions for authentication, single sign-on, remote access and file-sharing for heterogeneous systems.

Prerequisite

  • Partners must register with OpsRamp to get OpsRamp login credentials.
  • Provide your custom branding URL (such as <yourwebsitename>.opsramp.com).

Centrify configuration

To configure:

  1. Log into Centrify.
  2. Go to Apps > Add Web Apps > OpsRamp.
  3. From Custom App, click the SAML template and click Add.
  4. In Service Provider Info, enter:
    • Consumer service URL: https://<opsrampclientbrandingname>.opsramp.com/samlResponse.do
    • Issuer: https://<opsrampclientbrandingname>.opsramp.com/saml.do
  5. In Application Settings, enter:
    • Sign in URL
    • Error URL
    • Sign out URL
    • SAML Meta data URL
  6. Download the Centrify Signing certificate (saved with the .cer extension). The certificate is used for OpsRamp configuration.
  7. Enter the following and Save:
    • Description: Enter a description for SAML App.
    • User Access: Grant users permission to install the OpsRamp web app.
    • Account Mapping: Map the added OpsRamp web app to the user accounts with a mapping script and

OpsRamp configuration

To configure SSO integration:

  1. From All Clients, select a client.

  2. Navigate to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page displays all the installed applications. Note: If there are no installed applications, the Available Integrations and Apps page is displayed instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.

  6. Search for Centrify using the search option available. Alternatively, use the All Categories option to search.

  7. Click +Add on the Centrify tile.

  8. Enter the following information in the Configuration page:

    • Metadata XML: Upload the XML file. This file will have all the information related to Issuer URL, Redirection URL, Logout URL, and Certificate. After you upload the Metadata XML file, these fields are automatically populated.
      Alternatively, you can enter the information in the fields manually.
    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML EndPoints for HTTP
    • Logout URL: URL for logging out
    • Certificate: X.509 certificate

  9. Provision Username as: There are two ways to provision a user. Select the appropriate option:

    • Identity Provider’s Name Identifier: This option is selected by default. The user created in the SSO portal is reflected in OpsRamp.

    • Identity Provider’s Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:

      • Create usernames with a unique 3-digit alphanumeric prefix that is generated automatically by the system.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert your changes.
        Example: There are three partners, Partner P1, P2, and P3. Each partner has usernames created with unique 3-digit alphanumeric prefix, like g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

  10. Click Next. The INBOUND screen is displayed.

    In the Inbound page, there are two sections: USER PROVISION and MAP ATTRIBUTES.

    USER PROVISION

    • JIT
    • NONE: Only the existing users will be able to login.

    JIT

    The following section describes JIT provisioning in detail.

    In the Inbound page:

    1. Click the edit icon, enter the following information, and click UPDATE USER PROVISION:

    Field Name | Field Type | Description
    Provision Type | Dropdown | Select provision type as JIT. When configuring the integration it is necessary to select the Provision Type - JIT to synchronize users when provisioning occurs.
    Default Role | Dropdown | The required user role.

    The details are updated and the USER PROVISION section displays the unique Tenant Prefix. These details are used when configuring Centrify Provisioning settings.


    MAP ATTRIBUTES

  11. Define the following Map Attributes:

    Note:

    • For JIT: The OpsRamp properties like Primary Email, First Name, Last Name, and Role are required.

    1. Click +Add in the Map Attributes section.
    2. From the Add Map Attributes window, enter the following information:

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role.
    1. Centrify Entity: Enter the value.
    2. Centrify Property: Enter the value.
      In PROPERTY VALUES section:
    3. Centrify Property Value: Enter the Centrify property value.
    4. OpsRamp Property Value: Select the appropriate role corresponding to the Centrify Property Value.
    5. Click Save. The mapping is saved and displayed.
      To add more property values click +Property Value.
      Use the Filter option to filter the map attributes.

    Similarly, map attributes for other entities.

    Note: If a mapping for Time Zone is not provided, the organization time zone is used by default.

    1. Click ADD MAP ATTRIBUTES.

    • Click the three dots (menu icon) available at the end of each row to edit or delete a map attribute.
    • Use Filter to filter the map attributes.

    Note: If Role is not configured in Map Attributes section, the Default Role provided in USER PROVISION section is considered for SSO.

  12. Click FINISH. The Centrify integration is installed and displayed under Installed Integrations.

Actions on Integration

You can perform actions like View Logs, Export, Edit, and Uninstall on the integration.

Audit Logs

View Inbound logs from the View Logs option for the integration. The logs show whether each event was successful.

See Audit Logs for more information.