SSO: Centrify

This article describes how to configure Centrify as your workplace's single sign-on identity provider (IdP). This process involves making modifications to your Centrify environment as well as your digital workplace. Once complete, users of your digital workplace will be able to sign in to it using their Centrify credentials.

To follow this process, you must be able to add applications to your Centrify environment and be a workplace administrator in your digital workplace.

Sections in this article:

Configuring a Centrify single sign-on application

Follow these steps to configure a SAML app in your Centrify environment:

  1. In your Centrify portal, select Apps.
  2. Select Add Web Apps.

    The Add Web Apps button.

  3. Search for Igloo .
  4. Next to Igloo SAML, select Add.

    The Igloo Web App.

  5. Confirm this selection.

    The add app confirmation window.

  6. Enter the URL of your digital workplace as follows:
    • If your digital workplace is a subdomain of, enter the subdomain in the Your Subdomain on Igloo text box located on the Settings page. Save this change.

      The subdomain field.

    • If you digital workplace uses a custom URL, change the value of the Service URL located in the Custom Logic section of the SAML Response page. The Service URL should be your digital workplace URL with /saml.digest appended to it. For example: var ServiceUrl = '';. Save this change.
  7. Go to the app's SAML Response page.
  8. Add the following attributes:
    • FName - LoginUser.FirstName
    • LName - LoginUser.LastName
    • Email - LoginUser.Email

      The attributes sent in the SAML response.

  9. Go to the app's User Access page.
  10. Add the roles that represent users and groups that should have access to this application.

    The user access page.

  11. On the Account Mapping page, select the Directory Service Field and enter mail into the Directory Service field name text box.

    The Directory Service field name.

  12. Go to the app’s Trust page.
  13. Select Manual Configuration and copy the following following values to a safe location. These will be used to configure SSO in your digital workplace:
    • IdP Login URL
    • IdP Logout URL
    • Signing Certificate

      The Trust page.

Configuring your digital workplace's single sign-on

  1. Go to your digital workplace and sign in.
  2. Select  Control Panel.
  3. Under Membership, select Sign In Settings.
  4. Select Configure SAML Authentication.
  5. Configure the settings as described in the Configuration settings table below.
  6. Select Save.
Setting Description
Connection Name Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button.
IdP Login URL

Copy and paste the IdP Login URL URL from the Centrify set-up instructions into this field.

IdP Logout URL Copy and paste the IdP Logout URL from the Centrify configuration instructions into this field.
Logout Response and Request HTTP Type Select POST.
Logout Final Redirect URL Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage. 
Binding Type

Select POST.

Public Certificate

Copy and paste the Signing Certificate from the Centrify set-up instructions into this field. You will need to open the certificate file using a text editor.

Identity Provider

Select Centrify.

Identifier Type

Select Email Address.

Email Attribute

Enter Email.

First Name Attribute

Enter FName

Last Name Attribute

Enter LName

Drift Time

Enter 5.

User creation on Sign in

Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace.

Options include:

  • Create a new user in your site when they sign in (Users will be added to manage members on sign in)
  • Do not create new users when they sign in (Users not in manage members will be denied access)

When creating new users in your digital workplace this way, they will be created with the following details:

  • First Name (from First Name Path)
  • Last Name (from Last Name Path)
  • Email Address (from Email Path) 
  • CustomIdentifier (from Identifier Path if the Identifier Type is Custom Identifier) 
  • Membership to the All Members group.

If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.).

If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.

Sign in Settings

Select how users sign in to your workplace.

Options include:

  • Use SAML button on "Sign in" screen
  • Redirect all users to IdP

For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-in is working correctly.

Configuration settings