Integrate with Centrify Idaptive

Overview

Integrating Centrify Idaptive Single Sign-On (SSO) is a quick and easy process. There are only two pieces of information we are going to copy and paste from one system to the other.

  • The Frame SAML2 Integration Name. This is a name you pick when you create the SAML authentication integration. The name should be something no one else has used across the platform. It should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive: you will need to use this name exactly as it appears, including upper and lower case, in later steps of this guide.

Note

The SAML2 integration name you choose will be displayed on the SSO login button used by anyone attempting to log in to the platform.

  • The Centrify Federation Metadata URL. This URL contains the SAML2 metadata needed for your account.

Following the steps below, this process should take less than fifteen minutes.

Create the SAML2 Authentication Integration Provider in Frame

  1. A SAML2 authentication integration can be configured at any level (depending on administrative access) by navigating to the Admin page and clicking on the ellipsis listed next to the desired entity name. Select “Edit” from the menu that appears.
../../_images/authnav1.png
  2. Navigate to the “Security” tab and enable the “SAML2” toggle under “Authentication.”
../../_images/authnav2.png
  3. Once the setting is saved, the “SAML2 Providers” tab will appear. Navigate to this tab and then click “Add Provider.”
../../_images/image99.png
  4. A new window will appear prompting you to enter some information.

    ../../_images/centrifyauthexample.png
    • Application ID: The Application ID identifies a partner across federation interactions and can be set to any DNS-compliant string. In this example, we will use frame-idaptive. Centrify Idaptive also refers to this as the “Application ID” in their setup. Please do not use this name for your own integration.
    • Auth provider metadata: Enter the Centrify metadata URL here. If you have not yet obtained this piece of information, you can enter any URL to proceed at this point of integration and update the field with the correct URL later.
    • Name: Enter your unique SAML2 Integration name here. The name should have only letters, numbers, and the dash symbol; no spaces or punctuation are allowed. It is also case-sensitive. We will use the SAML2 integration name docs-auth-idaptive for this example. Please do not use this name for your own integration.
    • Authentication token expiration: Set the desired expiration time for the authentication token. This can range from 5 minutes to 7 days.
    • Signed response: Leave this toggle disabled. If you wish to use Signed SAML2 Responses, please contact Frame Support or your Account Manager for further instructions.
    • Signed assertion: Enable this toggle.
  5. In order to add Idaptive metadata, we will need to open up a new tab to begin Idaptive setup. Leave the “Add a SAML2 identity provider” window open so we can enter the metadata information later on.

Configure Idaptive

  1. In a new tab, log into your Centrify Idaptive admin console. You will automatically be taken to the “Dashboards” page. Click the arrow next to “Apps” on the sidebar and select “Web Apps.”
../../_images/centrify1.png
  2. At the top of the “Web Apps” page, click “Add Web Apps.”
../../_images/centrify2.png
  3. A new window will appear. Click on the “Custom” tab, scroll down until you find the “SAML” option, and click the “Add” button listed next to it.
../../_images/centrify3.png
  4. A prompt will appear asking you to confirm your choice. Click “Yes.” Now, click “Close” on the “Add a web app” panel.

  5. You will be taken to a new page to configure your Frame SAML application.

    ../../_images/centrify4.png
    • Name: Specify the name of the application here. You may optionally enter a brief description as well.
    • Logo: You may optionally add a Frame logo, which you can find below.
    • Application ID: Enter the Application ID you specified earlier into this field. For this example, we set the Application ID to frame-idaptive.
../../_images/XiFrame_logo.png
  6. Click “Save” once you have entered all of the information.
  7. Now click on the “Trust” page listed on the left sidebar. Under “Identity Provider Configuration,” you will see a few options for obtaining metadata. Click “Copy URL” and switch back to your Frame tab. Paste the URL into the “Auth provider metadata” field. Click “Add” at the bottom of the window.
../../_images/centrifyURL.png
  8. Your new integration will populate as a listed item under the “SAML2 providers” section, as shown below:
../../_images/centrify4a.png
  9. Go back to your Centrify tab. Under “Service Provider Configuration,” enter your service provider metadata URL from Frame in the following format:

    https://img.frame.nutanix.com/saml2/metadata/[SAML_INTEGRATION_NAME]/

Referencing the SAML2 integration name we set in step 4, our example service provider metadata URL would be:

    https://img.frame.nutanix.com/saml2/metadata/docs-auth-idaptive/
  10. Click “Load” next to the URL field. You will see your Frame metadata automatically load into the XML field, as shown below. Click “Save” at the bottom of the page.
../../_images/centrify4b.png
  11. Next, click on the “SAML Response” page listed on the left sidebar. Add the following attributes as shown in the example below. Click “Save” at the bottom of the page after entering the attributes.
../../_images/centrify5.png
  12. Click on the “Permissions” page listed on the left sidebar. Click the “Add” button at the top of the page.
../../_images/centrify6.png
  13. For testing purposes, we will give “Everybody” permission by using the search bar at the top of the page. You may add a different permission set that fits your organization. Check the box next to your permission set and click “Add” at the bottom of the page.

Note

You must add a set of permissions in order for your SAML2 integration to work with Frame. Frame recommends temporarily adding “Everybody” as a permission to test the integration. You can modify permissions later, once the integration has been set up successfully.

../../_images/centrify7.png
  14. Click “Save” on this page. You will notice that the status of your web app will update to “Deployed.” You may now close your Idaptive admin console.
../../_images/centrify8.png
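As an added example (not part of this guide or of the Frame product), the following Python script enforces the integration-name rules from step 4 when building the service provider metadata URL shown in step 9, and runs a few sanity checks on an IdP federation metadata document before its URL is pasted into the “Auth provider metadata” field. The base URL is the format shown above; the sample metadata, its hostnames and the certificate body are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Assumed: base URL follows the format shown on the page; namespaces are the standard SAML ones.
SP_METADATA_BASE = "https://img.frame.nutanix.com/saml2/metadata/"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # letters, digits and dash only


def sp_metadata_url(integration_name: str) -> str:
    """Build the Frame SP metadata URL; the name is case-sensitive, so never fold it."""
    if not NAME_RE.fullmatch(integration_name):
        raise ValueError(f"invalid SAML2 integration name: {integration_name!r}")
    return f"{SP_METADATA_BASE}{integration_name}/"


def check_idp_metadata(xml_text: str) -> dict:
    """Pre-flight checks on IdP metadata before its URL is pasted into Frame: an entityID,
    a published signing certificate (what 'Signed assertion' relies on) and HTTPS SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = [
        kd for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None
    ]
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": len(signing_certs),
        "sso_endpoints": sso,
        "all_https": bool(sso) and all(u.startswith("https://") for u in sso),
    }


# Constructed sample IdP metadata (not real Centrify output); certificate body is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/frame-idaptive">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sp_metadata_url("docs-auth-idaptive"))
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
```

To check a live IdP, fetch the “Copy URL” address over HTTPS and pass the response body to check_idp_metadata before adding the provider.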

Configure SAML2 Permissions

Once the IdP is successfully configured on Frame, administrators will need to configure the authorization rules for the account from the “SAML2 Permissions” tab listed to the right of the current tab. Read more about user roles and permissions in our “User Permissions” section.

../../_images/saml2permissions.png

Using Idaptive as a SAML2 Authentication Integration

Your new SAML2 auth integration will appear as a button on your Xi Frame login page. The URL for navigating to your Xi Frame login page will vary depending on the level at which the SAML2 integration was configured.

Customer level:

https://frame.nutanix.com/[customer_URL]/

Organization level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/

Account level:

https://frame.nutanix.com/[customer_URL]/[organization_URL]/[account_URL]/
../../_images/finalcentrify.png