Introduction to application management


To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to specify who has access to it. You can also configure the application so that it is automatically installed for users, or so that users can optionally add it as desired.

In general, each user can access a web application either from a mobile device or from the user web portal:

In the user portal, users see the applications deployed for automatic installation on the MyApps page. Users can add optional applications by clicking Add Apps.

On mobile devices, users see their automatically assigned web applications on the Apps tab of the WebApps screen in the Centrify Identity Services application. Optional web applications do not display on mobile devices; users add optional web applications from the user portal, after which the applications display on the device.

Users can see their optional mobile applications on the user portal MyApps page.

For Samsung KNOX-capable devices, the following situations apply:

If you have enabled the group policy to allow container creation, the web applications display only in the Centrify application inside the Samsung KNOX container, regardless of whether the container has been created yet. The web applications are not available outside the container.

If you have not yet enabled the group policy to allow container creation, the web applications display only in the Centrify application on the device, outside the Samsung KNOX container.

Applications User Guide 1

Application types

There are different types of applications that you can add and deploy to your users. The Centrify App Catalog lists the name and application type for each application.

Web applications with user name and password authentication: Some web applications are configured for user name and password authentication only.

Web applications with SAML or WS-Fed authentication: Some web applications are configured to exchange authentication information between an identity provider (IdP) and a service provider (SP), allowing users who have already signed in to one application to access their other applications without signing in again. Two formats for this form of single sign-on (SSO) are SAML and WS-Federation.

Mobile applications: Some applications are available as mobile applications only, as web applications only, or as both mobile and web applications.

Custom applications: If your application is not listed in the catalog, you can use a custom template to provide access to that application through the user portal. The types of custom applications are listed here with links to more information about each type:

Bookmark applications: link to the URL of the application without a login authentication mechanism. For more information, see Custom bookmark applications.

Browser Extension applications: allow you to create web applications that are not in our catalog for which you want to provide single sign-on (SSO) that authenticates users with a user name and password, where the login pages are dynamic, use cookies, or where header information needs to be passed. For more information, see Custom browser extension user-password applications.

Advanced Browser Extension applications: provide more flexibility for creating applications that are not in our catalog than the standard browser extension applications. Use this type when you want to provide user-password single sign-on (SSO) to a web application that requires a user name and password, where the login pages are dynamic, use cookies, or where header information needs to be passed. Additionally, it provides single sign-on to a web application that requires a user-specific URL, or to a web application that functions differently when launched in different browsers. For more information, see Custom Browser Extension (advanced) applications.

NTLM and Basic applications: allow you to create web applications that are not in our catalog and that use NTLM or HTTP Basic authentication. For more information, see Custom NTLM or HTTP Basic user-password applications.

OpenID Connect applications: allow you to create web applications that are not in our catalog and that use OpenID Connect authentication, using the custom OpenID Connect application template. For more information, see Custom OpenID Connect applications.

SAML applications: allow you to create web applications that are not in our catalog and that use SAML (Security Assertion Markup Language) for authentication. For more information, see Custom SAML applications.

User-Password applications: allow you to create web applications that are not in our catalog when the application only supports user name and password authentication, or when you do not want to configure the application for SAML SSO at this time. For more information, see User password applications.

WS-Fed applications: allow you to create web applications that are not in our catalog and that use WS-Federation authentication. For more information, see Custom WS-Fed applications.

Adding web applications by using Admin Portal

You can add web applications and then configure and deploy them to users in one session. Alternatively, you can add the applications to your Admin Portal Apps page and then configure and deploy them at a later time. The Status column shows the application status (see Application Status). You need to configure an application and deploy it to a role before users can use single sign-on to access it.

Note: Users can also add web applications (user password applications only) from the user portal. See the user portal help for user-specific information. You can, however, disable this feature (see Managing device configuration policies on page 29).

You can add web applications using the following methods:

From the Centrify Identity Services App Catalog. See Adding web applications from the Centrify Identity Services App Catalog.

Using a template. You can use this method if the application is not in the application catalog. See Using a template.

Using Centrify Identity Services Infinite Apps. You can use this method if the application is not in the application catalog. You add the application using the App Capture feature in Centrify Identity Services Infinite Apps. See Adding web applications by using Centrify Infinite Apps.

Cloning, exporting, and importing. Cloning is a time-saver when you need two similar but not identical configurations for the same application. Importing and exporting are useful when you want to assign an application that you have previously assigned in another instance, for example, exporting an application from a pilot implementation and then importing it into a production environment. See Cloning, exporting, and importing web applications for the details.

Adding web applications from the Centrify Identity Services App Catalog

The Centrify Identity Services App Catalog contains an ever-expanding list of web applications ready for assignment to users. If the web application is not in the catalog, you can open a template in the catalog and fill in the details.

To add a web application from the App Catalog:

1. Log in to Admin Portal.
2. Click Apps > Add Web Apps. The Add Web Apps window opens.
3. Use the information on the Search tab to select the application or applications. See Using a template to add an application using one of the application templates. See Cloning, exporting, and importing web applications to add an application from another application that you previously exported.
4. Select the application or applications. Click the Add button to select one or more applications. You can continue to select categories and add more applications. You can add up to 30 applications in one session. If you change your mind, click Remove.
5. Click Close. If you added just one application, Admin Portal opens the configuration window for that application. If you added more than one application, Admin Portal opens the Apps page; click the application name to configure it. Click Help for this application for the configuration instructions.

Using a template

The Centrify Identity Services App Catalog includes templates you can open and fill in to add applications. Click the Custom tab to display the list of templates. Click the information icon associated with each template for a description.

To add an application from a template:

1. Open Admin Portal and click the Apps tab.
2. Click Add Web Apps. This opens the Add Web Apps window.
3. Click the Custom tab.
4. Click Add for the template you want and click Yes in the confirmation window.
5. Click Close. This closes the Add Web Apps window and opens the configuration window.
6. Click Help for this application for the configuration instructions.

Cloning, exporting, and importing web applications

You can clone an existing application to save yourself some time when assigning applications that have similar but different configurations. You can also export an application you have already configured, in a test environment for example, so that you can import it into your production environment.

Cloning an application

When you need multiple instances of an application, each with a slightly different configuration, you can generate a clone and then modify just the properties that differ in the clone. When you create a clone, the copy has (Cloned) appended to the application name. Click the clone to modify the fields you need to change (including the application name).

To clone an application already added on the Apps page:

1. Open Admin Portal and click Apps.
2. Right-click the application and click Clone. Alternatively, you can open the application listing on the Apps page, click Actions, and then select Clone.

Exporting one or more applications

You can export one or more applications that you have already configured for use in another environment or as a backup. You can select multiple applications for export. Admin Portal creates a zip file you can then import into the other environment to add the applications.

Note: You cannot unpack the zip file and import individual applications if you export multiple applications.

To export one or more applications:

1. Open Admin Portal and click Apps.
2. To export a single application, right-click the application and click Export. To export multiple applications, select each application and click Export in the Actions menu.
3. Transfer the zip file to the target environment.

Importing exported applications

You add applications that you have exported using the zip file created by the Admin Portal Export command.

Note: You cannot unpack the zip file and import individual applications if you export multiple applications.

To add applications using a zip file created by the Export command:

1. Open Admin Portal and click Apps.
2. Click the Add App button.
3. Click the Import button in the Applications Catalog window.
4. Navigate to the zip file created by the Export command and click Open. (Imported) is appended to the application name on the Apps page.
5. (Optional) Click the application to change the name using the Description properties.

Viewing and sorting applications in the Apps page

The Apps page lists all of the applications you have added to the identity platform. You can use the column headers to sort applications and quickly find the one you are looking for.

Note: Your role must have the identity platform Applications Management administrative right to view, add, and modify applications.

Application Status

An application can have one of the following statuses:

Not Configured: (mobile applications) Not all required fields have been defined.

Ready to Deploy: (web applications) All required fields have been defined, but you have not yet assigned user access.

Deployed: All the required fields have been defined and user access has been assigned. Users assigned to the roles with this application deployed can now access the application from their Centrify Identity Services user portal or devices.

Application Types

You can also filter the applications displayed by type. Use the Search drop-down menu to select the type. The application types are defined as follows:

Android Custom (Mobile): In-house applications for Android-based devices for which you supplied the binary file (*.apk).
Android Google Play (Mobile): Android applications downloaded from Google Play.
Android (Mobile): All Android applications.
Bookmark (Web): Web applications launched using a browser bookmark (URL only).
Custom (Mobile): All iOS and Android custom applications.
iOS (Mobile): iOS applications selected from the iTunes App Store. The user downloads the application from the Apple App Store.
iOS App Store (Mobile): iOS applications downloaded from the App Store.
iOS Custom (Mobile): In-house iOS applications for which you supplied the binary file (*.ipa).
Mobile: All iOS and Android in-house applications.
SAML (Web): Web applications that use SAML for authentication.
SSO (Web): Web applications that use either SAML, WS-Federation, or vendor-specific federated authentication.
User Password (Web): Web applications that use a user name and password for authentication.
Web: All web applications.

If you are an Express customer, you can add, remove, configure, and deploy up to three web and three mobile applications. If you are a licensed customer, you can add, remove, configure, and deploy unlimited web and mobile applications. If your license expires, all web and mobile applications return to Ready to Deploy status.

SAML and WS-Federation SSO options

Web applications that support SAML and WS-Federation can use Centrify Identity Services to securely authenticate users. The Service Provider (SP), also called the Relying Party (RP), is the web application that users request to log in to via Centrify Identity Services (also called the Identity Provider, IdP, or Security Token Service, STS). A signing certificate (X.509) establishes the trust relationship between the SP and the IdP: the IdP signs the XML it issues with the private key that corresponds to the certificate, and the SP verifies that signature against the copy of the certificate it has on file. The SP therefore only trusts assertions from an IdP whose certificate it was configured with; if the certificate on file is out of date or belongs to a different IdP, signature verification fails and the login is rejected. With that trust relationship in place, the SP consumes the assertion passed to it from the IdP and allows users to authenticate without requiring additional credentials.

Web applications that support SAML and WS-Federation authentication offer the following authentication methods:

IdP-initiated only: The IdP sends the SAML Response (for WS-Federation, the Request Security Token Response, RSTR) to the SP.

SP-initiated only: The SP sends the SAML Request (for WS-Federation, the Request Security Token, RST) to the IdP; the IdP sends the SAML Response (RSTR) to the SP.

IdP-initiated and SP-initiated: Both flows are permitted.

Note: The response is sent to the Assertion Consumer Service (ACS) URL configured during application setup.

In most cases, if you use IdP-initiated SSO, your users can still access the application directly using their user name and password. If you use SP-initiated SSO, your users are redirected to the user portal if they attempt to log in directly to the web application. Some applications prevent user name and password logins.

The following steps (reconstructed from the diagram) illustrate the main differences between IdP-initiated and SP-initiated SSO.

IdP-initiated SSO:

1. User logs on to the User Portal (IdP); the IdP authenticates the user.
2. The IdP generates a security token and redirects the user to the web application (SP site).
3. The SP grants access to the user.
4. User is logged on to the web application. If a RelayState is defined, the user is directed to the specified landing page.

SP-initiated SSO:

5. User accesses the web application (SP site).
6. The SP redirects the user to the IdP.
7. The IdP authenticates the user, generates a security token, and redirects back to the web application (SP site).
8. The SP grants access to the user.
9. User is logged on to the web application. If a RelayState is defined, the user is directed to the specified landing page.
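The following is an added example, not Centrify's code, showing both sides of the exchange above from the service provider's point of view using only the Python standard library: step 6 (the SP builds a SAML AuthnRequest, encodes it for the HTTP-Redirect binding and sends the browser to the IdP with a RelayState), and the checks an SP has to make on the Response that arrives at its ACS URL in step 3 or 8 (Destination equals the ACS URL, InResponseTo matches a request the SP actually issued for the SP-initiated case and is absent for an unsolicited IdP-initiated Response, the validity window, and the Audience). The XML signature check that the trust relationship described above rests on is deliberately delegated to a caller-supplied verify_signature callable (in practice an XML-DSig library such as python-xmlsec with the IdP certificate on file); the example does not implement XML-DSig itself. All URLs, entity IDs, the sample Response and the helper names are constructed for illustration.

```python
"""SP-side SAML 2.0 helpers (added example, not Centrify's code).
Assumption: `verify_signature` stands in for an XML-DSig check against the
IdP certificate on file; the other checks only matter once it has passed.
URLs, entity IDs and the sample Response are constructed for illustration."""
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def _instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_instant(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, relay_state=None):
    """SP-initiated step 6: build an AuthnRequest and encode it for the
    HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encode).
    Returns (request_id, redirect_url); the SP stores request_id so the
    Response's InResponseTo can be matched against it later."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" ID="{request_id}" Version="2.0" '
           f'IssueInstant="{_instant(datetime.now(timezone.utc))}" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state  # where to land the user after step 9
    return request_id, f"{idp_sso_url}?{urlencode(params)}"


def decode_redirect_request(url):
    """IdP side of the same binding: recover the AuthnRequest XML and RelayState."""
    q = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()
    return xml, q.get("RelayState", [None])[0]


def validate_response(xml_text, *, acs_url, sp_entity_id, pending_request_ids,
                      verify_signature, now=None):
    """Checks the SP makes before trusting the NameID in a Response.
    Returns (name_id, in_response_to); in_response_to is None for an
    unsolicited (IdP-initiated) Response. Raises ValueError on any failure."""
    if not verify_signature(xml_text):
        raise ValueError("signature check failed")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination must be our ACS URL so a Response cannot be replayed to another endpoint
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    # SP-initiated: InResponseTo must name a request we issued, and is consumed once
    irt = root.get("InResponseTo")
    if irt is not None:
        if irt not in pending_request_ids:
            raise ValueError("InResponseTo does not match a pending request")
        pending_request_ids.discard(irt)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("missing Assertion or Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _parse_instant(nb)) or (noa and now >= _parse_instant(noa)):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID in Subject")
    return name_id.text, irt


def sample_response(in_response_to=None, age_seconds=0):
    """Constructed sample Response (unsigned here; see the module docstring).
    Omit in_response_to to simulate an unsolicited, IdP-initiated Response."""
    issued = datetime.now(timezone.utc) - timedelta(seconds=age_seconds)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="{_instant(issued)}" '
            f'Destination="https://sp.example.com/saml/acs"{irt}>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_instant(issued)}">'
            f'<saml:Issuer>https://idp.example.com</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_instant(issued - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{_instant(issued + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>https://sp.example.com'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')
```

A typical SP flow with these helpers: call build_authn_request, store the returned request ID in the user's session, redirect the browser to the returned URL, and when the IdP posts back to the ACS URL pass the XML, the stored ID set and the real signature verifier to validate_response; an unsolicited Response (no InResponseTo) is the IdP-initiated case and is accepted only if the application allows it. A Response whose InResponseTo was already consumed, whose Destination is some other endpoint, or whose Conditions have lapsed is rejected before any NameID is trusted.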

Configuring Single Sign-On (SSO)

The following diagram provides an overview of deploying an application to use single sign-on. If the web application uses SAML for single sign-on purposes, there are additional configuration options. For more information, see the instructions for the application you want to configure. To access application-specific instructions, click the Application Configuration Help link on the application setup page in Centrify Admin Portal, or search Centrify help for the application you want to configure.

Application-specific settings are configured in the application configuration pages available once you add an application from the App Catalog (web apps or mobile apps). Some of the pages are required in order to deploy the application; others are optional or are not available. See the following for additional information on each configuration page:

Trust: Configure application-specific settings; Enabling derived credentials; Choose a certificate file
Settings: Changing the app name, description, or logo; Specifying the Application ID; Displaying the application in the user app list
User Access: Deploying applications
Policy: Specifying additional authentication control
Account Mapping: Map user accounts
SAML Response: Editing the assertion script
Linked Applications: Adding and deleting linked applications
Provisioning: Provisioning users
App Gateway: Accessing applications outside the network
Changelog: Viewing a log of recent changes
Workflow: Setting up a request and approval workflow
Restrictions (mobile apps only): Set application restrictions
Deployment Status (mobile apps only): View Deployment Status

Configure application-specific settings

On the Trust page, you configure the application-specific settings needed to connect the application to Centrify Identity Services and enable SSO. Most applications require you to configure settings specific to that application; the specific parameters vary with the type of application (SAML, WS-Fed, password). For information about choosing a security certificate file for an application, see Choose a certificate file. If your configuration supports using derived credentials to access your application, see Enabling derived credentials. For detailed configuration information for mobile and web applications, see Adding mobile applications and Adding web applications.

Deploying the Centrify Identity Services User Portal application

Users use the User Portal application for single sign-on access to deployed applications. If the relevant policies have been configured, users can also use the application to enroll devices and deploy applications. By default, this application is deployed to all users in the Everybody and Invited Users roles. If a user does not belong to either of these roles, you must assign that user to a role with the User Portal application deployed before the user can access the user portal. See Deploying applications for the specific deployment instructions.

Deploying applications

You must assign applications to a role before users can use single sign-on for those applications. Centrify Identity Services deploys web and mobile applications to members of the role or roles you select.

After you assign a web application to a role, the identity platform adds it to the role members' Centrify Identity Services user portal. For users with enrolled devices, the web applications are also displayed on the device as follows:

Android and iOS devices: Web applications are displayed on the Web Apps screen in the Centrify application.

Samsung KNOX Workspace devices: Web applications are displayed in Centrify for KNOX by default. You can also configure the device to show the applications in both the Centrify application and Centrify for KNOX.

After you assign mobile applications to a role, Centrify Identity Services adds them to the Mobile Apps area of the Centrify application on the device.

You must be a member of the sysadmin role or a role that has the Application Management permission to configure and deploy applications.

You can assign applications to roles using two methods in Admin Portal:

The User Access page in the application configuration area.

The Assigned Applications page in the role configuration area.

To assign an application to a role using the User Access page

On the User Access page, add the role(s) that represent the users and groups that have access to the application.

1. Click Add.
2. Select the roles that you want to access the application and then click Add.
3. Select whether you want the application to appear in the users' user app list and then click Save. Select Yes if you want to automatically add the app to the role members' user portal, the Web Apps screen in the Centrify application, and, on Centrify for KNOX Workspace devices enabled for a KNOX mode container, in the Centrify for KNOX application. Select Recommended if you want to show the app only when a role member clicks Add App in the user portal.

To assign an application to a role using the Assigned Applications page

1. Log in to Admin Portal.
2. Click Core Services > Roles.
3. Select the role to which you want to assign the application.
4. Click Assigned Applications > Edit.
5. Drag the application or applications from the Available pane to the Selected pane.
6. Click Save.

The Available pane lists the applications you have already added to the Apps page in Admin Portal; it is not the full Centrify Identity Services App Catalog. The next time the role members open the user portal or refresh their window, the application is displayed.

Deploying web applications to KNOX containers

This section is for administrators assigning web applications to Samsung KNOX Workspace devices with a KNOX container only.

Users open the Centrify for KNOX application installed inside a KNOX container to launch the web applications you assign to them. When you use the Centrify Identity Platform for mobile device management, Centrify for KNOX is automatically installed in the KNOX container when users create the KNOX container.

Note: If you are using another mobile device management provider, users must install the Centrify for KNOX application by some other means. In addition, the KNOX SSO service must be enabled and the Centrify for KNOX application must be added to the Application SSO whitelist policy. Contact your mobile device management provider for the procedures.

You use the same procedure to assign web applications to Centrify for KNOX that you use to assign applications to the Centrify application (see Adding web applications by using Admin Portal). How the web applications are displayed on the devices depends upon whether you are using Centrify Identity Services for single sign-on alone or for mobile device management and single sign-on:

If you are using Centrify Identity Services for single sign-on only, the applications are always displayed in Centrify for KNOX. If users also install the Centrify application outside the container, the web applications are listed on its Apps screen too.

If you are using Centrify Identity Services for mobile device management as well as single sign-on, the web applications you assign are displayed in Centrify for KNOX only. In this case, the Centrify application installed outside the container does not have a Web Apps screen.

Note: By default, Centrify Identity Services provides single sign-on for all SAML and user name/password applications you assign to users. You can, however, disable single sign-on for one or more devices using the mobile device Disable SSO command (see Using Active Directory Users and Computers to manage devices on page 15 and Using the device management commands on page 19 for the details about the mobile device commands).

Deploying mobile applications to KNOX containers

This section is for administrators deploying a mobile application to devices with a Samsung KNOX container who are using Centrify Identity Services for Samsung KNOX device mobile device management.

In many ways, deploying a mobile application for installation in a Samsung KNOX container is the same as deploying a mobile application to any Android device. That is:

You have the application's binary .apk file.

You use Admin Portal to upload the .apk file and select a role to determine which users get the application.

You can configure the application for automatic or optional installation. If you select automatic, the application is installed without user prompting in the KNOX container if the container has already been created. If it has not, the application is installed automatically right after the container is created. If the application is configured for optional installation, the user must install it from the Centrify application.

The application is listed in the Centrify application. Users can open the application either from the Centrify application in personal mode or by clicking the application's icon from the KNOX mode container.

For devices that have a KNOX version 2 container, you use the procedures described in Adding and deploying mobile applications using Admin Portal to deploy mobile applications for installation in the container. However, there are a couple of differences, especially if you are deploying applications to devices with KNOX version 1 containers:

For KNOX version 2 containers, you can configure Android in-house applications for installation either in personal mode or in the KNOX mode container. See Deploying in-house Android applications to KNOX 2 containers for the details.

For KNOX version 1 containers, mobile applications must be wrapped before they can be installed. If the application is not wrapped, it is installed in personal mode. See How developers prepare a mobile application for use in Samsung KNOX version 1 containers for the details. Applications that are downloaded from the Samsung KNOX Apps store to a KNOX version 1 container do not need to be wrapped separately (they are already wrapped).

Deploying in-house Android applications to KNOX 2 containers

For devices with KNOX version 2 containers, you can specify whether an in-house Android application is installed inside the KNOX mode container or in personal mode. (This feature is not available for applications downloaded from Google Play.) You specify the installation destination when you configure the application. You have the following options:

Install in the KNOX container based on the Enable KNOX Container policy setting: Select Deploy to KNOX container if the Enable KNOX Container policy is applied, otherwise deploy to device to install the application in the container, but only if container creation is enabled; otherwise, the application is installed in personal mode. (See Enabling the device to allow users to create an enterprise container on page 35 for how to set this policy.) Note: If the Enable KNOX Container policy is set but the user has not yet created the container, the application is not installed in personal mode. Instead, installation is deferred until the container is created.

Install in the KNOX mode container: Select Install to KNOX container only to install the application in the KNOX 2 container only. If the user has not yet created the container, the application is not installed in personal mode. Instead, installation is deferred until the container is created.

Install in personal mode: Select Install to Device only to install the application in personal mode only.

If the license expires, the applications remain installed in the container; however, the container is not accessible by the user. You can continue to deploy mobile applications to a device with an expired license; however, an error message indicates that the action cannot be completed until the proper license is installed.

Deploying wrapped mobile applications to KNOX version 1 containers

When deploying mobile applications to devices that have a KNOX version 1 container, there are some procedural differences for the application developer and for the identity platform administrator.

For the application developer:

Before the user can install an Android application in a Samsung KNOX version 1 container, the application must be rebuilt by Samsung in a process referred to as app wrapping.

In order for a mobile application to use single sign-on (SSO) inside a Samsung KNOX container, the mobile application vendor uses the Centrify for Samsung Mobile Authentication Service (MAS) SDK to enable their mobile application for SSO.

For the identity platform administrator:

You cannot deploy an application from Google Play to a KNOX version 1 container unless it has been wrapped.

When deploying a Samsung KNOX wrapped mobile application, use the Android InHouse application template in the Apps catalog in Admin Portal.

When deploying a Samsung KNOX wrapped mobile application that is also configured for SSO, you must also deploy a corresponding SAML web application to the same set of users.

For every mobile application that uses the SSO capability, you must add the package name to the Application SSO whitelist policy (see Adding mobile applications that use SSO to the Application SSO whitelist on page 41). You get the package name from the application developer. Note: Mobile applications that use the SSO capability that you deploy from Admin Portal and that the user installs from the Centrify application on their device do not need to be added to the Application SSO whitelist policy.

Use the following procedure to deploy a wrapped mobile application to devices with a Samsung KNOX version 1 container. If your mobile application was developed to use Samsung KNOX SSO, go to How to configure mobile applications that use KNOX SSO for additional deployment instructions. To learn about application wrapping, see How developers prepare a mobile application for use in Samsung KNOX version 1 containers.

To deploy a wrapped mobile application to a KNOX version 1 container:

1. Open Admin Portal and select the Apps page.
2. Click Add Mobile Apps.
3. Click Add Custom App.
4. Select Android InHouse and click Add.
5. Click Yes to confirm.
6. Click Close to exit. The Android InHouse application configuration page opens. Note: The KNOX installation options (see Deploying in-house Android applications to KNOX 2 containers) are not available for wrapped applications.
7. Click Application Help underneath the application name. Use the instructions to configure the Application Settings and Description pages.
8. Click User Access and select all of the roles that should get this application. If you select Automatic Install (the default), the Centrify application automatically installs the wrapped application in the container. If you instead select Optional Install, the user must open the Centrify application and install the application manually.
9. Click Save.

How to configure mobile applications that use KNOX SSO

Mobile applications that use the KNOX SSO service to ask for a SAML token from inside a Samsung KNOX version 1 or version 2 container must have a paired web SAML application deployed from Admin Portal to authenticate the user. SAML provides a token-based method for single sign-on, and the paired web application provides the Centrify Identity Platform connection used to acquire the token.

Note: The Centrify for KNOX application uses a SAML token for single sign-on; however, it is an exception to this rule. It does not need a paired web SAML application.

Deploying a mobile application that uses a SAML token to provide SSO:

1. In Admin Portal, deploy the wrapped application as described in Deploying wrapped mobile applications to KNOX version 1 containers.
2. Using either Admin Portal or the Active Directory Group Policy Management Editor, add the application's package name to the Application SSO whitelist policy (see Adding mobile applications that use SSO to the Application SSO whitelist).
3. In Admin Portal, add, configure, and deploy a web SAML application for the mobile application. You must deploy a SAML web application for every mobile application that uses Samsung KNOX SSO installed in the KNOX container. This includes all of the mobile applications you deploy and all mobile applications that use KNOX SSO that the user installs from the Samsung KNOX Apps store. Depending upon the application, one of the following scenarios applies:

Deploy the SAML application in the Add App catalog in Admin Portal that is preconfigured for Samsung KNOX SSO.

Deploy the SAML application in the Add App catalog in Admin Portal that you can configure for use with Samsung KNOX SSO (for example, Box, Dropbox, and so forth).

If your SAML application is not already in the Add App catalog in Admin Portal, deploy and configure a generic SAML application profile. The mobile application developer provides the configuration parameters for the SAML application profile.

The following conditions apply to the web SAML application:

The App ID has to be the same as the text string that is specified as the target in the getsecuritytoken(target) code of the wrapped mobile application.

There can be only one SAML application deployed using the name used by the wrapped mobile application. For example, you cannot have two Box SAML applications configured.

Note: If your mobile application does not yet support SAML, have your mobile application vendor contact Centrify to assist in getting SAML support. You can still deploy the mobile application into the Samsung KNOX container; however, users will have to enter their credentials every time they open the application.

4. In the User Access tab of the Application Settings dialog box, assign the web SAML application to the same roles to which you assigned the mobile application (see How to specify user application login settings). The identity platform deploys the web SAML application to the role members. This web SAML application does not, however, appear in Centrify for KNOX.

How developers prepare a mobile application for use in Samsung KNOX version 1 containers

Mobile applications must be customized in a process called app wrapping before you can install them in the Samsung KNOX version 1 container. The customization consists of the following broad steps:

1. Configure for SSO (optional). The mobile application developer uses the Centrify for Samsung Mobile Authentication Service (MAS) SDK to enable the mobile application for single sign-on. Not all applications are appropriate for SSO; for example, you don't need SSO for an application that doesn't require a login (such as a clock). In addition to providing the APK file, you need the following information from the application developer to deploy a generic SAML web application for the mobile application. (See How to configure mobile applications that use KNOX SSO for deploying applications that use the KNOX SSO capability.)
   - The text string that is specified as the target in the getSecurityToken(target) code of the wrapped mobile application. This text string must match the App ID in the Admin Portal application settings.
   - The application package name. You'll use the application package name if you need to add the application to the Samsung KNOX SSO whitelist.
2. Wrap the application's APK file. The mobile application developer produces the binary APK file. However, the APK file must be wrapped before it can be installed in the Samsung KNOX container. Wrapping is an automated service that unpacks the application's original APK file, extracts the certificate, and repackages the application into a new APK package with a digital signature and a KNOX container-specific certificate. The service also provides QA testing to confirm device compatibility and inspects for malware and risky behaviors.
3. Distribute the wrapped binary. You can use Admin Portal to distribute the wrapped application. The Centrify application automatically determines if the application is wrapped and installs it inside the KNOX container, not outside with the other Android applications.

Map user accounts

On the Account Mapping page, configure how the login information is mapped to the application's user accounts. Depending on the type of application that you select, the options that you see might differ from those shown here.

Directory Service Field: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName, or a similar field from the Centrify Directory.

All users share one name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Prompt for user name: Use this option if you want users to supply their own user name and password. This option only applies to some application types, such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The Centrify Directory Service stores the user name and password so that the next time the user launches the application, the Centrify Directory Service logs in the user automatically.

Account Mapping Script: You can customize the user account mapping here by supplying custom JavaScript. For example, you could use the following line as a script:

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The script sets the login user name to the user's mail attribute value in Active Directory and appends .ad to it. For example, if the user's mail attribute value is an email address, the account mapping script sets LoginUser.Username to that address followed by .ad. For more information about writing a script to map user accounts, see SAML application scripting.
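The mapping line above, exercised offline against a small stand-in for the LoginUser object. This is an added example, not Centrify's own code or scripting API: the stand-in object, the sample directory records, and the assumption that Get() returns an empty string for an attribute the user lacks are all constructed here. The second function is an illustration of a defensive variant that falls back to userPrincipalName when mail is unset, so that such a user is not mapped to the bare string '.ad'.

```javascript
// Added example (not Centrify's code): a minimal stand-in for the LoginUser
// object that account mapping scripts run against, so the mapping line from
// this guide can be exercised without the identity platform.
// Assumptions (not stated in the guide): Get() returns '' for an attribute
// the directory record lacks, and attribute names are case-insensitive.

// Constructed sample directory records; the values are illustrative only.
const SAMPLE_USERS = {
  alice: { mail: 'alice@example.com', userPrincipalName: 'alice@corp.example' },
  // "bob" has no mail attribute, the case the fallback below handles.
  bob: { userPrincipalName: 'bob@corp.example' },
};

// Builds an object shaped like the LoginUser a mapping script sees:
// Username is what the application receives; Get() reads directory attributes.
function makeLoginUser(attrs) {
  const lower = {};
  for (const [k, v] of Object.entries(attrs)) lower[k.toLowerCase()] = v;
  return {
    Username: '',
    Get(name) {
      const v = lower[String(name).toLowerCase()];
      return v === undefined ? '' : v; // assumed behaviour for a missing attribute
    },
  };
}

// The mapping script exactly as the guide shows it.
function mapUsernameAsDocumented(attrs) {
  const LoginUser = makeLoginUser(attrs);
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Defensive variant (illustration): fall back to userPrincipalName when mail
// is unset, and refuse to map a user who has neither attribute.
function mapUsernameWithFallback(attrs) {
  const LoginUser = makeLoginUser(attrs);
  const base = LoginUser.Get('mail') || LoginUser.Get('userPrincipalName');
  if (!base) throw new Error('no directory attribute available to map a user name');
  LoginUser.Username = base + '.ad';
  return LoginUser.Username;
}

// Stand-alone run: show both behaviours for each constructed user.
for (const [name, attrs] of Object.entries(SAMPLE_USERS)) {
  console.log(name, 'documented:', JSON.stringify(mapUsernameAsDocumented(attrs)),
              'fallback:', JSON.stringify(mapUsernameWithFallback(attrs)));
}
```

The documented one-liner silently produces '.ad' for a user without a mail attribute, which is the kind of mapping gap that shows up as a failed or, worse, mis-attributed login; checking the attribute before using it keeps the script's behaviour explicit.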

Choose a certificate file

On the Application Settings page, you can select a certificate provided by the Centrify Identity Platform or upload your own certificate to establish secure SSO authentication between the Centrify Identity Platform and the web application. Most applications can be configured using the default tenant signing certificate, but if you want to use your own certificate, you can choose -Upload New Signing Certificate- from the Security Certificate drop-down menu.

Note: Be sure to use a matching certificate both in the application settings in the Admin Portal and in the application itself.

Note: In most cases the SignatureMethod Algorithm in the certificate matches the DigestMethod Algorithm in the SAML assertion; however, some applications might require a different DigestMethod Algorithm. In those cases, you can use the setDigestMethodAlgorithm method in the SAML assertion script to set the DigestMethodAlgorithm manually.

To select a signing certificate for an application

1. Click Application Settings in the Admin Portal.
2. Select one of the following Security Certificate options:

   Default Tenant Application Certificate (default): Select this option to use the Centrify Identity Platform standard certificate. This is the default setting. Click Download to save the certificate so you can use it during the application configuration process. If you replace the certificate, be sure to update the application with the new certificate information.
   Note: Any certificates uploaded to the Centrify Identity Services tenant from Settings > Authentication > Platform > Signing Certificates are also shown in the drop-down list. You can choose from any of those certificates as well. For more information on uploading certificates to be part of the standard set of available certificates, see How to manage tenant signing certificates.

   -Upload New Signing Certificate-: Select this option to upload your organization's own certificate. To use your own certificate, you must enter a name and a password (if the file requires a password) and then click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. Once uploaded, this certificate will also be listed in Settings > Authentication > Platform > Signing Certificates and is therefore available to all application deployments in the future. Upload the certificate from your local storage prior to downloading any IdP metadata. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.
3. Click Save.

Optional configuration settings

The following settings offer additional functionality and control, but do not need to be completed in order to deploy an application.

Enabling derived credentials
Specifying the Application ID
Displaying the application in the user app list
Changing the app name, description, or logo

Enabling derived credentials

On the Trust page, click "On enrolled mobile devices, open this application in the built-in browser (required for derived credentials)" to use derived credentials on enrolled mobile devices to authenticate with this application. Derived credentials allow mobile devices to be used for secure mobile access to applications, websites, and services that require smart card authentication. If it is enabled on your system, you can configure the application so that it requires derived credentials to access the application. For more information, see Derived Credentials.

Specifying the Application ID

On the Trust page, you can configure an Application ID for mobile applications that use the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The Centrify Identity Platform uses the Application ID to provide single sign-on to mobile applications. Note the following:

- The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK.
- If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
- There can only be one SAML application deployed with the name used by the mobile application.
- The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters, up to 256 characters.

Displaying the application in the user app list

On the Settings page, you can select Show in User app list to display this web application in the user portal. (By default, this option is selected.) If this web application is only needed in order to provide SAML for a corresponding mobile application, deselect this option and the web application won't display in the user portal.

Changing the app name, description, or logo

On the Settings page, you have the option to modify settings that change how and where applications are displayed in the Admin Portal Apps page and in the Centrify User Portal.

To optionally change the app name, description, or logo

1. Click Settings in the Admin Portal.
2. Enter the new name in the Application Name field to change how the application name is displayed in the Admin Portal Apps page and in the Centrify User Portal.
   Note: For some applications, the name cannot be modified.
3. Enter the new description in the Application Description field to change the default application description displayed in the Admin Portal Apps page and in the Centrify User Portal.
4. Enter the new category tag in the Category field to override the default category that the application is grouped into in the Centrify User Portal.
5. Click Select Logo and upload a new logo file to change the default logo for the application displayed in the Admin Portal Apps page and in the Centrify User Portal.
6. Click Save.

Specifying additional authentication control

On the Policy page, you can specify additional authentication controls for an application by defining rules and the order in which the rules are applied. You can also include JavaScript to identify specific circumstances (for example, logins from outside corporate IP ranges) when you want to block an application or require additional authentication methods. For details, see Application access policies with JavaScript.

To define a rule that specifies additional authentication control

1. Click Policy in Admin Portal.
2. Click Add Rule. The Authentication Rule window displays.
3. Click Add Filter in the Authentication Rule window.
4. Define the filter and condition using the drop-down boxes. For example, you can create a rule that requires a specific authentication method when users access the Centrify Identity Platform from an IP address that is outside of your corporate IP range. Supported filters are:

   IP Address: The authentication factor is the computer's IP address when the user logs in. This option requires that you have configured the IP address range in Settings > Network > Corporate IP Range.
   [filter name not recoverable from the source]: The authentication factor is the cookie that is embedded in the current browser by the identity platform after the user has successfully logged in.
   Day of Week: The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.
   Date: The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.
   Date Range: The authentication factor is a specific date range.
   Time Range: The authentication factor is a specific time range in hours and minutes.
   Device OS: The authentication factor is the device operating system.
   Browser: The authentication factor is the browser used for opening the Centrify Identity Services user portal.
   Country: The authentication factor is the country based on the IP address of the user's computer.
   Risk Level: The authentication factor is the risk level of the user logging on to the user portal. For example, a user attempting to log in to Centrify Identity Services from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses. If you do not see this filter, contact Centrify Identity Services support. The supported risk levels are:
     Non Detected: No abnormal activities are detected.
     Low: Some aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised depending on the policy setup.
     Medium: Many aspects of the requested identity activity are abnormal. A remediation action or a simple warning notification can be raised depending on the policy setup.
     High: Strong indicators that the requested identity activity is anomalous and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
     Unknown: Not enough user behavior activities (frequency of system use by the user and length of time the user has been in the system) have been collected.
   Managed Devices: The authentication factor is the designation of the device as managed or not. A device is considered managed if it is managed by Centrify Identity Services, or if it has a certificate from a trusted certificate authority (a CA that has been uploaded to the tenant).

   For the Day/Date/Time related conditions, you can choose between the user's local time and Coordinated Universal Time (UTC).
5. Click the Add button associated with the filter and condition.
6. Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down. The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Creating authentication profiles.
7. Click OK.
8. (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.
   Note: If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.
9. (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order in which they are applied.
10. Click Save.

To specify a corporate IP range

1. Click Settings > Network > Corporate IP Range, then click Add and enter one or more IP addresses or ranges.

Note: If you left the Apps section of Admin Portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in Admin Portal.
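To make the rule ordering and the default-profile behaviour concrete, here is an added example (not Centrify's own code) that models the evaluation described above in JavaScript: rules are checked top to bottom, the first rule whose filters all match supplies the authentication profile, the default profile applies when none matches, and a resolved profile of Not Allowed blocks the login. The filter names follow the table above; the rule and request shapes, the profile names, and the corporate IP range are constructed assumptions for illustration, and only a subset of the filters is modelled.

```javascript
// Added example (not Centrify's code): an in-memory model of how the Policy
// page's authentication rules resolve to a profile. Filter names follow the
// table in this guide; rule/request shapes, profile names, and the corporate
// IP range below are constructed assumptions.

// Constructed stand-in for Settings > Network > Corporate IP Range.
const CORPORATE_IP_RANGES = ['10.0.0.0/8', '192.0.2.0/24'];

// Parses a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the CIDR block (for example '10.0.0.0/8').
function ipInCidr(ip, cidr) {
  const [network, prefixStr] = cidr.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error('invalid CIDR prefix: ' + cidr);
  }
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

function isCorporateIp(ip) {
  return CORPORATE_IP_RANGES.some(range => ipInCidr(ip, range));
}

// One matcher per modelled filter: (condition, loginRequest) -> boolean.
const FILTER_MATCHERS = {
  // condition is 'inside' or 'outside' the corporate IP range
  'IP Address': (condition, req) => (condition === 'inside') === isCorporateIp(req.ip),
  // condition is a list of day names, e.g. ['Saturday', 'Sunday']
  'Day of Week': (condition, req) => condition.includes(req.dayOfWeek),
  'Device OS': (condition, req) => condition === req.deviceOs,
  'Country': (condition, req) => condition === req.country,
  // condition is true (device must be managed) or false
  'Managed Devices': (condition, req) => condition === req.managed,
};

// Walks the rules in the order they appear on the Policy page. The first rule
// whose filters all hold supplies the profile; otherwise the default profile.
function evaluateRules(policy, req) {
  for (const rule of policy.rules) {
    const allMatch = rule.filters.every(({ filter, condition }) => {
      const matcher = FILTER_MATCHERS[filter];
      if (!matcher) throw new Error('unsupported filter: ' + filter);
      return matcher(condition, req);
    });
    if (allMatch) return rule.profile;
  }
  return policy.defaultProfile;
}

// A resolved profile of 'Not Allowed' blocks the login entirely.
function isLoginAllowed(policy, req) {
  return evaluateRules(policy, req) !== 'Not Allowed';
}

// Constructed policy: a stronger profile off-network, a lighter one for
// managed devices on the corporate network, and a default for everything else.
const SAMPLE_POLICY = {
  rules: [
    { filters: [{ filter: 'IP Address', condition: 'outside' }],
      profile: 'Password + SMS confirmation code' },
    { filters: [{ filter: 'IP Address', condition: 'inside' },
                { filter: 'Managed Devices', condition: true }],
      profile: 'Password only' },
  ],
  defaultProfile: 'Password + authenticator app',
};

// Stand-alone run over constructed login requests.
for (const req of [
  { ip: '203.0.113.5', managed: true },
  { ip: '10.1.2.3', managed: true },
  { ip: '10.1.2.3', managed: false },
]) {
  console.log(JSON.stringify(req), '->', evaluateRules(SAMPLE_POLICY, req));
}
```

Because evaluation stops at the first matching rule, the order you set by dragging rules in step 9 changes the outcome: with the two rules above swapped, an unmanaged device on the corporate network still falls through to the default, but a managed device off-network would be caught by the stricter off-network rule either way only because that rule's filter does not depend on the managed flag. Keep the most restrictive conditions first and choose the default profile deliberately, since Not Allowed as the default denies everyone who matches no rule.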

Configuring Single Logout

If your service provider supports single logout (SLO), you can configure the application so that when your users log out of the application, they are also logged out of the Centrify user portal. To configure SLO, enter the Single Logout URL provided by your service provider on the Trust page under Service Provider Configuration > Manual Configuration > Single Logout URL.

With SLO configured, signing out of the application sends a logout request to the identity platform at the Identity Provider Logout URL (an automatically generated URL). The identity platform validates the request and returns a logout response to the service provider at the Single Logout URL.

Enable the WS-Trust protocol

WS-Trust is an authentication protocol used by Microsoft thick clients when ADAL is not enabled. Browser-based scenarios use other protocols such as WS-Fed or OpenID Connect. WS-Trust is enabled by default, though you can disable it with application policies if you do not want to use it. If you have not enabled ADAL and you are using the WS-Trust protocol, application challenges are enforced by default. Note that some application challenges might not be supported by WS-Trust.

To toggle the WS-Trust protocol

1. Log in to the Admin Portal.
2. Click Core Services > Policies, and select the policy you want to edit or click Add Policy Set to create a new one.
3. Click Application Policies > User Settings.
4. Select Yes or No from the Enable WS-Trust protocol drop-down list. WS-Trust is enabled by default. Applications using the WS-Trust protocol include Office 365 and Dynamics CRM.
5. (Optional) If WS-Trust is enabled, select the option Enforce application challenge with WS-Trust if you want to strictly enforce application policies, regardless of whether they are compatible with the WS-Trust protocol. For example, multi-factor authentication is not supported by the WS-Trust protocol. If you enforce application challenges with WS-Trust, you could have failed authentications with applications using the WS-Trust protocol. Application challenges are enforced by default.
6. Click Save.

Configure the SAML attributes

On the SAML Response page, use the Attributes section to configure SAML attributes that should be included in the SAML response for this application.

To add an attribute

1. Click Add.
2. In the Attribute Name field, enter the attribute name as required by the Service Provider.
3. In the Attribute Value field, click the drop-down menu and select the applicable value for the attribute name. For example, select LoginUser, then click the drop-down menu again and select a property from the pop-up menu to complete the LoginUser value.
4. Repeat the previous steps as necessary to add additional attributes.
5. If the drop-down menu items do not list the attribute that you want, click the input field and enter the value manually. For example, if you want an Active Directory attribute such as custom_ad_attr, enter LoginUser.Get('custom_ad_attr'). If you want a hardcoded string value, enter the value enclosed in single quotes, such as 'hardcoded_string_value'.
6. Click Save.

Note: The attributes that you configure in the Attributes section are separate from those that you configure in the Custom Logic section. Both sets of attribute entries appear in the SAML Response.

Editing the assertion script

If you use either the Advanced page or the SAML Response page, you have the option to edit the script that generates the assertion, if needed. In most cases, you don't need to edit this script. For more information on editing the SAML Response, see SAML application scripting. For details on editing the assertion for user password applications, see User-password application scripting.

Adding and deleting linked applications

If your app supports linked applications, you can use the Linked Applications page to add and configure links to other applications. Linked applications inherit user access information from their parent application. You can delete linked applications either from the Linked Applications page of their parent app, or directly from the list of apps in the Admin Portal.

To add a linked application

1. Click Linked Applications in the Admin Portal for your app.
2. Click Add. If the parent app has pre-formatted linked apps, you will see a list of apps to choose from. If the parent app does not have pre-formatted linked apps, you will see the fields you need to fill in to add a linked application.
3. Do one of the following:
   - If you see a list of pre-formatted linked apps, select an app to add.
   - If you see fields to complete, enter an Application Name and URL, and (optionally) enter an Application Description.
4. Click Finish.
5. Click Save.
6. Click the app you just added in the list of Linked Applications. A new tab opens in your browser and navigates to the Application Settings page for your new linked app.
7. Review the settings for the app. You can keep all the default settings for the app, or you can:
   - Change any of the fields on the Description tab. See Changing the app name, description, or logo for more information.
   - Deselect Inherit Access Roles from Parent on the User Access tab and then select only the roles you want. See Deploying applications for more information.
   - Change the URL for any app for which you previously specified the URL. Note: You cannot change the URL for pre-formatted apps (any app you selected from a list).

To delete linked applications:

1. Click the Linked Applications tab on the parent of the app you want to delete.
2. Select the app you want to delete from the list.
3. Click Actions, then click Delete.
4. Click Save.

Note: This deletes the app, not just the link between apps.

Accessing applications outside the network

On the App Gateway page in Admin Portal, you have the option to configure secure access to on-premise applications from outside your corporate network without using a VPN connection. Click App Gateway and see Configuring App Gateway for detailed configuration instructions.

Note: The App Gateway feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

Setting up a request and approval workflow

On the Workflow page you have the option to set up a request and approval workflow for an application. See Configuring Workflow for more information.

Note: The Workflow feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

Viewing a log of recent changes

On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.


Mobile-only application configuration settings

This section describes the settings that only need to be completed for applications that are available on mobile devices.

View Deployment Status

On the Deployment Status page, you can view the status of this application on enrolled devices. You can export the information to CSV and Excel. The Deployment Status page is only available in some mobile application configurations.

Set application restrictions

On the Restrictions page, you can configure the available restrictions for an application. Available restrictions are specific to configuring the application for the Work Profile. Not all applications have restrictions. If you cannot add restrictions, the application does not have any. The Restrictions page is only available in some mobile application configurations.

Troubleshooting mobile SSO and ZSO issues

The following troubleshooting issues are related to mobile application single sign-on (SSO) or zero sign-on (ZSO).

ZSO does not work for some SAML applications when accessed from an enrolled iOS device

SSO has been configured properly, but some SAML applications still require user credentials for access on an enrolled iOS device.

Cause: The application you are trying to open has been configured to use Safari, but the application developer did not use the SF Safari View Controller or Custom Chrome Tabs browser object during development. These browser objects are needed for zero sign-on. Dropbox and Slack are two applications that use the SF Safari View Controller browser object. When zero sign-on is successful for a Safari-launched application on an enrolled iOS device, you can identify that it is using Safari as its built-in browser by the Share button and Safari logo in the lower left corner.

Workaround: At the application login screen, after you enter your email address, you can select Keep me signed in to remain signed in during that session.

Resolution: Centrify Identity Services cannot enforce the use of the SF Safari View Controller browser object during application development. Please contact the third-party application company and inquire about future plans for using the browser object in their applications.

Integrating with cloud access security brokers (CASBs)

Centrify partners with CASBs to provide the first critical steps in enabling secure SaaS applications. By driving the authentication process through Centrify, CASBs utilize the necessary information about users, their devices, and their location to manage access to and monitor user activity within apps.

Centrify Admin Portal integrates with CASBs by passing the SAML assertion for a supported application to a CASB proxy, instead of directly to the service provider. The CASB then passes the SAML assertion on to the service provider. Application support for CASB integration depends on your CASB provider. Contact your CASB provider for more information.

To direct a SAML assertion to a proxy

1. Open the Advanced page for the application whose SAML assertion you want to point to a CASB proxy. For more information, refer to the application configuration help specific to that application.
2. Add the following line to the end of the advanced script. Refer to Writing a custom SAML script for more information about writing advanced scripts.

setHttpDestination('CASBProxyURI');

   CASBProxyURI is the proxy URI provided by the CASB. It must be an absolute URI.
   Note: This line must be at the end of the script to prevent conflicts with other elements of the script.
3. Click Save.

Adding and deploying mobile applications using Admin Portal

This section describes adding and deploying mobile applications by using Admin Portal at the conceptual level. See Application Configuration Help for more information about adding and deploying mobile applications.

Centrify Identity Services supports the following device operating systems:
- Android
- iOS
- OS X

The mobile applications you add are displayed on the Admin Portal Apps page. You deploy native device mobile applications to sets of users based on their roles. In addition, the mobile applications that users have installed on their devices are listed in the Installed Applications list when you open the device details page.

For Android devices, you can deploy any free application from Google Play or an Android application for which you have the binary (.APK) file.

Note: If you are deploying applications to Samsung Workspace devices with KNOX mode version 1 containers, the application must be wrapped to be installed in the container.

For iOS devices, you can deploy any free application from the Apple App Store or an iOS application for which you have the binary (.ipa) file. See Adding and deploying mobile applications using Admin Portal for the details.

If you have the binary file, you can use the Custom option in Admin Portal to add the mobile application.

54 Automatic versus optional installation When you select role for application deployment, you can select either Automatic or Optional installation. Automatic versus optional application installation is handled differently on Android, ios, and OS X devices. Installing mobile applications on Android devices On Android devices, only custom applications that you set for automatic installation are installed automatically on the devices. Play Store applications that you set for automatic installation are listed on the Centrify application Apps screen under the Recommended banner. The optional applications are listed under Optional. Users must manually install all the deployed Play Store applications. Newly deployed applications have a New button indication. On Samsung KNOX Workspace devices, the custom applications set for automatic installation are installed automatically. However, if the application is configured for installation in the KNOX mode container, it is not installed until the user creates the container. Users must manually install all Play Store applications, even the ones that you have set for automatic installation. On Android for Work devices, Play Store applications that you set for automatic installation are automatically installed on to the device. In-house Android applications are not supported with Android for Work. On all devices, optional applications are displayed with a New button and are not installed until the user taps New. After the application is installed, its icon is also displayed in the device s App application. Installing mobile applications on ios devices On ios devices, mobile applications configured for automatic installation are not installed automatically. Instead, the user is prompted to install each application you deploy. The prompt is displayed right after the user enrolls the device or within ten minutes after you deploy the application from Admin Portal. The dialog box indicates the server and the application name. 
The user taps Install to proceed with the installation. The application is displayed on the home screen after installation. Introduction to application management 54

55 Users can select Cancel to prevent installation. When users select Cancel, they are prompted the next time they open the device to install the application. If they select cancel again, they are not prompted anymore. They can, however, still install the application by opening the Company Apps web clip. Company Apps is a web clip that is installed automatically when the device is enrolled. When the user opens the web clip, the screen lists the automatic and optional mobile applications deployed to this user. The user can then click the application icon for a short description and choose which applications to install. Installing mobile applications on OS X devices Mobile applications are deployed through the Munki Managed Software Center, which is installed on a user s device during enrollment through the Agent for Mac. Mobile applications configured for automatic installation are installed when users click Update in the Munki Managed Software Center. The Managed Software Center checks for updates every hour. Mobile applications configured for optional installation appear in the Managed Software Center s Software page. They can be installed or removed at the user s convenience. Applications User Guide 55

Note: Mobile applications can also be deployed through the Company Apps store; however, this method of deploying mobile applications is deprecated in favor of the Managed Software Center. Mobile applications configured for automatic installation are installed the first time a user signs in to the Company Apps store, which is available in the Launchpad after enrolling with the Agent for Mac. These applications appear in the Company Apps store as Required applications. Mobile applications configured for optional installation appear in the Company Apps store as Optional, and can be installed at the user's convenience by clicking Install.

Removing a mobile application

If you don't want to deploy a mobile application any more, you have two options:

You can reset the role setting in the application's User Access setting. This leaves the application listed on the Apps page. The status is changed to Ready to Deploy when it is not assigned to any roles.

You can delete the application from the Apps page. This removes the application from all roles.

After you stop deploying a mobile application, it is no longer listed in the Centrify application on Android devices or in the Company Apps web clip on iOS devices. However, if the user has already installed the application, it remains installed on the device. For example, the user can still open the application from the device's Apps catalog. Removing the application from the device can only be done by the user.

Note: The same is true when a device is unenrolled from the identity platform. That is, any application installed from the Mobile Apps screen remains installed after the device is unenrolled.

The Centrify browser extension

The Centrify Browser Extension provides a method of adding user-password and other custom applications. The Centrify Identity Services browser extension is a free add-on that's required for single sign-on (SSO) to some web-based applications. Users are prompted to install this extension if it is required by any of the applications that have the jigsaw puzzle icon in the user portal. Refer to the following topics for more information about the browser extension.

Adding web applications by using Centrify Identity Services Infinite Apps

Infinite Apps is a feature of the Centrify Browser Extension that simplifies adding a SaaS user-password application that is not in the Centrify Identity Services App Catalog. Infinite Apps provides the App Capture utility, which automatically discovers the user name and password fields on the web application's login page and adds the application to your portal Apps page. After you add the application, you can deploy it with single sign-on to user portals and devices. If the App Capture utility cannot discover the user name and password fields, it allows you to select them manually.

By default, users can also use the browser extension to add applications to their user portal Apps page and devices. You can configure this setting using the Allow users to add personal apps policy (see Managing device configuration policies).

This section contains the following topics:

Installing Centrify Identity Services Infinite Apps
Adding a web application by using App Capture
Manually adding an application by using App Capture

Installing Centrify Identity Services Infinite Apps

To use the Infinite Apps feature, you must install another version of the Centrify Browser Extension in a Firefox browser. Infinite Apps only supports Firefox, and the privacy setting must be configured for Remember History. After the application is captured, users can use any browser to open it from the user portal.

After you add the extension, the App Capture utility is available from the drop-down menu when you click the Centrify Browser Extension icon in the toolbar. Go to Adding a web application by using App Capture to add an application.

To install the Centrify Browser Extension with Infinite Apps:

1. If Firefox is not installed on your computer, install and open it.
2. Log in to Admin Portal using your system admin account.
3. In the user name drop-down menu, click Downloads.
4. Click the link for the Firefox browser.
5. In the pop-up window, click Allow. The browser displays a dialog box for installing the browser extension.
6. Click Install Now. A dialog box appears for restarting the browser.
7. Click Restart Now to restart the browser and finish installation.

After the browser restarts, the Centrify Browser Extension icon is added to the toolbar. If not, right-click the toolbar, select Customize, and drag the icon to the toolbar.

Note: If you are unable to log in, verify that the URL is correct; it should match the one that you use to log in to Admin Portal (ordinarily the default Centrify identity platform URL). If the URL does not match the one that you use to log in, go to the next section, Configuring Centrify Browser Extension to point to the Centrify Identity Platform, to set up the Centrify Browser Extension to work with your identity platform account.

Configuring Centrify Browser Extension to point to the Centrify Identity Platform

Skip this procedure if the URL for the Centrify user portal or Admin Portal is the default Centrify identity platform URL, and go directly to Adding a web application by using App Capture.

Most users will not need to configure the browser extension to point to the identity platform. The browser extension is configured to work with the default Centrify identity platform URL. If your organization uses a different URL (for example, for a private identity platform or a test deployment), complete the steps in the following procedure to configure the browser extension to use the correct URL.

To configure Centrify Browser Extension to work with a different URL:

1. Open a browser window, type the following in the address box, and press Return: about:config. A warning box appears.
2. Click Return. A list of application settings appears.
3. Type centrify in the search box to find the Centrify extension settings.
4. Double-click the following setting to see its value: extensions.centrify.portalhostname. The value for this setting should be the host name of the identity platform; ordinarily this is cloud.centrify.com.
5. If the value is something different, or if you are using a test version of the identity platform that uses a different URL, type the correct value and click OK.
6. Restart your browser to put the new URL into effect.

Adding a web application by using App Capture

The App Capture utility is designed to discover the login user name and password fields in the login page automatically. If it can't find them, it gives you the option to select them manually. In addition, it lets you select a third field for applications that require another login identifier, for example, a company ID.

Note: The App Capture utility cannot capture apps that use iframes.

To add an application by using App Capture:

1. Open Firefox and go to the sign-in page for the application that you want to add.
2. Click the Centrify Browser Extension icon in the toolbar. If the browser extension icon is gray, you need to log in to Centrify Identity Services (the user portal or Admin Portal) before continuing.
3. Click Capture. App Capture displays a pop-up window that guides you through the capture process. After you click Capture, App Capture attempts to discover the user name and password fields in the login page. If it is successful, it displays a success message and highlights the user name and password fields. If App Capture is not successful or selects the wrong fields, you need to set the fields manually. Click Set Manually and go to Manually adding an application by using App Capture to capture this application.
4. Determine how the login credentials are submitted. If App Capture selected the user name and password fields correctly, you need to capture how users submit their credentials for this web site. App Capture supports two cases:

   Users press the Enter key (on the keyboard) to submit their credentials. For example, after entering the user name and password, the user presses the Enter key to submit their credentials to this web site. If this is how users submit their credentials, click Next.

   Users click a separate log in or sign in button to submit their credentials. If the application has a separate button, such as Sign me in, it may require the user to click the button. In this case, you need to capture the application manually. Click Set Manually and go to Manually adding an application by using App Capture to complete capturing this application.

   If you are not sure which method the application requires, selecting the Enter key is the easier procedure for capturing the application and more reliable than trying to capture the submit button. After you assign the application, try opening it from the user portal. If single sign-on is not automated the next time you log in after you have provided your credentials, you will need to recapture the application using the manual method.
5. Add an additional field, if necessary. Some web applications have a third login field that requires the user to provide additional login information, for example, a corporate ID. If this web site does require an additional field, click Yes and then Next. Then click the additional field in the application's login screen. App Capture highlights your selection and the pop-up window prompts you for the next entry.

   Note: You enter the value you want to put in this field (for example, your organization's ID number for this application) in the Advanced page when you open the application details in Admin Portal. See the Advanced page description in Configuring applications for the details.
6. (Optional) Modify the application properties: application name, description, and icon.
7. Click Finish to proceed.
8. Select where to add the application: user portal or Admin Portal. Adding the application to the user portal is for your use only. Adding the application to Admin Portal allows you to assign it to other users. The Admin Portal option is only available if you are in a role that has the Application Management right.
9. Click Submit.

You can now assign this application to users. See Deploying applications to users on page 5.

Manually adding an application by using App Capture

If you opened the application and App Capture did not find the user name and password fields or selected the wrong fields, use the following procedure to identify them. In addition, you must use this procedure to add the application if you want to use a Submit button rather than the Enter key to proceed with the sign-in.

Note: The App Capture utility cannot capture apps that use iframes.

To set fields manually while adding an application:

1. Open Firefox and go to the sign-in page for the application that you want to add.
2. Click the Centrify Browser Extension icon and click Capture from the drop-down menu. App Capture displays a pop-up window that guides you through the capture process.
3. Click Set Manually.
4. Click the <app name> Name field to identify this application's user name field. For example, click the Skype Name field for Skype. App Capture tags Skype Name as the Username field and prompts you to select the Password field.
5. Click the Password field to identify this application's password field.
6. Select an additional login field. Some web applications have a third login field that requires the user to provide additional login information, for example, a corporate ID. If this web site does require an additional field, click Yes and then Next. Then click the additional field in the application's login screen. App Capture highlights your selection and the pop-up window prompts you for the next entry.

   Note: You enter the value you want to put in this field (for example, your organization's ID number for this application) in the Advanced page when you open the application details in Admin Portal. See the Advanced page description in Configuring applications for the details.
7. Determine how the login credentials are submitted. After they enter their credentials, users either press the Enter key (on the keyboard) or click a button to submit their credentials.

   Use keyboard Enter key event (Recommended): Select this option when users press the Enter key (on the keyboard) to submit their credentials. Capturing the Enter key is more reliable than trying to capture a sign-in button. Click Next to continue.

   Right-click the Sign in button on the Web page to capture it: Select this option when the user must click a separate login or sign-in button to submit their credentials to this web site. After you select this option, right-click the login/sign-in button on the Web page to capture it, then click Next to continue. This option is useful if you captured the application using the Enter key option and deployed it, but your users are unable to log in. Often, recapturing the application and selecting the sign-in button option corrects the problem.
8. (Optional) Modify the application properties: application name, description, and icon.
9. Click Finish.
10. Select where to add the application: user portal or Admin Portal. Adding the application to the user portal is for your use only. Adding the application to Admin Portal allows you to assign it to other users. The Admin Portal option is only available if you are in a role that has the Application Management right.
11. Click Submit to add the application to the selected portal.
12. Click Close when the confirmation message appears.

Continue with Configuring applications if you want to assign the application to other users.
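The field discovery behind both procedures above (automatic detection first, Set Manually when it fails, no capture at all for iframes) can be illustrated with a small heuristic. The following is an added example, not Centrify's code and not App Capture's actual algorithm, which is not published: it parses constructed login pages with Python's standard html.parser and reports whether capture could proceed automatically, must go manual, or is unsupported because the page uses an iframe. The sample pages and their field names are made up.

```python
"""Heuristic login-field discovery, in the spirit of App Capture.
Added illustration, not Centrify code: App Capture's own logic is not published.
The sample pages at the bottom are constructed."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional

# <input> types that can carry a user name or an extra identifier such as a
# company ID; "" covers an <input> with no type attribute
TEXT_TYPES = {"text", "email", "tel", ""}


@dataclass
class InputField:
    type: str
    name: str
    autocomplete: str


@dataclass
class Form:
    fields: List[InputField] = field(default_factory=list)
    buttons: List[str] = field(default_factory=list)


class LoginPageParser(HTMLParser):
    """Collects every <form> with its inputs and submit buttons, and notes
    whether the page embeds an iframe (which App Capture cannot look into)."""

    def __init__(self):
        super().__init__()
        self.forms: List[Form] = []
        self.has_iframe = False
        self._form: Optional[Form] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        label = a.get("name") or a.get("id") or ""
        if tag == "iframe":
            self.has_iframe = True
        elif tag == "form":
            self._form = Form()
            self.forms.append(self._form)
        elif self._form is None:
            return  # controls outside any form are not part of a login
        elif tag == "input":
            kind = a.get("type", "").lower()
            if kind in ("submit", "image"):
                self._form.buttons.append(label or "submit")
            else:
                self._form.fields.append(InputField(kind, label, a.get("autocomplete", "").lower()))
        elif tag == "button" and a.get("type", "submit").lower() == "submit":
            self._form.buttons.append(label or "button")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


@dataclass
class Capture:
    status: str  # "auto" (fields found), "manual" (Set Manually), "unsupported"
    reason: str
    username: Optional[str] = None
    password: Optional[str] = None
    extra_fields: List[str] = field(default_factory=list)
    submit_button: Optional[str] = None


def discover_login_fields(html: str) -> Capture:
    parser = LoginPageParser()
    parser.feed(html)
    if parser.has_iframe:
        return Capture("unsupported", "login page uses an iframe")
    # a login form has exactly one password field; registration and
    # change-password forms have two and need manual selection
    candidates = [f for f in parser.forms
                  if sum(1 for x in f.fields if x.type == "password") == 1]
    if len(candidates) != 1:
        return Capture("manual", f"{len(candidates)} forms with a single password field")
    form = candidates[0]
    pw = next(i for i, x in enumerate(form.fields) if x.type == "password")
    before = [x for x in form.fields[:pw] if x.type in TEXT_TYPES]
    if not before:
        return Capture("manual", "no user name field precedes the password field")
    # prefer autocomplete="username", else the text input nearest the password;
    # any remaining text inputs are extra identifiers (filled in on the
    # application's Advanced page in Admin Portal)
    user = next((x for x in before if x.autocomplete == "username"), before[-1])
    extras = [x.name for x in form.fields if x.type in TEXT_TYPES and x is not user]
    # the button is only reported: whether Enter suffices or the button must be
    # clicked cannot be read from markup, hence the guide's advice to try Enter first
    return Capture("auto", "one password field with a user name field before it",
                   user.name, form.fields[pw].name, extras,
                   form.buttons[0] if form.buttons else None)


# Constructed sample pages (not real applications)
SIMPLE_LOGIN = """<form action="/login" method="post">
  <input type="hidden" name="csrf" value="token">
  <input type="email" name="email" autocomplete="username">
  <input type="password" name="pass">
  <button type="submit" id="signin">Sign me in</button></form>"""
THREE_FIELD_LOGIN = """<form action="/session">
  <input type="text" name="company_id"> <input type="text" name="login">
  <input type="password" name="password"> <input type="submit" value="Log in"></form>"""
IFRAME_LOGIN = '<iframe src="https://idp.example.test/login"></iframe>'
```

Calling discover_login_fields(THREE_FIELD_LOGIN) reports login as the user name field, password as the password field, company_id as the extra identifier and the submit button, while the iframe page comes back as unsupported, matching the note that App Capture cannot capture apps that use iframes.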

How to install the Centrify Identity Services Browser Extension

This scenario is intended to guide system administrators through the procedures for installing the Centrify Browser Extension. Some web applications require installation of the Centrify Browser Extension to provide single sign-on. Without the browser extension, users will not be able to open these applications. You only need to install the browser extension one time per browser type.

You can send the link for installing the browser extension directly to users. When users click the link, the installer identifies the user's default browser and installs the corresponding extension. The link and the browser extension files for Chrome, Firefox, Safari, and Internet Explorer are also available in the Downloads item in the account name drop-down menu in Admin Portal.

Note: You can only update the browser extension; reverting to previous versions is not supported.

The browser extension is not required on mobile devices. The Centrify application and Centrify for KNOX both incorporate an internal browser that provides single sign-on. When device users open an application that requires the browser extension, the application is automatically opened in the internal browser.

Browser extension dependent applications have the jigsaw puzzle symbol on the Apps page in the Centrify Identity Services user portal. After the browser extension is installed, the jigsaw symbol disappears.

You can install the browser extension for Internet Explorer (IE) browsers on remote Windows computers, or users can install it themselves.

This scenario includes the following topics:

Installing the Centrify browser extension for IE on remote Windows computers
Options for user self installation
Restricting Centrify Browser Extension updates
Possible next steps

Installing the Centrify browser extension for IE on remote Windows computers

You can automate the installation of the Centrify Browser Extension (Internet Explorer version) onto remote Windows computers using a silent installation or a Windows Group Policy Object (GPO). To deploy the browser extension on remote Windows computers using a silent unattended installation or a GPO, you need to specify the appropriate command line options and Microsoft Windows Installer (MSI) file. You can also use a software distribution product, such as Microsoft System Center Configuration Manager (SCCM), to deploy software packages.

An automated installation may fail if remote computers do not have the appropriate configuration. If you are installing silently or from a GPO, verify that the remote Windows computers meet the requirements described in Installing the browser extension for IE on remote Windows computers.

To install the Centrify Browser Extension for Windows silently:

1. Open a Command Prompt window or prepare a software distribution package for deployment on remote computers. For information on preparing to deploy software on remote computers, see the documentation for the specific software distribution product you are using. For example, if you are using Microsoft System Center Configuration Manager (SCCM), see the Configuration Manager documentation.
2. Run the installer for the browser extension package for a 32-bit or 64-bit architecture.

   Note: If the system has a 64-bit operating system, use the 64-bit package, CentrifyIEExtensionSetup(x64).msi. CentrifyIEExtensionSetup(x64).msi includes the binary for both 32-bit and 64-bit versions of Internet Explorer.

   For example, on 32-bit operating systems, run the following command:

   msiexec /qn /i "CentrifyIEExtensionSetup(x86).msi"

   On 64-bit operating systems, run the following command:

   msiexec /qn /i "CentrifyIEExtensionSetup(x64).msi"

To install the Centrify Browser Extension from a Group Policy Object:

1. Copy the CentrifyIEExtensionSetup(x64).msi file to a shared folder on the domain controller or another location accessible from the domain controller. If you are installing on a 32-bit architecture, the installer file name is CentrifyIEExtensionSetup(x86).msi. When you select a folder for the installer file, you might want to right-click and select Share with > Specific people to verify that the folder is shared with Everyone or with the appropriate users and groups.
2. On the domain controller, click Start > Administrative Tools > Group Policy Management.
3. Select the domain or organizational unit that has the Windows computers where you want to deploy the browser extension, right-click, then select Create a GPO in this domain, and Link it here. For example, you might have an organizational unit specifically for Centrify Identity Services-managed Windows computers. You can create a Group Policy Object and link it to that specific organizational unit.
4. Type a name for the new Group Policy Object, for example, Centrify Identity Services Browser Extension Deployment, then click OK.
5. Right-click the new Group Policy Object, then click Edit.
6. Expand Computer Configuration > Policies > Software Settings.
7. Select Software installation, right-click, then select New > Package.
8. Navigate to the folder you selected in Step 1, select the .msi installation file, then click Open.
9. Select Published, then click OK.
10. Close the Group Policy Management Editor, right-click the Centrify Identity Services Browser Extension Deployment Group Policy Object, and verify that Link Enabled is selected.

By default, when computers in the selected domain or organizational unit receive the next group policy update or are restarted, the browser extension is deployed and the computer is automatically rebooted to complete the browser extension deployment. If you want to test the deployment, you can open a Command Prompt window, log on to a Windows client as a domain administrator, and force group policies to be updated immediately by running the following command:

gpupdate /force

For more information about how to configure and use Group Policy Objects, see the documentation on the Microsoft Windows website.
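When the silent installation above is driven from a distribution script rather than typed by hand, the script has to pick the package for the operating system's architecture (not the interpreter's, which differs under WOW64) and act on the installer's exit code. The following Python helper is an added example and not a Centrify tool: it uses the two package names and the msiexec /qn /i options from this guide, adds a verbose installer log, and maps the Windows Installer exit codes a deployment script has to distinguish. The package directory argument and the log path are assumptions.

```python
"""Silent deployment helper for the Centrify Browser Extension (IE version).
Added example, not a Centrify tool. Package names are the ones in the guide;
the default log path is an assumption."""
import os
import platform
import subprocess
import sys
from pathlib import Path

# package names from the guide: the x64 package also carries the 32-bit IE binary
PACKAGES = {64: "CentrifyIEExtensionSetup(x64).msi",
            32: "CentrifyIEExtensionSetup(x86).msi"}

# Windows Installer exit codes a deployment script must tell apart
EXIT_CODES = {
    0: "installed",
    1641: "installed, reboot initiated by the installer",
    3010: "installed, reboot required",
    1603: "fatal error during installation (see the log)",
    1618: "another installation is already in progress",
}


def os_bitness() -> int:
    """Architecture of the OS, not of this Python process: a 32-bit process on
    64-bit Windows runs under WOW64, which sets PROCESSOR_ARCHITEW6432."""
    if os.environ.get("PROCESSOR_ARCHITEW6432", "").upper().endswith("64"):
        return 64
    return 64 if platform.machine().upper() in ("AMD64", "X86_64", "ARM64", "AARCH64") else 32


def choose_package(bitness: int) -> str:
    """The guide's rule: a 64-bit OS always gets the x64 package."""
    return PACKAGES[64 if bitness == 64 else 32]


def build_command(package_dir: str, bitness: int, log_path: str) -> list:
    """msiexec /qn /i <package>, as in the guide, plus /l*v for a verbose log."""
    msi = Path(package_dir) / choose_package(bitness)
    return ["msiexec", "/qn", "/i", str(msi), "/l*v", log_path]


def describe_exit(code: int) -> str:
    return EXIT_CODES.get(code, f"unexpected exit code {code}")


def install(package_dir: str, log_path: str = r"C:\Windows\Temp\centrify-ie-ext.log") -> int:
    """Run the installer and return msiexec's exit code (Windows only)."""
    cmd = build_command(package_dir, os_bitness(), log_path)
    msi = Path(cmd[3])
    if not msi.is_file():
        raise FileNotFoundError(f"installer package missing: {msi}")
    result = subprocess.run(cmd, check=False)
    print(f"{msi.name}: {describe_exit(result.returncode)}")
    return result.returncode


if __name__ == "__main__":
    if platform.system() != "Windows":
        sys.exit("msiexec is only available on Windows")
    code = install(sys.argv[1] if len(sys.argv) > 1 else ".")
    # 3010 and 1641 are successes that need a reboot, which the GPO path handles for you
    sys.exit(0 if code in (0, 3010, 1641) else 1)
```

Run it as python deploy_ie_extension.py <folder containing the .msi files> on the target computer; a non-zero exit other than the reboot codes means the verbose log at the assumed path is the place to look.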

Options for user self installation

Users can install the Centrify browser extension using one of the following options:

The user portal displays a banner on the Apps page above the application icons that has a link the user can click to initiate installation.

The first time a user opens an application that requires the browser extension, the user portal opens a pop-up that prompts the user to initiate the installation.

The system administrator sends the link for installing the browser extension directly to users. When users click the link, the installer identifies the user's default browser and installs the corresponding extension. The link and the browser extension files for Chrome, Firefox, Safari, and Internet Explorer are provided in the Downloads page under Browser Extensions.

Restricting Centrify Browser Extension updates

You can control when users are prompted to update the Centrify Browser Extension so you can test and verify the latest version in your environment before making it available to your users.

Note: Because the Chrome Web Store can only host one version of the browser extension, preventing users from updating the Browser Extension beyond a specified version is not supported on Chrome.

To restrict Centrify Browser Extension updates:

1. Sign in to the Admin Portal, then click Core Services > Policies.
2. Select an existing policy set, or create a new one. Policy sets are applied to users by applying them to everybody, specified roles, or sets.
3. Select Application Policies > User Settings.
4. Set Set browser extension version (default latest version) to the release version you want to restrict your users to, then click Save.

Users are only prompted to update the Centrify Browser Extension if their version is older than the version you specify in the policy.

Note: Installing previous versions of the browser extension is not supported. If you stop restricting users to an older version of the browser extension and permit them to install newer versions, the older version is removed from the Set browser extension version list.

Possible next steps

You might be interested in the following scenarios:

How to configure Mobile Device Management or single sign-on only
How to enroll devices
How to install a Centrify Connector
How to configure Integrated Windows authentication
How to configure browsers for silent authentication
How to create a policy set and assign it to users
How to define authentication requirements
How to configure and deploy applications to users
How to configure user self-service options

Provisioning users

You can automatically handle adding and removing user accounts in web applications by enabling them for provisioning. With provisioned applications, you don't have to manually add or change user accounts in those web applications yourself; the identity platform handles this task by creating synchronization jobs to sync user account data to provisioned applications.

When you run a user synchronization, the Centrify Identity Platform takes the user attribute information in the source directory and adds or updates the user account in the provisioned application. The Centrify Identity Platform automatically synchronizes user, group, contact, or resource information whenever you make changes to a role or an applicable source directory object. The Centrify Identity Platform can synchronize user accounts from Active Directory, LDAP, the Centrify Directory, or any combination of those sources.

Types of provisioning configuration

All apps have a Provisioning tab that allows you to select Enable provisioning for this application. Some apps have specific provisioning requirements, some apps can be configured for provisioning using generic SCIM provisioning, and some apps do not support provisioning at all.

Apps that have their own specific provisioning requirements are listed in the app catalog as YourAppName SAML + Provisioning. When you select the Enable provisioning for this application option for those apps, the Provisioning tab expands to show other fields used for configuring provisioning.

For apps listed in the app catalog as YourAppName SAML, you will need to know whether your app supports generic SCIM provisioning. When you select Enable provisioning for this application, you will be able to go through the steps for configuring generic SCIM provisioning, but provisioning will only work in apps that support it. To remind you of this, apps listed in the app catalog as YourAppName SAML display a confirmation dialog box when you select the Enable provisioning for this application option. If you select Yes, the Provisioning tab expands to show the other fields used for configuring SCIM provisioning.

For more information about app-specific provisioning, see Setting up app-specific provisioning. For more information about generic SCIM provisioning, see Setting up generic SCIM provisioning.

Setting up app-specific provisioning

This section includes a general overview of how you set up applications to automatically handle user provisioning. For additional details, refer to the documentation for that app.

What you do to set up user provisioning for applications (an overview):

1. Open an application's Provisioning tab and select Enable provisioning for this application.
2. Select either Preview Mode or Live Mode.

   Preview Mode: Use Preview Mode when you're initially testing the application provisioning or making configuration changes. When the identity platform next runs a synchronization job, it processes this application but does not save any user account changes in the application. When you're sure that the provisioning configuration is correct and the preview results match what you expect, you then enable the application for Live Mode.

   Live Mode: Use Live Mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application's account information.
3. Enter and verify the provisioning credentials, or select Authorize to connect with the application's provisioning APIs. The credential values are obtained from the administrator page for each application. Each application is different, so the credentials and field values that you supply will vary.
4. Add Admin Portal roles to the application, and map those Admin Portal roles to groups, roles, or other similar items that are defined in the target web application. The connection of the Admin Portal role to the target application role (or other item) is a role mapping. Each application is different, and what you can map a role to is different for each application. You specify which users have access to the application with the roles you add in the application's User Access tab. You specify what kind of access those users have in the target application by assigning roles in the application's Provisioning > Role Mappings area.
5. Synchronize the user accounts in your directory service with the accounts in the application. Refer to Provisioned account synchronization options for more information.
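A small model of the overview above, added here as an illustration and not the identity platform's own synchronization code (which is not published): it shows how the roles on the User Access tab decide who gets an account, how role mappings decide what access those accounts get in the target application, what Preview Mode (plan and report only) leaves untouched that Live Mode (plan, report and apply) changes, and how a user who is disabled or removed in the source directory is deprovisioned. The users, roles, group names and the stand-in target application are all constructed.

```python
"""Preview Mode versus Live Mode provisioning with role mappings.
Added illustration, not the identity platform's synchronization engine.
All users, roles and the target application below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class SourceUser:
    """A user in the source directory (AD, LDAP or the Centrify Directory)."""
    username: str
    email: str
    roles: Set[str]          # Admin Portal roles the user holds
    enabled: bool = True


@dataclass
class AppAccount:
    """An account as the target application stores it."""
    email: str
    groups: Set[str]
    active: bool = True


class TargetApp:
    """Constructed stand-in for a provisioned SaaS application's user store."""
    def __init__(self, accounts: Dict[str, AppAccount]):
        self.accounts = dict(accounts)


Change = Tuple[str, str, AppAccount]   # (action, username, account the app should hold)


def plan_sync(users: List[SourceUser], app: TargetApp,
              access_roles: Set[str], role_mappings: Dict[str, Set[str]]) -> List[Change]:
    """Work out what a synchronization job would do, without doing it.
    access_roles:  roles on the app's User Access tab (who gets an account)
    role_mappings: Admin Portal role -> groups in the target app
                   (Provisioning > Role Mappings: what kind of access)"""
    desired: Dict[str, AppAccount] = {}
    for u in users:
        if u.enabled and u.roles & access_roles:
            groups = set().union(*(role_mappings.get(r, set()) for r in u.roles))
            desired[u.username] = AppAccount(u.email, groups)
    changes: List[Change] = []
    for name, want in desired.items():
        have = app.accounts.get(name)
        if have is None:
            changes.append(("create", name, want))
        elif not have.active or have.groups != want.groups or have.email != want.email:
            changes.append(("update", name, want))
    # accounts with no enabled, role-holding source user behind them are deprovisioned
    for name, have in app.accounts.items():
        if name not in desired and have.active:
            changes.append(("deactivate", name, have))
    return changes


def run_sync(users: List[SourceUser], app: TargetApp, access_roles: Set[str],
             role_mappings: Dict[str, Set[str]], mode: str) -> List[str]:
    """Preview Mode reports the plan; Live Mode also applies it. Both return the
    report lines an administrator would receive."""
    if mode not in ("preview", "live"):
        raise ValueError("mode must be 'preview' or 'live'")
    changes = plan_sync(users, app, access_roles, role_mappings)
    report = [f"[{mode}] {action} {name}"
              + (f" groups={sorted(acct.groups)}" if action != "deactivate" else "")
              for action, name, acct in changes]
    if mode == "live":
        for action, name, acct in changes:
            if action == "deactivate":
                app.accounts[name].active = False
            else:
                app.accounts[name] = AppAccount(acct.email, set(acct.groups), True)
    return report


def build_scenario():
    """Constructed data: a new user (carol), a disabled user (bob), a leaver (dave)."""
    users = [
        SourceUser("alice", "alice@example.test", {"Sales"}),
        SourceUser("bob", "bob@example.test", {"Engineering"}, enabled=False),
        SourceUser("carol", "carol@example.test", {"Sales", "Managers"}),
    ]
    app = TargetApp({
        "alice": AppAccount("alice@example.test", {"sales-team"}),
        "bob": AppAccount("bob@example.test", {"eng-team"}),
        "dave": AppAccount("dave@example.test", {"sales-team"}),   # no longer in the directory
    })
    access_roles = {"Sales", "Engineering"}
    role_mappings = {"Sales": {"sales-team"}, "Managers": {"admins"}, "Engineering": {"eng-team"}}
    return users, app, access_roles, role_mappings


if __name__ == "__main__":
    users, app, access_roles, role_mappings = build_scenario()
    print("\n".join(run_sync(users, app, access_roles, role_mappings, "preview")))
    print("\n".join(run_sync(users, app, access_roles, role_mappings, "live")))
    print("second run after live sync:", run_sync(users, app, access_roles, role_mappings, "preview"))
```

The preview run lists a create for carol (with both mapped groups, since the Managers mapping adds to the Sales one) and deactivations for bob and dave while leaving the application untouched; the live run makes the same changes and applies them, after which a further preview reports nothing, which is the converged state an administrator expects before switching a real application from Preview Mode to Live Mode.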

Provisioned account synchronization options

You can have the identity platform synchronize user accounts in a few different ways:

All users, all enabled applications
   As needed (on demand): Settings > Users > Outbound Provisioning, then select All Enabled Applications and click Start Sync.
   Automatic: Settings > Users > Outbound Provisioning > Run synchronization daily for all enabled applications. In addition to the daily synchronization job, provisioning synchronization occurs automatically whenever one of the following events occurs:
      Add a user, group, contact, or resource
      Modify attributes for a user, group, contact, or resource
      Disable a user in the source directory (if this option is selected)
      Delete a user, group, contact, or resource
      Modify a role that's provisioned (add or remove a user or group)

All users, one application
   As needed (on demand): Settings > Users > Outbound Provisioning, select the application and click Start Sync.
   Automatic: If Sync Daily is selected, the identity platform synchronizes user accounts for all provisioned applications for all users.

Single user's provisioned applications
   As needed (on demand): Core Services > Users page > Select a user > User Management > Sync All Apps. (You can also right-click a user.)
   Automatic: If Sync Daily is selected, the identity platform synchronizes user accounts for all provisioned applications for all users.

The identity platform does a preview synchronization and doesn't save the changes for applications that are set to Preview Mode. For provisioning-enabled applications in Live Mode, the identity platform synchronizes user accounts to the target applications and saves those changes. The identity platform generates one report that includes information on both the preview and live mode applications.

Note: To deprovision deleted users or users in deleted objects, the connector must have permissions to read the deleted objects container in AD. Refer to Referencing accounts from Active Directory/LDAP for more information.

Previewing user synchronization for an application

After you enable and configure an application for provisioning, it can be helpful to preview the results from synchronizing user account data with the application. You can run a preview synchronization for a single provisioned application or for all provisioned applications. A preview synchronization runs mostly the same as a regular synchronization; for example, you still get a synchronization report emailed to you. The only difference is that the changes aren't actually made to the user account in the target application (such as Salesforce, Office 365, and so forth).

To generate a preview synchronization report:

1. In Admin Portal, specify the email addresses to which the identity platform sends provisioning reports. If you've already done this, go to Previewing user synchronization for an application.
   a. Go to Settings > Users > Outbound Provisioning.
   b. In the email address for report delivery field, enter one or more email addresses. Separate addresses with semicolons (;) or commas (,). You must supply at least one valid address.
2. Open the provisioning-enabled application and click the Provisioning tab.
3. Select Preview Mode.
4. In Admin Portal, go to Settings > Users > Outbound Provisioning.
5. Select the desired reporting options:

   Send report on full sync: Select this option if you want to receive a synchronization report even if there are no errors. If you deselect this option, you receive a report only if there are synchronization errors.

   Send report on individual sync: Select this option if you want to receive a synchronization report when you synchronize provisioned applications for a specific user. (You do this by going to the Users page, selecting one or more users, and then selecting Sync All Apps.) When you've selected this option, you also receive a synchronization report whenever a user or role is modified and triggers an automatic synchronization. You receive a separate email for each affected user. If you don't select this option, you receive just the regular, consolidated synchronization reports from daily synchronizations or when you synchronize users for a specific application.

   Include debug trace in the report: Select this option if you want more detailed information in your synchronization report. The additional details are code-like and intended for debugging purposes only.
6. Select either a specific provisioning-enabled application by its name or All Enabled Applications.

   Note: Applications that you've set to run in preview mode display in the list here with (Preview) appended to the application name.
7. Click Start Sync.

  A message prompts you for confirmation.
8 Click Yes to continue. A message informs you that the synchronization has begun.
9 Click OK to continue. The identity platform works out the changes it would make to user account information in the specified applications and emails a report to you; in Preview Mode, nothing is changed in the target applications.
10 Review the preview report and the changes that would have been made if it had been a live synchronization. Adjust the application's role mappings, if needed.

Synchronizing user accounts with provisioned applications

Even if you have configured daily synchronization, you can synchronize users at any other time as needed; the changes since the last synchronization are pushed to the identity platform and the applications.

Note You must have enabled at least one application for provisioning before you can run a synchronization job.

To synchronize user accounts for a provisioned application

1 In Admin Portal, go to Settings > Users > Outbound Provisioning.

2 Select the desired reporting options:

  Option: Send report on full sync
  Description: Select this option if you want to receive a synchronization report even if there are no errors. If you deselect this option, you receive a report only if there are synchronization errors.

  Option: Send report on individual sync
  Description: Select this option to receive a separate report for each user that was synchronized. If this option is not selected, the identity platform sends you a consolidated user synchronization report.

  Option: Include debug trace in the report
  Description: Select this option if you want more detailed information in your synchronization report. The additional details are code-like and intended for debugging purposes only.

3 In the Synchronization section, select a specific provisioned application, or select All Enabled Applications.

4 Click Start Sync. A message prompts you for confirmation.
5 (Optional) If you need to re-synchronize all objects, not just the changed objects, select Bypass caching and re-sync all objects. Consider this option when so many users or objects (such as groups, contacts, or resources) were changed in an application that re-syncing every object manually would be impractical. Bypassing the cache and re-syncing all objects takes longer to complete.
6 Click Yes to continue. A message informs you that the synchronization has begun.
7 Click OK to continue. The identity platform synchronizes changes in user account information to the specified applications and emails a report to you.

Running a synchronization job for a specific user account

You can run a provisioning synchronization job for a single user from the user account's details page in Admin Portal. This is helpful when you have just added a new user and assigned the user to Admin Portal roles that are mapped to provisioned applications. When you synchronize just one user account, the identity platform updates only the applications to which the user is assigned, and only the information for the selected user. You can perform this operation either from the Users page or from a user's details page.

To synchronize a user for just the applications to which the user is provisioned

1 In Admin Portal, go to the Core Services > Users page.
2 Select a user.
3 From the pop-up menu, select User Management > Sync All Apps. A message prompts you for confirmation.
4 Click Yes to continue. A message informs you that the synchronization has begun.
5 Click OK to continue. The identity platform synchronizes changes in user account information to the specified applications and, if you have selected the Send report on individual sync option, emails a report to you.

Configuring automatic, daily user synchronization

You can configure the identity platform to synchronize user accounts daily. This is the recommended approach. If you do not configure daily synchronization, you can synchronize users as needed by clicking Start Sync. After every user synchronization, the identity platform emails a report to the specified addresses.

Note The identity platform synchronizes user accounts daily at a random time within the selected time box. Subsequent daily synchronizations happen every 24 hours thereafter.

To configure daily synchronization for all provisioned applications

1 In Admin Portal, go to Settings > Users > Outbound Provisioning.
2 Select Run synchronization daily for all enabled applications. The Sync Start Time (UTC) drop-down menu appears.
3 Select a time box from the Sync Start Time (UTC) drop-down menu. Time boxes are one hour long and are listed in both UTC and local time. You can change the preferred time box at any time.
  Note The Sync Start Time (UTC) drop-down menu is a required field.
4 Click Save. The identity platform synchronizes users at a random time within the selected time box, and then every 24 hours at approximately that same time for as long as Run synchronization daily for all enabled applications is enabled.

Customizing the application provisioning script

Each application that you can enable for provisioning provides a Provisioning Script section in the application configuration settings. For most applications, you will not need to edit this. If needed, and if you are knowledgeable about JavaScript, you can edit the provisioning script to accommodate custom deployment situations. For example, in Office 365 v2 you can edit the provisioning script to handle users whose login domain does not match the Office 365 federated domain. You can test how the script works with a sample user. The scripting interface also lists the fields available in both the source directory service, such as Active Directory or the Centrify Directory, and the target directory, such as the user accounts in Salesforce or Office 365.

Note Editing the provisioning script is for advanced users who understand JavaScript. If you edit the provisioning script incorrectly, the script may not function and your users will not be synchronized successfully.

Reviewing the job history

The identity platform creates jobs automatically based on either a daily schedule or an event, or you can manually initiate different types of jobs. The most common jobs run by the identity platform are provisioning jobs. You can use the Job History to learn more about jobs processed in the last 30 days:
  Who requested the job.
  When the job started and completed.
  When the notification was sent.

Note Jobs older than 30 days are deleted from the job history.

To review the job history:

1 In the Admin Portal, go to Settings > Users > Outbound Provisioning.
2 Click View Synchronization Job Status and Reports.

Adding and removing users to and from provisioned applications

This section covers managing users for provisioned applications.

Adding a new user to the system and to applications

You can quickly add a new user to your directory service and then assign the user to roles, which in turn assign the user to applications. The identity platform creates the new account in the provisioned applications automatically.

The basic process of provisioning users is: add the user in your directory service, then assign the user to roles as needed. For each application that the user needs access to, assign the user to a role that is assigned to that application. For non-provisioned applications, you may also need to create the user account in the web application itself (each application varies).

Adding an existing user to a provisioned application

If you have an existing user account that you need to add to a provisioned application, simply add the user to a role that is assigned to the application. Then run a preview synchronization to confirm that the user would be added to the application. Set the application back to Live Mode and synchronize to ensure that the user is actually provisioned to the application.

Removing a user from an application but keeping the user in the system

You can remove a user from an application by removing the user from the Admin Portal role that is assigned to the application. If the user is assigned to a role by way of an Active Directory group, then you need to either remove the group from the role assignment or remove the user from that AD group. After you remove a user from a role that is mapped to a provisioned application, the identity platform automatically deactivates the user account in the provisioned application.

To remove a user from one or more applications

1 Open the Core Services > Users page, and click the user that you want to remove. The User details page opens. On this page you can see the user account information, login and application launch activity, the user's mobile device status, all roles that the user is assigned to, and the applications that the user has been added to by way of provisioning.
2 Click Provisioned Applications. The identity platform lists the applications that this user has been successfully added to by way of provisioning.
  Tip Make a note of the applications that the user has been provisioned for. When you are done removing the user, launch each provisioned web application and verify that the user account has been deactivated or removed in that application.
3 Remove the user from each Admin Portal role to which the user is assigned.
  a Open the Core Services > Roles page, and click a role that the user is assigned to.
  b Click Members, and click Edit.
  c In the Edit Members dialog box, click the user in the Selected column and move the user to the Available column.
  d Click OK to close the Edit Members dialog box.
  e Click Save to save the role changes.

4 If the user account is in your Active Directory, remove the user from each Active Directory group that is assigned to an Admin Portal role which is assigned to the provisioned application.
5 For the provisioned applications that the user was assigned to, launch the application and view the user list to verify that the user has been set as inactive.
  Note Many applications mark a removed user as inactive instead of deleting the user account completely.
6 For applications that are not automatically provisioned, launch the application and mark the user account as inactive yourself.

Removing a user from an application and the system

If you need to completely remove a user from the system, remove the user from the originating directory service (such as Active Directory or the Centrify Directory).

User account synchronization tips

A few other things to know:
  Before you can delete a provisioned application, you must first remove its role mappings.
  Only one synchronization process can run at a time.
  You specify which users have access to the application with the roles you add in the application's User Access tab. You specify what kind of access users have in the target application by assigning roles in the Provisioning > Role Mappings area.
  The identity platform disables the Account Mapping page for applications that are enabled for provisioning. For Office 365 v2, the Account Mapping page is not available and does not display. The User Access page is still available for provisioned applications.
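The following is an added example, not Centrify's code and not a description of the identity platform's internals. It models the behaviour this section and the later section Provisioning users for your app based on roles describe: a user lands in the destination group of the first matching role mapping in list order, a preview run only reports what would change, a live run applies it, and removing a user from every mapped role deactivates (rather than deletes) the account in the application. The data structures, function names and sample roles are invented for illustration.

```python
"""Added example (not Centrify's code): role-based provisioning decisions in
Preview Mode versus Live Mode. All structures here are invented for
illustration; the identity platform's internals are not public.
"""
from dataclasses import dataclass, field


@dataclass
class AppAccount:
    username: str
    group: str
    active: bool = True


@dataclass
class TargetApp:
    """Stand-in for a provisioned application's user store."""
    accounts: dict = field(default_factory=dict)   # username -> AppAccount
    groups: set = field(default_factory=set)


def resolve_group(user_roles, role_mappings):
    """Destination group for a user: role_mappings is an ordered list of
    (role, destination_group) and the first mapping whose role the user holds
    wins, i.e. the mapping nearer the top of the Role Mappings list."""
    for role, group in role_mappings:
        if role in user_roles:
            return group
    return None


def plan_sync(users, role_mappings, app):
    """Compute the changes a synchronization would make.

    users: {username: set_of_roles}. Returns (action, username, group)
    tuples with action in create_group, create, move, deactivate."""
    plan = []
    wanted = {}
    for username, roles in users.items():
        group = resolve_group(roles, role_mappings)
        if group is not None:
            wanted[username] = group
    for username, group in wanted.items():
        if group not in app.groups:
            plan.append(("create_group", None, group))
        acct = app.accounts.get(username)
        if acct is None:
            plan.append(("create", username, group))
        elif not acct.active or acct.group != group:
            plan.append(("move", username, group))   # also reactivates
    # A user removed from every mapped role is deactivated, never deleted,
    # matching the guide's note that many apps mark removed users inactive.
    for username, acct in app.accounts.items():
        if acct.active and username not in wanted:
            plan.append(("deactivate", username, None))
    return plan


def run_sync(users, role_mappings, app, live=False):
    """Preview Mode (live=False) returns the plan without touching the app;
    Live Mode applies it and returns the same plan."""
    plan = plan_sync(users, role_mappings, app)
    if not live:
        return plan
    for action, username, group in plan:
        if action == "create_group":
            app.groups.add(group)
        elif action == "create":
            app.accounts[username] = AppAccount(username, group)
        elif action == "move":
            app.accounts[username].group = group
            app.accounts[username].active = True
        elif action == "deactivate":
            app.accounts[username].active = False
    return plan


# Constructed sample data: two roles mapped in priority order.
SAMPLE_MAPPINGS = [("Sales Admins", "sales-admins"), ("Sales", "sales-users")]
SAMPLE_USERS = {
    "alice": {"Sales", "Sales Admins"},   # in both roles: top mapping wins
    "bob": {"Sales"},
    "carol": set(),                       # removed from all mapped roles
}


def sample_app():
    """Application state before the sync: carol already provisioned."""
    app = TargetApp()
    app.groups.add("sales-users")
    app.accounts["carol"] = AppAccount("carol", "sales-users")
    return app


if __name__ == "__main__":
    app = sample_app()
    for step in run_sync(SAMPLE_USERS, SAMPLE_MAPPINGS, app, live=False):
        print("preview:", step)
    run_sync(SAMPLE_USERS, SAMPLE_MAPPINGS, app, live=True)
    print({u: (a.group, a.active) for u, a in app.accounts.items()})
```

Running the preview first and inspecting the plan before switching to live is exactly the workflow the guide recommends for adding an existing user: the preview shows alice landing in sales-admins (not sales-users) because Sales Admins is listed first, and shows carol being deactivated, without changing anything until the live run.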

Setting up generic SCIM provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your SAML apps. For more information about SCIM, see

If your SAML application supports SCIM, you can enable provisioning for it by entering the Access Token and SCIM URL.

Note Before configuring your application for provisioning, you must:
  install, configure, and deploy the app
  give Manage Accounts and Manage Groups permissions to the app
  get an Access Token for the app

Note The Access Token is only displayed once, when you create the app, and it never expires. Treat it as a long-lived administrative credential and store it in a secure location.

Continue with Configuring your app in Admin Portal for automatic provisioning.

Configuring your app in Admin Portal for automatic provisioning

To configure your app in Admin Portal for automatic provisioning:

1 Click the Provisioning tab.
2 Select Enable provisioning for this application.
3 Select either Preview Mode or Live Mode.

  Preview Mode: Use Preview Mode when you are initially testing application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make, but the changes are not saved.
  Live Mode: Use Live Mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application's account information.

  Note SCIM does not mandate any particular way to authenticate with the application provider, but you will need to provide a SCIM URL and an access token that the application accepts. The access token and SCIM URL are generally available from the application's admin console, or by contacting support for the application. Another option is to obtain an access token using OAuth 2.0.

4 Enter the URL you want to use for the SCIM Service URL.
5 Select either OAuth 2.0 or Authorization Header as your Authorization Type. OAuth 2.0 uses an authorization workflow to obtain an access token; Authorization Header supplies the credentials directly. Your choice of Authorization Type determines the next few steps. Where you find the information you provide varies depending on the app you are configuring; if you need help locating it, contact support for the company that makes the app.

  If you select OAuth 2.0, fill in these fields:

  Admin Portal > Provisioning    What you do
  Authorize URL                  Copy the URL the admin will use to authorize access to the application, and paste it here.
  Access Token URL               Copy the URL where the admin can get an access token for the app after authorization, and paste it here.
  Client ID                      Copy the ID generated when you create the client app entry, and paste it here.
  Client Secret                  Copy the password or access token generated when you create the client app entry, and paste it here.
  Scope                          Copy the statement of permissions to be granted to Centrify and paste it here. To enable provisioning, Centrify needs read and write permission to users and groups.

  If you select Authorization Header, you have a choice of Header Type. Select Bearer Token if your app requires the header in the format Bearer <your_access_token>. Select Basic if your app requires HTTP Basic authentication. Select Direct if your app uses some other format.

  a If you select Bearer Token, fill in this field:

  Admin Portal > Provisioning    What you do
  Bearer Token                   Copy the access token issued by the app and paste it here.

  b If you select Basic, fill in these fields:

  Admin Portal > Provisioning    What you do
  Admin Name                     Copy the login name for the admin and paste it here.
  Admin Password                 Copy the login password for the admin and paste it here.

  c If you select Direct, fill in this field:

  Admin Portal > Provisioning    What you do
  Header Value                   Copy the exact value of the header and paste it here. The header value is usually in the form <Token_Type> <Actual Token>, for example: Example_Token xyztoken122

  For more information about other types of headers that can be used, see US/docs/Web/HTTP/Headers/Authorization

6 Click Verify to have the Centrify Identity Platform verify the connection and save the provisioning details.
  Note If you later change any of the fields on the Provisioning page in Admin Portal, you are offered two options when you click Verify. Verify Credentials checks only the fields above the Sync Options section. Verify and re-detect settings refreshes the entire page, overwriting any changes you have made to the Sync Options, Deprovisioning options, and Provisioning Script.
7 Continue with Provisioning users for your app based on roles.

Provisioning users for your app based on roles

Here you specify an Admin Portal role and specify that users in that role are matched to existing or new accounts in your app, in the groups that you specify. When you change any role mappings, the Centrify Identity Platform synchronizes the user account and role mapping changes immediately.

Provisioning assigns users access and group membership based on the top-most matching role mapping. The order in which the roles appear in the Role Mappings section matters: the role at the top of the list has priority when provisioning users. For instance, if a user is in multiple roles that you have mapped for provisioning, the Centrify Identity Platform provisions the user based on the role nearer the top of the list. For more details, see Setting up app-specific provisioning.

To automatically provision users with accounts:

1 First, make sure that you have entered and verified the provisioning credentials.
2 In the Provisioning page, go to the Role Mappings section.
3 Click Add to open the Role Mapping dialog box.
4 Select a Role.
5 Click Add and select a Destination Group from the drop-down list. A Destination Group named after the selected role is automatically added to the list of groups available in the drop-down list. If you select that Destination Group, a group with that name is created in the application; if the Destination Group already exists in the application, the existing group is used and no new group is created. The users that are members of the role are added as members of the Destination Group. Alternatively, you can type a new group name to map to the selected role; that Destination Group is also created in the application. If the role is later removed from the role mapping, the Destination Group remains in the application without any membership changes. Changing the role or the role name does not affect group creation unless the group name in the role mapping is also changed.
6 (Optional) Add more Destination Groups by repeating the previous two steps.
7 Click Done to save the role mapping and return to the Provisioning page.
8 Continue adding role mappings as desired. To change a mapping, select the role mapping and click Modify from the Actions list. To remove a mapping, select the role mapping and click Delete from the Actions list.
  Note The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.
9 When you are done, click Save to save the provisioning details. Whenever you change the provisioning role mapping, the Centrify Identity Platform runs a synchronization automatically. You can also run a preview synchronization or a live synchronization, if desired.

Provisioning Active Directory Groups

If you have already organized your users into AD groups, it may be more efficient to provision the AD groups to the application rather than creating the groups individually in the application. Provisioning an AD group and its members to the application consists of the following two steps, which can be performed in any order:
  Provision the AD groups to the application using the Sync groups from local directory to target application option. If there are any AD groups you wish to exclude from provisioning, you can do so with the Provisioning Script. Any members of the group that have not already been provisioned through role mapping are listed in the dirsync report.
  Provision the members of the AD group to the application using Role Mapping. If you have Sync groups from local directory to target application enabled, the Destination Group setting in Role Mappings is ignored and the users are provisioned into the synced AD groups.

Note the following about provisioning AD groups:
  An email address is required for the AD group.

  Support for provisioning nested groups depends on the service provider.
  If an AD group has the same name as an existing group in the application, Centrify Identity Services recognizes the existing group by name during provisioning and updates it with the AD group's attributes.
  If you use the option to provision AD groups, Centrify Identity Services ignores the Destination Group setting in Role Mappings. Provisioning AD groups and provisioning users to existing groups using role mapping are mutually exclusive.
  You cannot deprovision the groups by disabling or deleting them in Active Directory.

Note If you want to provision AD groups, you need to deploy a new application in the Admin Portal; the feature is not backwards compatible with previously deployed applications.

To provision Active Directory Groups

1 Open the SAML application in Admin Portal.
2 Click the Provisioning tab.
3 Select Sync groups from local directory to target application, then click Save. When you start the provisioning job, Centrify Identity Services provisions all AD groups that have an email address to the application.
  Note This option overrides the Destination Group setting in Role Mappings.
4 Add roles to Role Mappings as necessary, then click Save.
  Note There is no need to specify Destination Groups, since this setting is ignored in favor of the AD groups when Sync groups from local directory to target application is selected. All users that belong to your AD groups should also belong to a role in Role Mappings. In addition, an email address is required for every user that you want to provision.
5 (Optional) Filter out any AD groups that you do not want to provision using the provisioning script's reject() method. Directions and an example script are provided in the Provisioning Script box; uncomment and modify the script as necessary.
6 Manually sync the AD objects. Refer to Provisioned account synchronization options for more detail.

  Centrify Identity Services provisions all AD groups not filtered by the reject() method to the application. Any user objects in a mapped role are synced to the destination group in the application that matches the object's AD group (the Destination Group setting in Role Mappings is ignored).

For more information about SCIM provisioning

For more information about SCIM, see
For more information about other types of tokens that can be used (other than Bearer or Basic), see US/docs/Web/HTTP/Headers/Authorization
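As an added example, not code from Centrify or from any SCIM application, the following shows what the Authorization Header choices in the Configuring your app in Admin Portal section come down to on the wire (Bearer Token, Basic, and Direct), and the SCIM 2.0 requests an identity platform issues to verify its credentials, look up an existing account by userName, create an account, and deactivate one. The requests are built with the Python standard library but never sent, so it runs offline; the SCIM URL, token, user names and account IDs are constructed samples, and the request sequence is this example's, not the identity platform's documented behaviour.

```python
"""Added example, not Centrify's code: Authorization header types and the
SCIM 2.0 requests behind provisioning. Requests are built, not sent; the URL,
token, user names and IDs are constructed samples.
"""
import base64
import json
from urllib.parse import quote
from urllib.request import Request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def authorization_header(header_type, **creds):
    """Return the Authorization header value for the selected Header Type."""
    if header_type == "Bearer Token":
        # Bearer <your_access_token>
        return "Bearer " + creds["bearer_token"]
    if header_type == "Basic":
        # HTTP Basic: base64 of "admin_name:admin_password" (RFC 7617)
        raw = f"{creds['admin_name']}:{creds['admin_password']}".encode()
        return "Basic " + base64.b64encode(raw).decode()
    if header_type == "Direct":
        # The exact header value, e.g. "Example_Token xyztoken122"
        return creds["header_value"]
    raise ValueError(f"unknown header type: {header_type!r}")


def scim_request(scim_url, auth_value, method, path, body=None):
    """Build (without sending) a SCIM request under the configured SCIM URL."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(scim_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", auth_value)
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


def verify_request(scim_url, auth_value):
    """What the Verify step amounts to: an authenticated read that fails fast
    if the SCIM URL or the credentials are wrong."""
    return scim_request(scim_url, auth_value, "GET", "/ServiceProviderConfig")


def find_user_request(scim_url, auth_value, user_name):
    """Look up an existing account by userName so it is reused, not duplicated."""
    # Escape quotes in the value so it cannot break out of the filter string.
    safe = user_name.replace("\\", "\\\\").replace('"', '\\"')
    path = "/Users?filter=" + quote(f'userName eq "{safe}"', safe="")
    return scim_request(scim_url, auth_value, "GET", path)


def create_user_request(scim_url, auth_value, user_name, email):
    """Provision a new, active account."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return scim_request(scim_url, auth_value, "POST", "/Users", body)


def deactivate_user_request(scim_url, auth_value, user_id):
    """Deprovisioning sets active=false; it does not DELETE the account."""
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return scim_request(scim_url, auth_value, "PATCH", f"/Users/{user_id}", body)


if __name__ == "__main__":
    url = "https://app.example.com/scim/v2"          # constructed
    auth = authorization_header("Bearer Token", bearer_token="xyztoken122")
    for req in (verify_request(url, auth),
                find_user_request(url, auth, "j.doe"),
                create_user_request(url, auth, "j.doe", "j.doe@example.com"),
                deactivate_user_request(url, auth, "2819c223")):
        print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

Two points worth noticing: the Basic option transmits the admin password on every request (only base64-encoded, not encrypted), so it is only as safe as the TLS connection to the SCIM URL; and deprovisioning is a PATCH of active to false, which is why the guide tells you to expect removed users to show as inactive rather than deleted in the application.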

How to configure inbound provisioning

You can provision user data from specified systems into Active Directory using inbound provisioning. Currently, Centrify only supports inbound provisioning from Workday. After you configure inbound provisioning, you can define synchronization schedules to synchronize user data from Workday to Active Directory. It is also possible to edit certain user attributes in AD and write those values back to Workday.

If you have existing Workday users in Active Directory, a lookup is performed at sync time using the Workday ID and the Active Directory sAMAccountName. Users whose values match are considered the same user and are paired up accordingly.

Prerequisites

Before you start configuring inbound provisioning in Admin Portal, confirm that you have done the following:
  Configured Workday for inbound provisioning. See Configuring Workday.
  Stored a domain administrator account in Centrify Identity Services. This step is only required if the Centrify Connector is not run by a domain administrator. See How to store domain administrative accounts.
  Populated the relevant user data in Workday.
  Installed the Centrify Connector. See How to install a Centrify Connector.

Configuring Workday

You must configure Workday for inbound provisioning before you start configuring Admin Portal. You must be a systems administrator in Workday to perform these tasks.

Creating an integration system user

The integration system user you create here must have the staffing and human resources web services privilege. This privilege is necessary for Centrify Identity Services to call the Workday API to pull the user data. You will need the integration system user name and password when adding the Workday source in Admin Portal.

To create an integration system user

1. In the Workday Workbench, enter create user in the search box, and then click the Create Integration System User link.
2. Provide a user name and password for the new Integration System User. Make a note of the user name and password, because you will need them to configure the source in Admin Portal.
3. Leave the Require New Password at Next Sign In option unchecked, because this user will be logging on programmatically.
4. Leave Session Timeout Minutes at its default value of 0, which prevents the user's sessions from timing out prematurely.
5. Click OK.

Creating a security group

This procedure creates an unconstrained integration system security group.

To create a security group

1. Enter create security group in the search box, and then click the Create Security Group link.
2. Select Integration System Security Group (Unconstrained) from the Type of Tenanted Security Group drop-down list, to create a security group to which members are added explicitly.
3. Click OK.

Assigning the integration system user to the security group

You are now ready to assign the integration system user to the security group.

To assign the integration system user to the security group

1. Enter edit security group in the search box, and then click the Edit Security Group link.
2. Search for the security group using the Security Group search box and select it.
3. Add the integration system user as a member, and click OK.

Configuring security group options

This procedure grants the new security group Get permissions on the objects secured by the following domain security policies:
  Manage: Organization Integration
  External Account Provisioning
  Worker Data: Public Worker Reports
  Worker Data: All Positions
  Worker Data: Current Staffing Information
  Worker Data: Business Title on Worker Profile
  Worker Data: Organization Information

To configure security group options

1. Enter domain security policies in the search box, then click the Domain Security Policies for Functional Area link.
2. To configure Manage: Organization Integration:
   a. Enter Organization and Roles in the Functional Area text box and select Organization and Roles.

   b. Click OK.
   c. Click Manage: Organization Integration.
   d. Click Edit Permissions and grant Get permissions to the new security group.

   e. Click OK > Done.
3. To configure External Account Provisioning:
   a. Navigate back to the Domain Security Policies for Functional Area page (typically by placing the cursor in the domain security policies search box and pressing Enter).
   b. Enter System in the Functional Area text box and select System.
   c. Click OK.

   d. Expand Security Administration in the list of security policies for the System functional area and select the External Account Provisioning domain security policy.
   e. Click the Edit Permissions button. The Edit Permissions screen opens.
   f. Add the new security group to the list of security groups with Get integration permissions: click the + icon in the Security Groups area, enter the name of your group, and enable the associated Get permission.

   g. Click OK > Done.
4. To configure the Worker Data security policies:
   a. Navigate back to the Domain Security Policies for Functional Area page (typically by placing the cursor in the domain security policies search box and pressing Enter).
   b. Enter Staffing in the Functional Area text box and select Staffing.
   c. Click OK.
   d. Expand Worker Data: Staffing in the list of security policies for the Staffing functional area and assign Get permissions for each of these remaining security policies:
      Worker Data: Public Worker Reports
      Worker Data: All Positions
      Worker Data: Current Staffing Information
      Worker Data: Business Title on Worker Profile
      Worker Data: Organization Information

Activating security policy changes

To activate the security policy changes

1. Enter activate in the search box and click the Activate Pending Security Policy Changes link.

2. Enter a comment for auditing purposes.
3. Click OK.
4. Enable the Confirm check box.
5. Click OK.

Adding a source

You must identify the source (system) from which you are provisioning user data. Currently only provisioning from Workday is supported.

Important: You must meet all prerequisites before you start adding and configuring a provisioning source. See Prerequisites.

To add and configure a source

1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Click Add Source (on the Sources tab) to start defining the Workday service information. The Provisioning Source window opens.

   a. Select the source environment type that you are configuring:
      Workday (Integration): Select if you are configuring the synchronization for an integration or test environment.
      Workday (Production): Select if you are configuring the synchronization for a production environment.
   b. Select the Enable check box to enable the feature.
      Note You can configure the feature first, then enable it when you are ready.
   c. (Optional) Select the Enable write-back check box to enable the write-back feature. The write-back feature allows you to change certain attributes of the user object in AD, then sync those changes back to Workday. You specify the attributes that you want to sync back to Workday in Defining provisioning rules.
   d. Enter a Name for this source.

111 e. Enter the Workday server URL in the specified format ( cloud_host_name>/ccx/service/<tenant>) into the URL field. Sample production URL: If you are setting up a test environment, in other words you have selected Workday (Integration) in step 3a, then you must append _pt1 to the URL. Sample integration URL: For help getting the Workday cloud hostname, see Getting the Workday cloud hostname. f. Enter the Integration User Name appended and your tenant ID. For example if the integration user name in Workday is johnintegrationuser and your tenant ID is foocompany, then you must enter here. This integration system user must have staffing and human resources web services privilege. This privilege is necessary for Centrify Identity Services to call the Workday API to pull the user data. See Creating an integration system user for instructions on generating the user name. g. Enter the Integration Password. h. Click Verify to verify the integration user name and password combination. 4. (Optional) Click the Reports Integration option to configure Centrify Identity Services for custom attributes. Before you can configure Centrify Identity Services to use custom attributes, you must first create the custom attributes in Workday. See Generating and using custom attributes. 5. (Optional) Click Sync Settings to configure new hire pre-provisioning and time offsets. a. Specify the Enable New Hire Pre-Provisioning options to tell Centrify Identity Services to provision a user prior to the user employment start date. For example, if you have users starting 2 days after your synchronization action, you can tell Centrify Identity Services to synchronize those user data to Active Directory by setting the Interval field to 48 hours. If you do not configure this option, those users will not be provisioned until the start date or later (based on your synchronization schedule). b. Enable Run incremental sync automatically and specify the sync frequency in minutes. 
See How to configure inbound provisioning for more sync options.
c. Specify the time offset between your Workday tenant and UTC in the Workday Tenant UTC Offset (minutes) option, to prevent delayed or premature user data synchronization. Synchronizations run on UTC time; if your tenant's clock differs from UTC, this offset compensates for the difference.
d. Enable Do not create new users (update existing users only) if you want the sync job to update existing user data only and never create new users in Active Directory.
e. Enable Ignore sync cache if you want to sync with Workday regardless of the existing user data in Active Directory. Centrify Identity Services keeps a cache of Workday user data; if administrators change user data directly in Active Directory, that data drifts out of sync with Workday. This option makes Centrify Identity Services ignore the existing Active Directory data and resync from Workday. Enabling it also exposes Discard directory identifiers for cached entries; enable that option if you want Centrify Identity Services to discard the user IDs it has stored for Active Directory objects and rediscover users by UPN or sAMAccountName.
6. Click Save. The configured source is listed in the Sources table.

Getting the Workday cloud hostname

You need the Workday cloud hostname to build the Workday server URL required when adding the data source. The following steps are standard, but yours may differ slightly depending on your Workday customizations.

To get the Workday cloud hostname
1. Log in to Workday as an administrator.
2. Enter Public Web Services into the search box.
3. Select Public Web Services.
4. Click Actions > Web Service > View URLs.
5. Click Workday XML. A new tab opens with a URL ending in pt1/public_web_services.
6. Copy the hostname portion of that URL.
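The Sync Settings above (step 5) are easy to get subtly wrong: a forgotten tenant UTC offset shifts every hire date by the offset, so a 48-hour pre-provisioning window can silently become 38 or 58 hours, and a worker is created a run late or a run early. The following is an added example, not code from the Centrify guide, that models that decision so you can check your settings against a known hire date. The field names (hireDateLocal, status, the settings keys) are assumptions for illustration; the sample worker and settings are constructed.

```javascript
// Added example, not from the Centrify guide: given the Sync Settings from
// step 5 (New Hire Pre-Provisioning interval in hours, Workday Tenant UTC
// Offset in minutes), decide whether a sync run at a given UTC instant
// should already create a worker's account. Field names (hireDateLocal,
// status, the settings keys) are assumptions for illustration.

// Workday reports the hire date in tenant-local wall-clock time. Convert it
// to UTC epoch milliseconds. offsetMinutes is how far the tenant is AHEAD of
// UTC (for example 600 for UTC+10, -300 for UTC-5).
function tenantLocalToUtcMillis(localWallClock, offsetMinutes) {
  const m = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})$/.exec(localWallClock);
  if (!m) throw new Error("expected YYYY-MM-DDTHH:MM, got " + localWallClock);
  const [y, mo, d, h, mi] = m.slice(1).map(Number);
  // 00:00 local at UTC+10 is 14:00 UTC the previous day, so subtract the offset.
  return Date.UTC(y, mo - 1, d, h, mi) - offsetMinutes * 60 * 1000;
}

// True when the account should exist after a sync run at nowUtcMillis:
// now >= hire date (UTC) minus the pre-provisioning lead time.
function shouldProvision(worker, settings, nowUtcMillis) {
  if (worker.status === "Terminated") return false; // never create terminated workers
  const hireUtc = tenantLocalToUtcMillis(worker.hireDateLocal, settings.tenantUtcOffsetMinutes);
  const leadMillis = settings.preProvisioningEnabled
    ? settings.preProvisioningIntervalHours * 3600 * 1000
    : 0;
  return nowUtcMillis >= hireUtc - leadMillis;
}

// Compare the decision made with the correct offset against one made with
// the offset left at 0, which is the misconfiguration the guide warns about.
function offsetEffect(worker, settings, nowUtcMillis) {
  return {
    withOffset: shouldProvision(worker, settings, nowUtcMillis),
    offsetIgnored: shouldProvision(worker, { ...settings, tenantUtcOffsetMinutes: 0 }, nowUtcMillis),
  };
}

// Constructed sample: tenant at UTC+10, 48-hour pre-provisioning, worker
// starting 2024-03-04 00:00 local, sync running 2024-03-01 20:00 UTC.
const sampleSettings = { preProvisioningEnabled: true, preProvisioningIntervalHours: 48, tenantUtcOffsetMinutes: 600 };
const sampleWorker = { status: "Active", hireDateLocal: "2024-03-04T00:00" };
const sampleNow = Date.UTC(2024, 2, 1, 20, 0);

if (typeof require !== "undefined" && require.main === module) {
  console.log(offsetEffect(sampleWorker, sampleSettings, sampleNow));
  // { withOffset: true, offsetIgnored: false }: ignoring the offset delays this hire by a run
}
```

For a tenant ahead of UTC the missing offset delays provisioning; for a tenant behind UTC it provisions early, which is the "premature" case the guide mentions. Run offsetEffect against a real upcoming hire date before the first scheduled sync to confirm the offset sign is what you expect.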

Defining provisioning rules

You define provisioning rules to identify users, map user attributes, and set other provisioning options. You can define more than one rule for each source. You must add and configure a source before you can define rules for it.

To define a provisioning rule
1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Click the + icon associated with the source you previously configured.
4. Enter a Name for this rule.
5. Select a Provisioning Rule Mode:
   Active -- Makes the rule active. Not recommended until you have finished all configuration; you must activate a rule before synchronizing.
   Preview -- Sets the rule to preview mode. Use this in a production environment to verify the user mapping between Workday and Active Directory before you make the rule Active.
   Inactive -- Sets the rule inactive. Recommended until you have finished all configuration steps; return and activate the rule when you are ready.
6. Select the Source Selection Rule to define the users to which this rule applies. If you are provisioning all your Workday users (All Users in the drop-down list) to one Organizational Unit (OU), skip the following sub-steps. If you are provisioning specific groups of users to specific OUs, do the following:

a. Click Add to select a specific group.
b. Select the Workday group from the drop-down list and click the associated Add button.
c. Repeat these sub-steps until you have added all relevant Workday groups.
7. Click Next.
8. Define the target directory and the specific OU into which users in the Workday groups are provisioned.
a. Select the relevant forest from the Target drop-down list. When you select the forest, Centrify Identity Services looks for the stored domain administrator account and shows a warning if one is not available (unless the Centrify Connector itself runs as a domain administrator). See How to store domain administrative accounts.
b. Select the relevant Domain.
c. Select the relevant Domain Controller.
d. In the Target OU area, select the OU, or expand an OU and select the groups, into which you want user accounts provisioned.
9. Click Next.
10. Map the attributes.
a. Review the required and automatically mapped attributes. You can delete optional attributes, and you can map additional attributes.
b. (Optional) Click Add and select the Target Attribute (the attribute name in Active Directory) to add an attribute. If only one Workday attribute matches, no Source Attribute list is displayed; click Add again to add the mapping and view it in the table. If more than one Workday attribute can map to the selected Active Directory attribute, select the Source Attribute (the attribute name in Workday) from the drop-down list, then click Add again to add the mapping and view it in the table. See Attribute Mapping for guidance on the less obvious attributes. Continue until all necessary attributes are mapped.
c. Click Next to configure additional provisioning rule options.
11. (Optional) Select the sync direction for each attribute.

This column is only available if you enabled the write-back feature for the source, and you can only change the sync direction for supported attributes. Note the following points about write-back behavior:
   You can only change the sync direction for supported attributes.
   There must be a 1:1 mapping between source and target attributes.
   The target attributes C, Co, CountryCode, L, PostalCode, St, and StreetAddress must all have the same sync direction: if one is set to Target to Source, all of them must be.
   Syncing the St (State) AD attribute to Workday is only supported when it is mapped to WorkdayUser.WorkRegionCode, not WorkdayUser.WorkRegion.
   The origin attribute wins in a conflict. For example, if a mapping's direction is Target to Source, the value in the Target (Active Directory) has priority.
   Deleting an attribute value in AD does not delete the value in Workday, even if the sync direction is Target to Source.
   Adding or deleting user objects in AD does not add or delete user records in Workday. Objects deleted from AD that still have matching Workday records are recreated at the next sync from Workday; objects added to AD are not deleted at the next sync.
12. (Optional) Configure the following attribute-related options.
   Set user's manager attribute -- If enabled, users' manager attributes in Workday are synchronized to Active Directory.

   Disable user in AD if worker employment status is terminated -- If enabled, users whose employment status in Workday is terminated are automatically disabled in Active Directory.
13. Specify the Password Type for new Active Directory user accounts.
   If you select Static Password, the same password is used for every new user. Every new account then shares one known secret, so anyone who learns it (including any new hire) can sign in as any other not-yet-onboarded user; prefer Generated Password with Require password change at next login for anything beyond a test environment. Provide the following information:
   a. Password -- The password to be used for all new users.
   b. Require password change at next login -- If enabled, new users must change their password after the initial log in. Disabled by default.
   If you select Generated Password, a different random password is generated for each new user. Provide the following information:
   a. Require password change at next login -- If enabled, new users must change their password after the initial log in. Disabled by default.
   b. Delivery options -- Select the email address to which the generated password is sent, to support your onboarding process. When new users are created in Active Directory, an email with their credentials is sent to the selected addresses.
      Send password to email address: Enter the email address to which the password is sent.
      Send password to user's manager: Sends the password to the manager's email address. Ensure that the address is specified in Workday.
      Send password to user's personal email: Sends the password to the user's personal email address. Ensure that the address is specified in Workday.
      If you select more than one option, the password is sent to all the selected addresses.
14. (Optional) Specify the Active Directory group to which you want users added. This option assigns the users to the selected Active Directory group.
   a. Enable the Add users to groups check box.
   b. Click Add in the Active Directory Group Options area. The Add Active Directory Group window opens.
   c. Confirm that the appropriate source is selected.

   d. Start typing the group name into the Search box to find the group.
   e. Select the group and click Add.
15. (Optional) Select Map Workday Provisioning Groups to Active Directory Groups if you want to map specific Workday provisioning groups to Active Directory groups.
   a. Enable the Map Workday Provisioning Groups to Active Directory Groups check box.
   b. Click the associated Add button.
   c. Select the Provisioning Group Name from the drop-down list.
   d. Confirm that the appropriate source is selected.
   e. Start typing the group name into the Search box to find the group.
   f. Select the group and click Add.
16. (Optional) Select Assign user to an OU upon termination if you want to specify the organizational unit (OU) into which terminated users are moved. If you do not enable this check box, terminated users remain in their current OU.
17. Click Save to save the rule configuration. The provisioning rule is listed in the Sources table.
18. If you did not set the rule to Active in step 5, click the rule to change its status, then click Save.
Define additional provisioning rules as needed. You can define more than one rule for each source.

Synchronizing Data

After you have configured the source and provisioning rule, you are ready to synchronize user data from Workday to Active Directory. You can manually trigger a full or incremental sync, or schedule incremental syncs. Full syncs are time and resource intensive, so they can only be triggered manually, and we recommend running one only when necessary. The initial sync must be a full sync. Only incremental syncs can be scheduled.

Configuring manual syncs

You can initiate a full or incremental sync manually.

To trigger a manual sync
1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Confirm that you have the source and provisioning rule configured, then click the Sync Options tab next to Sources.
4. Select either Incremental or Full in the Manual Sync Options area. The initial sync must be a full sync.
5. Select the source (a specific source or all configured sources) that you want to synchronize.
6. Click Run Sync.
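Before that first full sync, it is worth checking the rule's write-back settings against the constraints listed under step 11 of Defining provisioning rules, because a rule that violates them is only caught once the sync runs. The following is an added example, not code from the Centrify guide: a validator that encodes the documented rules (supported attributes only, 1:1 mapping, the address attributes sharing one direction, St written back only from WorkRegionCode). The mapping object shape, the direction strings, and the set of write-back-capable attributes passed in are assumptions, since the guide does not enumerate them; the sample rule is constructed.

```javascript
// Added example, not from the Centrify guide: check a rule's attribute
// mappings against the write-back constraints listed under step 11 of
// Defining provisioning rules before the rule is made Active. Each mapping
// is { target, source, direction }; the direction strings and the set of
// write-back-capable attributes passed in are assumptions, since the guide
// does not list them.

const ADDRESS_GROUP = ["C", "Co", "CountryCode", "L", "PostalCode", "St", "StreetAddress"];
const TO_WORKDAY = "TargetToSource"; // AD value wins and is written back to Workday
const TO_AD = "SourceToTarget";      // default: Workday value wins

function validateWriteBack(mappings, writeBackSupported) {
  const errors = [];
  const perSource = new Map();
  const perTarget = new Map();
  for (const m of mappings) {
    if (![TO_WORKDAY, TO_AD].includes(m.direction)) {
      errors.push(`${m.target}: unknown direction ${m.direction}`);
    }
    perSource.set(m.source, (perSource.get(m.source) || 0) + 1);
    perTarget.set(m.target, (perTarget.get(m.target) || 0) + 1);
  }
  for (const m of mappings) {
    if (m.direction !== TO_WORKDAY) continue;
    if (!writeBackSupported.has(m.target)) {
      errors.push(`${m.target}: sync direction cannot be changed for this attribute`);
    }
    // Write-back needs a 1:1 mapping: neither side may appear in another mapping.
    if (perSource.get(m.source) > 1 || perTarget.get(m.target) > 1) {
      errors.push(`${m.target} <-> ${m.source}: write-back requires a 1:1 mapping`);
    }
  }
  // The address attributes must all point the same way.
  const addressDirections = new Set(
    mappings.filter((m) => ADDRESS_GROUP.includes(m.target)).map((m) => m.direction)
  );
  if (addressDirections.size > 1) {
    errors.push(`${ADDRESS_GROUP.join(", ")} must all have the same sync direction`);
  }
  // St can only be written back when it is fed from WorkRegionCode.
  for (const m of mappings) {
    if (m.target === "St" && m.direction === TO_WORKDAY && m.source !== "WorkdayUser.WorkRegionCode") {
      errors.push("St: Target to Source is only supported when mapped to WorkdayUser.WorkRegionCode");
    }
  }
  return errors;
}

// Constructed sample rule containing three of the documented mistakes.
const sampleSupported = new Set(["C", "Co", "CountryCode", "L", "PostalCode", "St", "StreetAddress", "mobile", "telephoneNumber"]);
const sampleMappings = [
  { target: "St",              source: "WorkdayUser.WorkRegion",       direction: TO_WORKDAY }, // wrong source for write-back
  { target: "L",               source: "WorkdayUser.WorkMunicipality", direction: TO_AD },      // splits the address group
  { target: "PostalCode",      source: "WorkdayUser.WorkPostalCode",   direction: TO_WORKDAY },
  { target: "mobile",          source: "WorkdayUser.WorkMobile",       direction: TO_WORKDAY }, // same source mapped twice
  { target: "telephoneNumber", source: "WorkdayUser.WorkMobile",       direction: TO_AD },
  { target: "mail",            source: "WorkdayUser.WorkEmail",        direction: TO_AD },
];

function sampleErrors() {
  return validateWriteBack(sampleMappings, sampleSupported);
}
```

The three findings on the sample rule are exactly the conditions the guide lists; a rule that validates cleanly with the St mapping switched to WorkdayUser.WorkRegionCode, L set to Target to Source, and the duplicate WorkMobile mapping removed is the one to activate.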

Scheduling incremental syncs

Scheduled automatic syncs are limited to incremental syncs because full syncs are time and resource intensive. If you need to perform a full sync, trigger it manually. See Configuring manual syncs.

To schedule incremental syncs
1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Confirm that you have the source and provisioning rule configured, then click the + icon associated with the source you previously configured.
4. Click Sync Settings.
5. Enable the Run incremental sync automatically check box.
6. Specify how frequently you want to run the sync in the Frequency text box.
7. Click Save.

Configuring sync reports

You can configure Centrify Identity Services to send a report by email after each sync completes. (The sample report shown in the original guide is not reproduced here.)

To view the detailed job report through the link in the email, you must log in with full administrator privileges or read-only administrator privileges.

To configure sending of sync reports
1. Enable the Send report on sync completion check box if you want to receive a sync report.
2. Specify which syncs the report covers:
   All Syncs
   Incremental Syncs
   Full Syncs
3. Specify an email address to which reports are sent.
   a. Click Add. The default address is that of the logged-in system administrator. You can enter a different address by editing the default.

   b. Click the associated Add button. The address is added to the table.
   c. Repeat these sub-steps to add more addresses.
4. Click Save.

Generating and using custom attributes

In most cases, Workday automatically provides the attributes you need. Sometimes, however, you need custom ones. You can generate custom attributes in Workday and use Admin Portal to map them to Active Directory.

For example, the default attribute used to create a Common Name in AD is the Workday User. However, Workday does not generate an alphabetic Workday User attribute for contingent workers (contract or part-time workers); they are only issued a numeric ID. To give all workers human-friendly names, you can create a custom attribute by building a custom report in Workday and writing a script that maps the report's columns to the proper Active Directory attributes.

The high-level procedure for creating and using custom attributes is:
   Use Workday to create custom attributes by creating an advanced custom report. See Generating custom attributes.

   Use Admin Portal to connect Centrify Identity Services to the Workday report. See Adding Workday URLs to provisioning source.
   Use Admin Portal to run a script that maps each column in the report to the relevant Active Directory attributes. See Mapping custom attributes.

Generating custom attributes

You create custom attributes by creating an advanced custom report. After you create it, the report runs automatically with each data synchronization between Workday and Active Directory.

To create an advanced custom report
1. Log in to Workday.
2. Click Reporting & Analytics > Create Custom Report.
3. Provide the necessary information:
   Report Type - Select Advanced so that the report is accessible from web services.
   Data Source - Select All > All Active and Terminated Workers.
   Enable As Web Service - Enable the check box.
4. Click OK. The Edit Custom Report page opens.
5. In the Field text box, type workday_id and press Enter.

You must enter workday_id for the mapping and scripting to work. The text resolves to Workday ID.
6. (Optional) Click the + icon to enter additional custom fields.
7. Click OK > Done.
8. Share the report with the relevant integration groups or users. You most likely created these integration users or groups when you configured Workday for inbound provisioning; see Creating an integration system user or Creating a security group. Until you share the report, only you have access to it.
To share the report with the relevant integration groups or users
   a. Click Edit Custom Report.
   b. Click in the Report Name drop-down box, select My Reports, and select the newly created report.
   c. Click OK.

   d. Click the Share tab and select the Share with specific authorized groups and users radio button.
   e. In the Authorized Groups text box, enter the integration group (of which the integration user is a member) or the individual user that you specified in the Admin Portal source configuration. Type the first few letters of the group or user name and press Enter; matching names are displayed.
   f. Click OK.
9. Copy the XSD and JSON URLs for use in Admin Portal. Adding these URLs to Admin Portal connects Centrify Identity Services to the custom report.
To copy the URLs
   a. Hover over the report name in the Report Definition field and select the dotted icon next to the name. The Actions page slides open.

   b. Select Web Service > View URLs.
   c. Copy the XSD URL (in the Workday XML area) and the JSON URL by right-clicking each and selecting Copy URL.

You must add these URLs to the provisioning source in Admin Portal. See Adding Workday URLs to provisioning source.

Adding Workday URLs to provisioning source

Centrify Identity Services needs to read the custom report to get the attribute values. You enable this by adding the report's XSD and JSON URLs to the provisioning source in Admin Portal.

To add the XSD and JSON URLs to the provisioning source

1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Click the edit icon associated with the relevant source.
4. Click Report Integration on the Provisioning Source page.
5. Select the Enable Report Integration check box. The Base Report URL is prefilled automatically.
6. Paste the XSD URL (starting from ccx/service) into the Relative Schema (XSD) URL field.
7. Paste the JSON URL (starting from ccx/service) into the Relative JSON Data URL field. These URLs let Centrify Identity Services read the attribute values from the report.
8. Enter workday_id into the Worker Unique ID Field Name. This field name must match the one you entered in Workday (step 5) when you created the advanced custom report.
9. Enter the number of minutes Centrify Identity Services should wait for Workday to respond with the custom attribute data.
10. Click Save.

Mapping custom attributes

You can use Admin Portal to run a script that maps each column in the Workday report to the relevant Active Directory attributes. Below is the sample script. It writes the workday_id custom attribute to the sAMAccountName and userPrincipalName attributes in Active Directory and maps the standard Workday attributes to the remaining AD attributes. Property names are case-sensitive; replace the UPN suffix placeholder with your own domain.

    if (SyncContext) {
        trace("starting script");
        var sc = SyncContext;
        // Uncomment to dump every column the custom report returned for this worker.
        // trace(sc.SourceUserRecord.ReportRow.Dump());

        // workday_id comes from the custom report (see Generating custom attributes),
        // so it is populated for contingent workers too, who have no WorkdayUser value.
        sc.TargetUserRecord.sAMAccountName = sc.SourceUserRecord.ReportRow.Get("workday_id");
        var upnSuffix = "example.com"; // placeholder: replace with your UPN suffix
        sc.TargetUserRecord.userPrincipalName =
            sc.SourceUserRecord.ReportRow.Get("workday_id") + "@" + upnSuffix;

        if (sc.SourceUserRecord.WorkEmail) {
            var x = sc.SourceUserRecord.WorkEmail.indexOf("@");
            trace("work email @ at " + x.toString());
            trace("work email in upper case is " + sc.SourceUserRecord.WorkEmail.toUpperCase());
        }

        // Log the worker's Workday provisioning groups and their status.
        if (sc.SourceUserRecord.ProvisioningGroups) {
            var count = sc.SourceUserRecord.ProvisioningGroups.Count;
            trace("prov group count: " + count);
            for (var idx = 0; idx < count; ++idx) {
                trace("name: " + sc.SourceUserRecord.ProvisioningGroups[idx].Name +
                      ", Status: " + sc.SourceUserRecord.ProvisioningGroups[idx].Status);
            }
        } else {
            trace("provisioning groups not defined");
        }

        // Identity and naming attributes.
        sc.TargetUserRecord.cn = sc.SourceUserRecord.FirstName + "." + sc.SourceUserRecord.LastName;
        sc.TargetUserRecord.employeeID = sc.SourceUserRecord.EmployeeID;
        sc.TargetUserRecord.displayName = sc.SourceUserRecord.FormattedName;
        sc.TargetUserRecord.name = sc.SourceUserRecord.ReportingName;
        sc.TargetUserRecord.mail = sc.SourceUserRecord.WorkEmail;
        sc.TargetUserRecord.title = sc.SourceUserRecord.BusinessTitle;
        sc.TargetUserRecord.employeeType = sc.SourceUserRecord.PositionType;
        sc.TargetUserRecord.givenName = sc.SourceUserRecord.FirstName;
        sc.TargetUserRecord.sn = sc.SourceUserRecord.LastName;
        sc.TargetUserRecord.middleName = sc.SourceUserRecord.MiddleName;
        sc.TargetUserRecord.department = "My Department"; // constant in the sample; map from Workday as needed

        // Location attributes (see Attribute Mapping): c and co take the alphabetic
        // country codes, countryCode takes the numeric ISO 3166 code.
        sc.TargetUserRecord.c = sc.SourceUserRecord.Alpha2WorkCountry;
        sc.TargetUserRecord.co = sc.SourceUserRecord.Alpha3WorkCountry;
        sc.TargetUserRecord.countryCode = sc.SourceUserRecord.Numeric3WorkCountry;
        sc.TargetUserRecord.st = sc.SourceUserRecord.WorkRegion;
        sc.TargetUserRecord.postalCode = sc.SourceUserRecord.WorkPostalCode;
        sc.TargetUserRecord.l = sc.SourceUserRecord.WorkMunicipality;
        sc.TargetUserRecord.streetAddress = sc.SourceUserRecord.WorkAddressLine1 + "," +
            sc.SourceUserRecord.WorkAddressLine2;
        sc.TargetUserRecord.physicalDeliveryOfficeName = "1234 C";
        sc.TargetUserRecord.telephoneNumber = sc.SourceUserRecord.WorkMobile;
        sc.TargetUserRecord.mobile = sc.SourceUserRecord.WorkMobile;
        sc.TargetUserRecord.company = "Bunnies of doom";

        // The sample creates every account disabled; enable accounts deliberately
        // once onboarding is complete.
        sc.TargetUserRecord.Disabled = true;

        // Preserve the groups the account is already a member of. Uncomment the
        // two lines at the end to add a group by object GUID.
        if (sc.TargetUserRecord.MemberObjectGuids) {
            var newGroupList = [];
            for (var idx = 0; idx < sc.TargetUserRecord.MemberObjectGuids.length; ++idx) {
                trace("group guid is " + sc.TargetUserRecord.MemberObjectGuids[idx]);
                newGroupList.push(sc.TargetUserRecord.MemberObjectGuids[idx]);
            }
            // newGroupList.push("f1a7e28aa5bb4f59a3e6566fc69545e8");
            // sc.TargetUserRecord.MemberObjectGuids = newGroupList;
        } else {
            trace("MemberObjectGuids is empty or not defined.");
        }

        trace("term date is " + sc.SourceUserRecord.TerminationDate);
        trace("exiting script");
    }

To add a script for a provisioning rule
1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Select the provisioning rule for which you want to add the script.

4. Click the Attributes tab.
5. Confirm that the Use Attribute Mapping Script check box is enabled.
6. Click Load Sample to load the sample script.
7. (Optional) Click Test to verify that the script does what you intend.
   a. Enter a Worker ID for an employee with the relevant attributes.
   b. Select the Worker ID Type that corresponds to the worker ID you entered. For example, if you entered an ID for a contingent worker, select Contingent Worker.
   c. Click Next. The attribute values associated with the worker ID are displayed.

8. Update the script as necessary for your purpose.
9. Click Save. The script runs automatically whenever a synchronization between Workday and Active Directory is triggered.

Attribute Mapping

Most attributes map logically, but a few need additional guidance. This table documents those attributes.

Active Directory attribute   Possible Workday attributes               Notes
C, Co                        Alpha2WorkCountry or Alpha3WorkCountry    Options for the country code. Alpha2 maps to a 2-character code (for example, US); Alpha3 maps to a 3-character code (for example, USA).
CountryCode                  Numeric3WorkCountry                       Use for the numeric country code.
L                            WorkMunicipality                          Maps to the user's city.
Mail                         WorkEmail                                 Maps to the user's email address.
Sn                           LastName                                  Maps to the user's last name.
St                           WorkRegion                                Maps to the user's state or region. For write-back to Workday, St must be mapped to WorkRegionCode instead.

Editing a provisioning source

To edit a provisioning source after it has been created:
1. Log in to Admin Portal.
2. Click Settings > Users > Inbound Provisioning.
3. Click the pencil icon associated with the source. The Provisioning Source window opens for editing.
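The Test button in step 7 of the script procedure needs a live Workday connection and a real worker ID, which is inconvenient while the mapping logic is still changing. The following is an added example, not code from the Centrify guide: an offline stand-in for the SyncContext object the mapping script runs against, plus a small mapping function exercised against a constructed contingent worker, so the workday_id fallback and the country-code choices from the Attribute Mapping table can be checked before anything is pasted into the Attributes tab. The object shape (SourceUserRecord, TargetUserRecord, ReportRow.Get, trace) follows the sample script above; the worker records and the fallback rules in mapWorker are this example's own, and example.com is a placeholder UPN suffix.

```javascript
// Added example, not from the Centrify guide: an offline stand-in for the
// SyncContext object that the attribute mapping script runs against, so the
// mapping logic can be exercised before it is pasted into the Attributes tab.
// The object shape (SourceUserRecord, TargetUserRecord, ReportRow.Get, trace)
// follows the sample script; the worker records are constructed, and
// mapWorker's fallback rules are this example's own, not Centrify's.

function makeSyncContext(sourceFields, reportColumns) {
  const traces = [];
  const ReportRow = {
    // Returns null, as the script must expect, when the report has no such column.
    Get: (name) => (Object.prototype.hasOwnProperty.call(reportColumns, name) ? reportColumns[name] : null),
  };
  return {
    SourceUserRecord: { ReportRow, ...sourceFields },
    TargetUserRecord: {},
    trace: (msg) => traces.push(String(msg)),
    traces,
  };
}

// Builds the AD attributes for one worker. Regular employees have an
// alphabetic WorkdayUser; contingent workers only get a numeric ID, so the
// login name falls back to the workday_id column of the custom report.
function mapWorker(sc, upnSuffix) {
  const src = sc.SourceUserRecord;
  const dst = sc.TargetUserRecord;
  const hasAlphaUser = typeof src.WorkdayUser === "string" && /[a-z]/i.test(src.WorkdayUser);
  const login = hasAlphaUser ? src.WorkdayUser : src.ReportRow.Get("workday_id");
  if (!login) throw new Error("no login name for worker " + src.EmployeeID);
  // sAMAccountName is limited to 20 characters; the UPN is not.
  dst.sAMAccountName = String(login).toLowerCase().slice(0, 20);
  dst.userPrincipalName = String(login).toLowerCase() + "@" + upnSuffix;
  dst.cn = src.FirstName + "." + src.LastName;
  dst.mail = src.WorkEmail ? src.WorkEmail.toLowerCase() : null;
  // Country fields per the Attribute Mapping table: c/co alphabetic, countryCode numeric.
  dst.c = src.Alpha2WorkCountry;
  dst.co = src.Alpha3WorkCountry;
  dst.countryCode = Number(src.Numeric3WorkCountry);
  dst.st = src.WorkRegion;
  // Terminated workers are created disabled rather than skipped, so that the
  // "Disable user in AD if worker employment status is terminated" option has an object to act on.
  dst.Disabled = src.Status === "Terminated";
  sc.trace("mapped " + dst.sAMAccountName + " -> " + dst.userPrincipalName);
  return dst;
}

// Constructed contingent worker: empty WorkdayUser, workday_id only in the report.
function sampleContingentWorker() {
  const sc = makeSyncContext(
    {
      WorkdayUser: "",
      EmployeeID: "C10042",
      FirstName: "Ada",
      LastName: "Lovelace",
      WorkEmail: "Ada.Lovelace@Example.com",
      Alpha2WorkCountry: "GB",
      Alpha3WorkCountry: "GBR",
      Numeric3WorkCountry: "826",
      WorkRegion: "London",
      Status: "Active",
    },
    { workday_id: "CW10042" }
  );
  return mapWorker(sc, "example.com"); // example.com is a placeholder UPN suffix
}
```

Once mapWorker behaves as intended here, its body can be transplanted into the Admin Portal script with sc.SourceUserRecord and sc.TargetUserRecord in place of the local aliases; the Test button then confirms that the live report actually returns the workday_id column.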

How to store domain administrative accounts

You can store Centrify Infrastructure Services or Active Directory domain administrative accounts in Centrify Identity Services for later use. For example, you can store a domain administrative account so that an administrator can log in to Admin Portal and synchronize user data from a specific system (such as Workday) to Active Directory. The stored account can be any user or service account that has domain or enterprise administrator permissions. Treat it accordingly: it is a tier-0 credential held by your tenant, so restrict the Admin Portal roles that can use it and rotate it on the same schedule as your other domain administrator accounts.

Prerequisites

You must meet the following requirements before you can store domain administrative accounts in Centrify Identity Services:
   Your tenant must have a Centrify Connector configured. See How to install a Centrify Connector.
   You must know the password of the account you are storing.

Storing domain administrative accounts

You store domain administrative accounts in Centrify Identity Services so that they can be used to perform high-privilege operations on the platform.

To store domain administrative accounts:
1. Log in to Admin Portal.
2. Click Settings > Users > Administrative Accounts. The Administrative Accounts page lists the Active Directory domains.
3. Select the domain that contains the account you want to store.

Only domains associated with an active Centrify Connector are displayed. The Actions drop-down list becomes available after you select a domain.
4. Select Set Administrative Account from the Actions drop-down list.
5. Select the source of the account (Privilege Service or Active Directory).
6. Click the Select button next to the Account text box to select the account.
7. Start typing the account name into the search box. Matching accounts are displayed.
8. Select the account you want to store.
9. Click Add. The account is displayed in the Administrative Account column.

Possible next steps

You might be interested in the following scenario: How to configure inbound provisioning

Configuring App Gateway

You can configure on-premise applications so that your users can securely access them from outside your corporate network. Today you can require a VPN connection for application access by applying an access policy to the application. VPN connections are relatively straightforward to set up for your entire network, but configuring them to allow or deny specific applications can be a lot of work. With App Gateway, you can configure applications for off-site access without requiring a VPN connection.

When users launch an application through a VPN connection, the connection travels an additional pathway, and with most VPN connections the user can reach most applications and servers on the corporate network whether they need to or not. Users who visit other corporate networks, such as sales teams visiting customers, may not be able to launch a VPN connection easily. And using VPN connections for off-site application access increases the traffic through your VPN tunnel.

For your users, the experience is simple: they enter the application URL and launch the application directly. In most cases, you will want to configure the application so that users use the same URL whether they are on the internal network or outside the corporate network.

For applications that use the App Gateway, the connection from the user travels the network pathways you already have: the Centrify Identity Platform connects to the Centrify Connector through the firewall, the Centrify Connector connects to your on-premise directory service, and your on-premise application uses your directory service for authentication and authorization.

App Gateway configuration workflow

Here is an overview of what you need to configure for App Gateway connections. (The workflow diagram from the original guide is not reproduced here.)

When you configure an application to use the App Gateway, you do not change anything in the application itself. In Admin Portal, you enable the application for App Gateway access and enter the existing URL that users open the application with. You then choose between an external URL that the Centrify Identity Platform generates for you and your existing internal URL. In most cases it works best to use the auto-generated URL for testing only, then switch to the existing URL for external App Gateway access once the application is in production.

If you use the same DNS name internally and externally, you must be able to create internal and external DNS entries that point to different things. For example:
   Internal zone: Host (A) record pointing to the application's internal IP address
   External zone: CNAME record pointing to <guid>-gw.gateway.centrify.com

Each choice has advantages and disadvantages:

Auto-generated external URL for App Gateway connections
   Advantages: Easy to configure and test. Excellent for test environments.
   Disadvantages: Existing links and bookmarks do not work outside the corporate network. Users must use different URLs depending on whether they access the application internally or externally.

Existing internal URL for App Gateway connections
   Advantages: Existing links and bookmarks work regardless of where the user logs in. Seamless user experience. Recommended for production environments.
   Disadvantages: More configuration: you must upload the URL's certificate and private key and edit your DNS settings.

Configuring an application to use the App Gateway

On the App Gateway page, you configure the application so that your users can access it whether they log in from an internal or an external location. For applications configured for the App Gateway, users do not need a VPN connection to access the application remotely.

Note: The App Gateway feature is a premium feature available only in the Centrify Identity Services App+ Edition. Contact your Centrify representative to have the feature enabled for your account.

Note: Not all applications are set up to use App Gateway. At this time, web applications may use HTTPS or HTTP, on either the standard port 443 or a non-standard port. IP addresses are only supported for on-premise apps and are not supported for external-facing apps.

To configure an application for external App Gateway connections
1. Make sure that your on-premise web application is accessible.
   Note: You can specify a URL that uses either HTTP or HTTPS. To specify a non-standard port, add :<port> after the hostname in the URL. Login URLs with IP addresses are not supported. If the application only speaks HTTP, the hop from the connector to the application carries the user's session in the clear on your internal network, so use HTTPS wherever the application supports it.
2. Install Centrify Connectors in your network. If they are already installed, make sure they are the current release (prior versions do not support App Gateway connections). If you use a cloud-based directory service, you do not need to install the Active Directory service components with the Centrify Connector.
3. Add, configure, and deploy the application. You can enable App Gateway access for any of the custom application types (bookmark, user-password, SAML, WS-Fed, and NTLM applications), and for a few other applications in the application catalog.

4. (Optional) In application settings, select Make this application available via the Internet. The Centrify Identity Platform verifies the application settings and displays the URL you provided in application settings as the internal URL for the application.
5. Specify the external URL that users open to access the application from external locations. You can use an existing URL or one that Centrify generates for you. If you use an existing external URL, links to the application do not need to change and continue to work as is; however, you must upload an SSL certificate and modify your DNS settings.
   To use your existing external URL, select Use this external URL for application access on or off the corporate network and do the following:
   a. Enter the existing URL. You can enter an internal or external URL here. Login URLs with IP addresses are not supported.
   b. Click Upload to browse to and upload the SSL certificate, with its private key, for the URL you entered. The certificate file has a .pfx or .p12 filename extension. This bundle contains the private key for your public hostname, so protect it like any other private key.
   To use the auto-generated URL, select Use this Centrify generated external URL for application access on or off the corporate network. You will later need to tell users to use the auto-generated URL or to open the application from the user portal.

   If you use the auto-generated URL, the option Rewrite generated external URL to internal URL in requests and responses found in Gateway Options is selected by default to improve compatibility with applications that utilize HTML redirects in the payload.

6. In Gateway Options, select Lock session to source IP address to require reauthentication if a user's source IP address changes during the App Gateway session. This option is not recommended for OWA, as it might cause authentication failures.

7. In Gateway Options, select Lock session to expiration of user to require reauthentication if a user's identity cookie expires during the App Gateway session. This option is not recommended for OWA, as it might cause authentication failures.

8. In Gateway Options, select Pass the requested URL to the application without decoding. This option passes the raw URL to the application, which is sometimes necessary for compatibility.

9. In Gateway Options, select Enable standard web proxy headers to set X-Forwarded-For (RFC-7239) and REMOTE_USER. This option allows you to use the App Gateway with network monitoring devices or additional reverse proxies. In addition, you can select either Client IP Address or Username as the value for the X-Forwarded-For header, depending on whether you want to monitor the header for specific IP ranges or users.

10. Select a connector to use with the application in the Centrify Connectors to use with this service section. Choose one of the following:

    Any available: Select this option to allow the Centrify Identity Services to randomly select one of the available connectors for your App Gateway configuration. Click Test Connection to make sure the connection between the connector and the application is successful.

    Choose: Select this option to specify one or more Centrify Connectors to use for your App Gateway configuration. If you select more than one connector, the Centrify Identity Services randomly chooses one of the selected connectors to use for the application. Once the configuration is saved, each future App Gateway request uses a random connector from those selected, as long as the connector is online.

    Once you select the connectors you want to use, click Test Connection to make sure the connection between the selected connectors and the application is successful. At least one connector must succeed in order to save the configuration.

    Note: If any of the Centrify Connectors are offline, they are not displayed in the list of available Centrify Connectors.

11. Click Save to save the App Gateway changes.

Note: If you configured the application to use an external URL, you need to edit your DNS settings to accommodate the App Gateway connection for this application. For more details, see Adding the CNAME record in your public DNS server.

Adding the CNAME record in your public DNS server

When you choose to use your existing external application URL, the Centrify Identity Platform displays the CNAME record that you need to enter in your public DNS server. This record creates an alias so that when users enter your existing URL (host name), they're redirected automatically to the internal application (by way of the canonical name).

After you upload the certificate, Admin Portal displays the CNAME record entry that you need to enter in your DNS settings.

a. In your domain's DNS settings, enter a CNAME record to map this URL to the application's gateway connection URL.

b. Afterwards, in the App Gateway settings, click Validate to ensure that the DNS settings are correct.
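The following is an added example, not code from Centrify or from the App Gateway itself. It shows, from the application's side, what the two security-relevant Gateway Options above amount to: how an application or monitoring device should interpret the X-Forwarded-For and REMOTE_USER headers that step 9 enables (only from the gateway, never from an arbitrary client), and what "Lock session to source IP address" (step 6) and "Lock session to expiration of user" (step 7) mean for an established session. The trusted proxy range, the header values and the session values are all constructed for illustration.

```python
"""Added example, not Centrify's code: handling App Gateway proxy headers
safely and modelling the two session-lock options. Proxy address ranges
and sample requests are constructed for illustration."""

import ipaddress
from dataclasses import dataclass

# Constructed: the address range of the gateway/connector hosts that are
# allowed to set proxy headers. Requests from anywhere else are treated as
# direct clients and their proxy headers are ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    """True when addr lies inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_request(peer_ip: str, headers: dict) -> str:
    """Address the application should treat as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    because any client can send the header itself. The list is then walked
    from the right (the entry appended by the last proxy) and the first
    address that is not one of our own proxies is the client. A value that
    is not an address (the gateway can be configured to send the user name
    instead of the client IP) falls back to the peer address.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # user-name mode or malformed header
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip  # header absent or contained only our own proxies


def remote_user_from_request(peer_ip: str, headers: dict):
    """REMOTE_USER is likewise trusted only when set by the gateway."""
    return headers.get("REMOTE_USER") if is_trusted_proxy(peer_ip) else None


@dataclass
class GatewaySession:
    user: str
    source_ip: str                        # client address at login
    identity_cookie_expires_at: float     # epoch seconds
    lock_to_source_ip: bool = True        # Gateway Option from step 6
    lock_to_user_expiration: bool = True  # Gateway Option from step 7


def needs_reauth(session: GatewaySession, request_ip: str, now: float) -> bool:
    """True when the enabled gateway options require the user to sign in again."""
    if session.lock_to_source_ip and request_ip != session.source_ip:
        return True
    if session.lock_to_user_expiration and now >= session.identity_cookie_expires_at:
        return True
    return False
```

The right-to-left walk matters when a monitoring device or second reverse proxy sits between the gateway and the application: the entries those hops append are trustworthy, while anything to the left of them may have been supplied by the client. The session model also makes the OWA caveat concrete: with the source-IP lock on, a client whose address changes mid-session is forced to reauthenticate.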

App Gateway Troubleshooting

Make sure that you have the latest version of Centrify Connector. See Updating the Centrify Connector to the latest version for more information.

Using App Gateway Diagnostics

App Gateway Diagnostics generates reports that help troubleshoot problems externally accessing applications through App Gateway. App Gateway Diagnostics records web traffic metadata for the application using App Gateway for 24 hours or until you stop the diagnostics session, whichever comes first. Diagnostic reports are generated when you stop the session.

To start an App Gateway Diagnostics session in Admin Portal:

1. Configure the application for external App Gateway connections. For more details, see Configuring an application to use the App Gateway.

2. On the App Gateway page for the application, click Start Diagnostics. A diagnostic session starts, indicated by the text Diagnostic session running....

3. Access the application through the App Gateway as you normally would. The diagnostic session records web traffic metadata for the application for 24 hours or until you stop the diagnostics session, whichever comes first.

4. On the App Gateway page, click Stop Diagnostics to stop the diagnostic session. Links to session reports for the most recent diagnostic session appear.

5. Click the links to view the selected report on the Reports page. The following reports are available:

   Pageloads_<appname><date time>
   The PageLoads report shows page load performance for any page in the application that a user tried to access through App Gateway during the diagnostic session.

   Urls_<appname><date time>
   The Urls report shows absolute links to application content where the hostname differs from the application's tunneled hostname. Any content appearing in this report indicates the application is not compatible with App Gateway. Include this report in any correspondence with Technical Support regarding application compatibility with App Gateway.

When viewing the report, use the options available in the Actions menu to distribute the reports for use in any correspondence with Technical Support regarding App Gateway connection issues. See Working with reports for more information about the Actions menu.

Note: All reports generated by App Gateway Diagnostics are available on the Core Services > Reports page in the Shared Reports > AppGateway folder. See Managing reports for more information about managing reports.
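The Urls report flags absolute links whose host differs from the tunneled host, because a browser following such a link leaves the gateway tunnel. The check can be reproduced locally against a saved page before running a 24-hour diagnostic session. The block below is an added example, not Centrify's report code: it scans the link-carrying attributes of an HTML body for absolute or protocol-relative URLs pointing at another host. The HTML sample and the host names in it are constructed.

```python
"""Added example, not Centrify's code: a local version of the check behind
the Urls diagnostic report. The sample HTML and host names are constructed."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser will fetch or navigate to
URL_ATTRS = {
    "a": ("href",), "link": ("href",), "script": ("src",),
    "img": ("src",), "form": ("action",), "iframe": ("src",),
}


class LinkCollector(HTMLParser):
    """Collect every URL-bearing attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.links.append(value)


def foreign_absolute_links(html: str, tunneled_host: str) -> list:
    """Links that name a host other than the tunneled one.

    Relative links stay inside the tunnel and are fine. Absolute http(s)
    links and protocol-relative links (//host/path) carry their own host,
    so any of those pointing elsewhere would bypass the gateway.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    foreign = []
    for link in parser.links:
        parts = urlsplit(link)
        if not parts.netloc or parts.scheme not in ("", "http", "https"):
            continue  # relative link, or a non-web scheme such as mailto:
        if (parts.hostname or "").lower() != tunneled_host.lower():
            foreign.append(link)
    return foreign


# Constructed page: an internal app on intranet.corp.example that also
# pulls a script from a CDN host and links to a legacy API host.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="//static.corp.example/app.js"></script>
</head><body>
<a href="/login">Sign in</a>
<a href="https://intranet.corp.example/app/main">Main</a>
<a href="https://legacy.corp.example/api/data">Legacy data</a>
<a href="mailto:help@corp.example">Help</a>
<img src="https://INTRANET.corp.example/logo.png">
</body></html>
"""


def sample_report() -> list:
    """Run the check over the constructed page."""
    return foreign_absolute_links(SAMPLE_HTML, "intranet.corp.example")


if __name__ == "__main__":
    for link in sample_report():
        print("bypasses the tunnel:", link)
```

Two of the five links in the sample are reported: the protocol-relative script source and the legacy API link. The same-host link written with an upper-case host is accepted because host names compare case-insensitively. Anything the function reports is a candidate for the page's "not compatible with App Gateway" finding and, where the application allows it, for rewriting to a relative or same-host link.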

Managing application access requests

In most cases, you give users access to applications by assigning them to one or more specific roles. You can also selectively define a request and approval work flow that gives specific users or members of specific roles the ability to approve or reject access requests for specific applications.

You can configure the request and approval work flow for any of the individual web applications for which you want to manage access requests. By defining a work flow, users can request access to an application and, if their request is approved, be added to a role with access privileges and see their new application available when they log on to the User Portal.

A designated approver might be a specific user or any member of a specific role. If you configure a role as an approver, the first member to respond to the request is given the authority to approve or reject the request.

Configuring a request and approval work flow

As a member of the sysadmin role or a role with the Role Management administrative right, you can configure roles for all other users. Initially, only the members of the sysadmin role have the ability to enable a request and approval work flow and can configure the work flow for selected applications, specify the users or roles with authority to approve access requests, and identify the role or roles to which users will be assigned if their request is approved.

At a high level, the steps involved in configuring a work flow are these:

- Create one or more roles that can enable a request and approval work flow.
- Create one or more roles that can approve access requests for the applications that have a request and approval work flow.
- Select an application and click User Access to select the role into which requesters who are approved will be placed.
- Click Workflow for the selected application to enable the work flow option.
- Select the user or role with authority to approve requests.

If the Requestor's Manager is the only approver in the approver list and the user has no manager, the request will be approved. If this is not desirable, verify that your users have a manager (refer to Adding Centrify Directory users for more information) or add other users or roles to the approver list.

Creating roles for work flow administration

The first few steps in configuring the request and approval work flow are optional and involve creating one or more roles for users who are allowed to define a request and approval work flow for applications and the roles that can approve access requests. These steps are optional because you can choose to only allow members of the sysadmin role to be the users permitted to configure a work flow, and members of the sysadmin role can assign approval authority to individual users without creating any approval roles. In most cases, however, creating roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval.

If you don't create any intermediary roles with the appropriate administrative rights to enable a work flow, only members of the sysadmin role will be able to configure any request and approval work flow you might want to implement. In most cases, if you are configuring a request and approval work flow for applications, you should create at least one role for users who are allowed to add, modify, or remove applications and who have permission to change which roles are assigned to specific applications. If you don't create a role with the Application Management and Role Management rights, only members of the sysadmin role can configure the request and approval work flow for applications.

To configure roles that can enable a work flow

1. Log in to Admin Portal.
2. Click Core Services > Roles.
3. Click Add Role or select an existing role to display the role details. If you are creating a new role, you must provide at least a unique name for the role.
4. Click Members, then click Add.
5. Type a search string to search for and select users and groups for this role.
6. Click Administrative Rights, then click Add.
7. Select the appropriate rights, then click Add.

   For example, if you are creating a role with permission to enable a work flow for access to applications, select Application Management and Role Management. You can select any additional rights you want included in this role, but you must select at least one of the required administrative rights.

8. Click Save to save the role.

Creating roles for approvers

You can assign approval authority to individual users. However, in most cases, creating approver roles for different sets of users provides greater flexibility and helps to reduce the number of requests left pending an approval. If you don't create any intermediary roles with the appropriate administrative rights to approve access requests, only members of the sysadmin role will be able to approve access requests.

You can follow the same steps described in Creating roles for work flow administration to create roles for approvers. Keep in mind that if you are creating a role with permission to approve access requests for applications, you should include the Application Management and Role Management rights. You can select any additional rights you want included in this role.

Requesting access to an application

Any user who has an account in the Centrify Identity Services can request access to applications that the administrator has configured with a request and approval work flow. No special privileges are required to make requests or approve requests.

To request access to an application

1. Log on to the Centrify user portal.
2. Click the Apps tab, if needed.
3. Click Add Apps.
4. Type a search string to find the application of interest in the catalog, then click Request. Only applications that have a request and approval work flow configured display a Request button.
5. Type the business reason for requesting access to the application, then click Yes to continue.
6. Click Close to close the App Catalog.

An email notification of your request is sent directly to the designated approver, and a Requests tab will be visible the next time you go to the User Portal. You can click the Requests tab to see the status of your request. You will also receive an email notification when your request is approved or rejected. If your request was approved, the email will include a link to open the User Portal.

Viewing request status and history

You will only see the Requests tab if you have made a request or approved a request. After you have made or responded to at least one request, you can click the Requests tab to view the status of requests and the history of request activity. Depending on your role, you might click the Requests tab from Admin Portal, Centrify Infrastructure Services, or the user portal to see the status of your own pending requests, the requests awaiting your approval, or the results of request activity.

Regardless of the entry point for viewing the Requests tab, the list of requests includes the following information:

Description provides a brief summary of the request indicating the type of access or application requested.

Status displays the current status of the request as Pending, Approved, Rejected, or Failed. You can review the request details to see the reason the request failed. For example, a request might fail if the email address for the approver or requester is invalid. A failed request might also indicate that the time allowed for taking the requested action has expired. For example, assume the request was for permission to use the root account to log on to a resource and the request was approved with a duration of 60 minutes. If the requester did not log on within 60 minutes of the request approval, the request status will display Failed.

Posted displays the date and time of the most recent activity for each request.

Approver displays the user or role designated for approving access requests if the approval is pending, or the specific user who approved or rejected the request if the request has been resolved.

Requester displays the user who submitted the request.

Latest Log Entry displays the most recent information recorded for the request.

Viewing request details

You will only see the Requests tab if you have made a request or approved a request. After you have made or responded to at least one request, you can click the Requests tab to view the status of requests and the history of request activity. Depending on your role, you might click the Requests tab from Admin Portal, Centrify Infrastructure Services, or the user portal to see the status of your own pending requests, the requests awaiting your approval, or the results of request activity. You can then select any request displayed on the Requests tab to see request details. If you are an approver, you can also go directly to Request Details by clicking the link in the email notifying you of the request.

Regardless of the entry point for viewing request details, the request information table displays details appropriate for the current state of the request. For example, you might see the following information:

Posted displays the date and time of the most recent activity for each request.

Description provides a brief summary of the request indicating the type of access or application requested.

Requester displays the user who submitted the request.

Requester's Reason displays the business reason provided by the user who submitted the request.

Approver displays the user or role designated for approving access requests if the approval is pending, or the specific user who approved or rejected the request if the request has been resolved.

Status displays the current status of the request as Pending, Approved, Rejected, or Failed. Depending on the status of the request, you might see the reason the request was rejected or the reason why the request failed.

Responding to application access requests

There are no special privileges required to respond to requests. Anyone with access to the identity service can be designated as an approver.

If you have been designated as an approver for application access requests, you will receive email notification when others request access. You can click the View Application Request link in the email to view the request details. If you are authorized to approve the request and the request is still pending a response, the Request Details displays the options to Approve or Reject the request.

Click Approve to approve the request and add the requester to the role selected for user access when the request and approval work flow was configured. If you click OK to continue with the approval, the request details are updated with the date and time the request was resolved and the approved status.

Click Reject to reject the request and type the reason you are rejecting the request. If you click OK to continue with the rejection, the request details are updated with the reason the request was rejected, the date and time the request was resolved, and the rejected status.

After you respond to the request, the Requests tab is also updated with the latest activity, and email is sent to the requester as notification of your response to the request.

Configuring Workflow

As a member of the sysadmin role or a role with Application Management and Role Management administrative rights, you can configure a request and approval workflow for any application. For more information, see Managing application access requests.

Note: The Workflow feature is a premium feature and is available only in the Centrify Identity Services App+ Edition. Please contact your Centrify representative to have the feature enabled for your account.

To configure workflow for applications

1. In Admin Portal, click the Apps tab, then select a specific application for which you want to configure a request and approval workflow.

2. Click User Access.

3. Select one or more of the potential roles that a requester might be placed into to access the application you are configuring, then click Save. For example, you might have an application that only users in a Sales role or a Support role normally access. Through the request and approval workflow, you can allow users in other roles to request access to the selected application. If the request is approved, the approver decides which role should apply and the requester is added to that role.

4. Click Workflow, then select Enable workflow for this application.

5. Click Add and select an Approver Type from the list.

6. Click Add again to finish adding the approver type to the list.

7. If you want to have more than one approval before access to the app is granted, repeat the previous two steps. Adding steps can be repeated as many times as desired to reflect the required steps in your approval process.

   Note: When multiple approval steps are added, approval is needed from all listed approvers before access is granted. A rejection at any level results in the request being rejected. If the requester's manager is not known, the request proceeds to the next step as though it had been approved. The next approver in the list is notified that the manager was not known, and therefore there has not yet been any approval or rejection of the request.

   Note: The first approver is the only one who can choose which role the user is added to.

   Note: If the manager is the first approver and the requester does not have a manager, the requester will be placed into the first role in the role list if the app request is approved.

8. In the Requestor Assignable Roles area, select one or more roles from the list of roles with access to the application. The roles you select determine the roles available to the approver to choose from at approval time. For example, if you selected the Sales and Support roles in Configuring Workflow, you can make both of these roles available for a requester to be assigned if the access request for the application is approved. The approver can then decide which role to add the user to when responding to the request.

   Note: Upon approval, users will have access to any applications already assigned to that role. Create a dedicated role for this application if you do not want users to gain access to additional applications.

9. Click Save.

After you have configured the workflow for an application, users can request access to the application through the User Portal.
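The notes in steps 7 and 8 describe several rules that interact: every listed approver must approve in order, a rejection at any step ends the request, only the first approver picks the role, and a Requestor's Manager step with no known manager passes as if approved (which, when that step is first, places the requester into the first role in the list). The model below is an added example, not Centrify's workflow code, that encodes exactly those rules so the edge cases can be traced. Users, roles, manager relationships and requests are constructed.

```python
"""Added example, not Centrify's code: a small model of the multi-step
request and approval workflow, including the no-manager edge cases the
guide calls out. Users, roles and requests are constructed."""

from dataclasses import dataclass, field

MANAGER = "Requestor's Manager"  # approver type resolved per requester


@dataclass
class Request:
    requester: str
    app: str
    steps: list              # approver list in order: user names, role names, or MANAGER
    assignable_roles: list   # Requestor Assignable Roles, in list order
    status: str = "Pending"  # Pending, Approved or Rejected
    step_index: int = 0      # index of the step awaiting a response
    chosen_role: str = None  # set by the first approver (or defaulted)
    log: list = field(default_factory=list)


class Workflow:
    def __init__(self, managers: dict, role_members: dict):
        self.managers = managers          # requester -> manager user name
        self.role_members = role_members  # role name -> set of member user names

    def approver_for_step(self, req: Request):
        """User or role expected to act on the current step; None when the
        step is the requester's manager and no manager is known."""
        step = req.steps[req.step_index]
        return self.managers.get(req.requester) if step == MANAGER else step

    def submit(self, req: Request) -> str:
        req.log.append(f"{req.requester} requested access to {req.app}")
        self._skip_unknown_managers(req)
        return req.status

    def respond(self, req: Request, approver: str, approve: bool, role: str = None) -> str:
        if req.status != "Pending":
            raise ValueError("request already resolved")
        expected = self.approver_for_step(req)
        # A named user must match; for a role, the first member to respond acts
        allowed = approver == expected or approver in self.role_members.get(expected, set())
        if not allowed:
            raise PermissionError(f"{approver} may not act on step {req.step_index + 1}")
        if not approve:
            req.status = "Rejected"  # a rejection at any level ends the request
            req.log.append(f"rejected by {approver}")
            return req.status
        if req.step_index == 0:
            # Only the first approver chooses the role, from the assignable list
            if role not in req.assignable_roles:
                raise ValueError("the first approver must choose an assignable role")
            req.chosen_role = role
        req.log.append(f"approved by {approver}")
        req.step_index += 1
        self._skip_unknown_managers(req)
        return req.status

    def _skip_unknown_managers(self, req: Request) -> None:
        """Manager steps with no known manager proceed as though approved."""
        while req.step_index < len(req.steps) and self.approver_for_step(req) is None:
            req.log.append(f"step {req.step_index + 1}: manager not known, proceeding as approved")
            if req.step_index == 0:
                req.chosen_role = req.assignable_roles[0]  # nobody chose, so first role applies
            req.step_index += 1
        if req.step_index >= len(req.steps):
            req.status = "Approved"
            self.role_members.setdefault(req.chosen_role, set()).add(req.requester)
```

Submitting a request whose only approver is the requester's unknown manager resolves it immediately as Approved, with the requester placed into the first assignable role; that is the behaviour the guide warns about, and the reason to verify that users have managers or to add a second approver. A dedicated role per application, as the note under step 8 suggests, keeps such an approval from granting access to other applications that share the role.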


More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites SAML 2.0 SSO Agiloft integrates with a variety of SAML authentication providers, or Identity Providers (IdPs). SAML-based SSO is a leading method for providing federated access to multiple applications

More information

Add OKTA as an Identity Provider in EAA

Add OKTA as an Identity Provider in EAA Add OKTA as an Identity Provider in EAA Log in to Akamai Luna control center with administrative privileges. Select the correct contract which is provisioned for Enterprise Application Access (EAA). In

More information

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29 Oracle Access Manager Configuration Guide 16 R1 March 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 8 Installing Oracle HTTP Server...

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE MARCH 2019 PRINTED 28 MARCH 2019 CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE VMware Workspace ONE Table of Contents Overview Introduction Audience AD FS

More information

Configuration Guide - Single-Sign On for OneDesk

Configuration Guide - Single-Sign On for OneDesk Configuration Guide - Single-Sign On for OneDesk Introduction Single Sign On (SSO) is a user authentication process that allows a user to access different services and applications across IT systems and

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager BoxNet Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

ForeScout Extended Module for VMware AirWatch MDM

ForeScout Extended Module for VMware AirWatch MDM ForeScout Extended Module for VMware AirWatch MDM Version 1.7.2 Table of Contents About the AirWatch MDM Integration... 4 Additional AirWatch Documentation... 4 About this Module... 4 How it Works... 5

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

RSA SecurID Access SAML Configuration for Samanage

RSA SecurID Access SAML Configuration for Samanage RSA SecurID Access SAML Configuration for Samanage Last Modified: July 19, 2016 Samanage, an enterprise service-desk and IT asset-management provider, has its headquarters in Cary, North Carolina. The

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Custom App Wrapping for ios... 4 Native App Caching: Android...4 Native App

More information

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE AUGUST 2018 PRINTED 4 MARCH 2019 INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE Table of Contents Overview Introduction Purpose Audience Integrating Okta with VMware

More information

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4 About This Document 3 Overview 3 System Requirements 3 Installation & Setup 4 Step By Step Instructions 5 1. Login to Admin Console 6 2. Show Node Structure 7 3. Create SSO Node 8 4. Create SAML IdP 10

More information

Okta Integration Guide for Web Access Management with F5 BIG-IP

Okta Integration Guide for Web Access Management with F5 BIG-IP Okta Integration Guide for Web Access Management with F5 BIG-IP Contents Introduction... 3 Publishing SAMPLE Web Application VIA F5 BIG-IP... 5 Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP...

More information

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager Syncplicity Cloud Connector Guide McAfee Cloud Identity Manager version 3.1 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

Identity Implementation Guide

Identity Implementation Guide Identity Implementation Guide Version 42.0, Spring 18 @salesforcedocs Last updated: February 13, 2018 Copyright 2000 2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

Configuring Alfresco Cloud with ADFS 3.0

Configuring Alfresco Cloud with ADFS 3.0 Configuring Alfresco Cloud with ADFS 3.0 Prerequisites: You have a working domain on your Windows Server 2012 and successfully installed ADFS. For these instructions, I created: alfresco.me as a domain

More information

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief Qualys provides its customers the option to use SAML 2.0 Single SignOn (SSO) authentication with their Qualys subscription. When implemented, Qualys

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Oracle Access Manager Configuration Guide

Oracle Access Manager Configuration Guide Oracle Access Manager Configuration Guide 16 R2 September 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

More information

Salesforce External Identity Implementation Guide

Salesforce External Identity Implementation Guide Salesforce External Identity Implementation Guide Salesforce, Summer 17 @salesforcedocs Last updated: September 28, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered

More information

Centrify for Google G Suite Deployment Guide

Centrify for Google G Suite Deployment Guide CENTRIFY DEPLOYMENT GUIDE Centrify for Google G Suite Deployment Guide Abstract Centrify protects against the leading point of attack used in data breaches compromised credentials. Centrify Application

More information

Salesforce External Identity Implementation Guide

Salesforce External Identity Implementation Guide Salesforce External Identity Implementation Guide Salesforce, Winter 18 @salesforcedocs Last updated: December 20, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered

More information

Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10

Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10 Cloud Service Administrator's Guide 15 R2 March 2016 Contents Using the Primavera Cloud Service Administrator's Guide... 9 Web Browser Setup Tasks... 10 Configuring Settings for Microsoft Internet Explorer...

More information

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Table of Contents Lab Overview - HOL-1857-03-UEM - Workspace ONE UEM with App & Access Management... 2 Lab Guidance... 3 Module 1 - Workspace

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Identity Implementation Guide

Identity Implementation Guide Identity Implementation Guide Version 39.0, Spring 17 @salesforcedocs Last updated: March 14, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of

More information

Liferay Security Features Overview. How Liferay Approaches Security

Liferay Security Features Overview. How Liferay Approaches Security Liferay Security Features Overview How Liferay Approaches Security Table of Contents Executive Summary.......................................... 1 Transport Security............................................

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Identity Provider for SAP Single Sign-On and SAP Identity Management

Identity Provider for SAP Single Sign-On and SAP Identity Management Implementation Guide Document Version: 1.0 2017-05-15 PUBLIC Identity Provider for SAP Single Sign-On and SAP Identity Management Content 1....4 1.1 What is SAML 2.0.... 5 SSO with SAML 2.0.... 6 SLO with

More information

The Centrify browser extension

The Centrify browser extension The Centrify browser extension The Centrify Browser Extension provides a method of adding user-password and other custom applications. The Centrify Identity Services browser extension is a free add-on

More information

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Webthority can provide single sign-on to web applications using one of the following authentication methods: Webthority HOW TO Configure Web Single Sign-On Webthority can provide single sign-on to web applications using one of the following authentication methods: HTTP authentication (for example Kerberos, NTLM,

More information

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) IBM InfoSphere Information Server IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM) Installation and Configuration Guide Copyright International

More information

Identity Implementation Guide

Identity Implementation Guide Identity Implementation Guide Version 41.0, Winter 18 @salesforcedocs Last updated: November 22, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps

VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps AirWatch v9.1 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support

More information

All about SAML End-to-end Tableau and OKTA integration

All about SAML End-to-end Tableau and OKTA integration Welcome # T C 1 8 All about SAML End-to-end Tableau and OKTA integration Abhishek Singh Senior Manager, Regional Delivery Tableau Abhishek Singh Senior Manager Regional Delivery asingh@tableau.com Agenda

More information

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure Deployment Guide v1.0 May 2018 Introduction This document describes how to set up Pulse Connect Secure for SP-initiated

More information

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Utilities Opower Solution Extension Partner SSO Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright

More information

SecureAuth IdP Realm Guide

SecureAuth IdP Realm Guide SecureAuth IdP Realm Guide What is a Realm? A realm is a configured workflow that leads end-users to a target resource (application, IdM page, certificate enrollment page, etc.). Each SecureAuth IdP realm

More information

ForeScout Extended Module for MobileIron

ForeScout Extended Module for MobileIron Version 1.8 Table of Contents About MobileIron Integration... 4 Additional MobileIron Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

Yubico with Centrify for Mac - Deployment Guide

Yubico with Centrify for Mac - Deployment Guide CENTRIFY DEPLOYMENT GUIDE Yubico with Centrify for Mac - Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component

More information

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of

More information

Salesforce1 Mobile Security White Paper. Revised: April 2014

Salesforce1 Mobile Security White Paper. Revised: April 2014 Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing

More information

Samsung SDS IAM & EMM. Release Note

Samsung SDS IAM & EMM. Release Note Samsung SDS IAM & EMM Release Note Version: 18.3 Published: April 2018 Copyright 2018 Samsung SDS Co., Ltd. All rights reserved. Samsung SDS Co., Ltd. has complete trust in the information contained in

More information

Sophos Mobile Control Administrator guide. Product version: 5.1

Sophos Mobile Control Administrator guide. Product version: 5.1 Sophos Mobile Control Administrator guide Product version: 5.1 Document date: June 2015 Contents 1 About Sophos Mobile Control...5 1.1 Sophos Mobile Control on premise and as a Service...5 1.2 About this

More information

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA Contacting Leostream Leostream Corporation http://www.leostream.com 271 Waverley Oaks Rd. Telephone: +1 781 890 2019 Suite 206 Waltham, MA 02452 USA To submit an enhancement request, email features@leostream.com.

More information

Single Sign-On for PCF. User's Guide

Single Sign-On for PCF. User's Guide Single Sign-On for PCF Version 1.2 User's Guide 2018 Pivotal Software, Inc. Table of Contents Table of Contents Single Sign-On Overview Installation Getting Started with Single Sign-On Manage Service Plans

More information

FAQ. General Information: Online Support:

FAQ. General Information: Online Support: FAQ General Information: info@cionsystems.com Online Support: support@cionsystems.com CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com Phone:

More information

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement AppController 2.6 2014-03-18 13:21:56 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents AppController 2.6... 6 About This Release... 8 Getting Started...

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch AirWatch v9.3 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE APRIL 2019 PRINTED 17 APRIL 2019 MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE Table of Contents Overview Introduction Audience Getting Started with Android

More information

ClearPass. Onboard and Cloud Identity Providers. Configuration Guide. Onboard and Cloud Identity Providers. Configuration Guide

ClearPass. Onboard and Cloud Identity Providers. Configuration Guide. Onboard and Cloud Identity Providers. Configuration Guide Configuration Guide Onboard and Cloud Identity Providers Configuration Guide Onboard and Cloud Identity Providers ClearPass Onboard and Cloud Identity Providers - Configuration Guide 1 Onboard and Cloud

More information

Cloud Secure Integration with ADFS. Deployment Guide

Cloud Secure Integration with ADFS. Deployment Guide Cloud Secure Integration with ADFS Deployment Guide Product Release 8.3R3 Document Revisions 1.0 Published Date October 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 http://www.pulsesecure.net

More information

Sophos Mobile super administrator guide. Product version: 7.1

Sophos Mobile super administrator guide. Product version: 7.1 Sophos Mobile super administrator guide Product version: 7.1 Contents 1 About this guide...4 1.1 Document conventions...4 2 Super administrator...5 2.1 Super administrator tasks...5 2.2 Super administrator

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Workday Deployment Guide Version 4.0

Workday Deployment Guide Version 4.0 Workday Deployment Guide Version 4.0 Deployment Guide Overview SAML Configuration Workday Driven IT Provisioning Overview Basic Provisioning Configuration Workday Provisioning Groups Real Time Sync Attribute

More information