Cyber Risk Aware supports the OIDC federation protocol for SSO integration with Centrify. The configuration is broken into two steps:


  1. Register Application in your Centrify administration portal.
  2. Update Authentication Settings in your Cyber Risk Aware portal.



Register Application in Centrify Admin Portal




The first step is to register the Cyber Risk Aware application within your Centrify portal. This generates an application ID and allows your application to receive security tokens. When the Cyber Risk Aware application presents the generated application ID during the authentication flow, Centrify establishes trust by issuing the authenticated security token to Cyber Risk Aware so that login can proceed. The steps involved in registering the application are listed below:

  • Sign in to your Centrify admin portal.
  • Within the main navigation, select Web Apps



  • Click the button Add Web Apps
  • Click the Custom tab and select the Add button next to OpenID Connect


  • Click yes to create the application.
  • Give the application a name such as CRA


  • Select the trust tab. In this tab, make note of the Client ID, Client Secret and Issuer URL. These fields will be needed when configuring the application on the Cyber Risk Aware portal.
  • Still within the trust tab, add the Resource Application URL: https://{your-company-name}.cyberriskaware.com
  • Still within the trust tab, add the Authorized Redirect URIs:
    • https://{your-company-name}.cyberriskaware.com
    • https://{your-company-name}.cyberriskaware.com/auth/osignedin
  • Click Save
  • Within the tokens tab, overwrite the script content with the script below.



/* SCRIPT START*/
setIssuer(Issuer);

// Claims "email" & "email_verified" will only be set
// if "email" is specified in scope.
var email = LoginUser.Email;
setClaim('email', email);
setClaim('name', email);
setClaim('preferred_username', email);
setClaim('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', email);
setClaim('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', email);
// Script End


  • Click Save
  • To give users in your Centrify directory access to the Cyber Risk Aware application, navigate to roles and select the roles you wish to give access to. We will use Everyone in this example.



  • Select the role, and select Assigned applications. Assign the CRA application to the role and click save.
  • Navigate back to the application registration in the Web Apps tab. Select the CRA application and then the permissions tab. 
  • Check the Grant checkbox next to the role and click Save. This completes the registration on the Centrify portal.


Configuration on Cyber Risk Aware


The last step is to add the minimal configuration needed to your Cyber Risk Aware portal.  


  • Log in to your Cyber Risk Aware portal as an administrative user.
  • From the menu on the left, select Configuration and then Authentication Settings



  • From the Authentication Type drop-down, select OpenID.



  • For each of the fields, provide the values:
    • Post logout redirect URI : https://{your domain name}.cyberriskaware.com/auth/osignedin
    • Redirect URI: https://{your domain name}.cyberriskaware.com/auth/osignedin
    • Authority: Your Issuer URI from the Centrify admin portal.
    • Client Id: The Client ID value from the Centrify application registration. See above.
    • Client Secret: The Client Secret value from the Centrify application registration. See above.
    • Domain Hint: your-domain.com
    • Username Claim: This will default to preferred_username but can be updated to a claim of your choosing, for example the UPN claim would be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  • Click Save



This concludes the setup. Please note that it may take one day for the changes to take effect.
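A pre-flight check for the settings above, as an added example that is not part of Cyber Risk Aware's or Centrify's tooling: it compares the portal fields with the Centrify registration and with the claims of a sample ID token, flagging an Authority that differs from the token issuer, an unregistered Redirect URI, or a Username Claim (such as the UPN claim) that the token script never sets. The function names, tenant name, issuer URL and client ID are assumptions made for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json

def decode_claims(id_token):
    """Return a JWT's payload WITHOUT verifying the signature (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_sso_settings(settings, authorized_redirect_uris, claims):
    """List mismatches between portal settings, IdP registration and token claims."""
    problems = []
    # OIDC compares the issuer as an exact string, so a trailing slash matters.
    if claims.get("iss") != settings["authority"]:
        problems.append("Authority does not match token issuer %r" % claims.get("iss"))
    aud = claims.get("aud")
    if settings["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("Client Id is not in the token audience")
    if settings["redirect_uri"] not in authorized_redirect_uris:
        problems.append("Redirect URI is not an Authorized Redirect URI")
    if not claims.get(settings["username_claim"]):
        problems.append("Username Claim %r is not in the token" % settings["username_claim"])
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Constructed values: tenant name, issuer, client ID and user are placeholders.
BASE = "https://example-co.cyberriskaware.com"
AUTHORIZED = [BASE, BASE + "/auth/osignedin"]
SETTINGS = {
    "authority": "https://idp.example.com/CRA/",
    "client_id": "constructed-client-id",
    "redirect_uri": BASE + "/auth/osignedin",
    "username_claim": "preferred_username",
}
# Claims mirror what the token script above sets from LoginUser.Email.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://idp.example.com/CRA/",
    "aud": "constructed-client-id",
    "email": "user@example.com",
    "preferred_username": "user@example.com",
})
if __name__ == "__main__":
    for problem in check_sso_settings(SETTINGS, AUTHORIZED, decode_claims(SAMPLE_TOKEN)):
        print(problem)
```

An empty result means the four checked fields are consistent; to run it against a real login, pass the ID token captured from your own test sign-in to `decode_claims`.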