Centrify SSO

Centrify SSO is a cloud service that allows you to track ingress authentication events and produce documents for those events in order to protect against privileged access abuse.

At this time, InsightIDR only tracks password authentications through your Centrify data. After you complete the configuration, this event source fetches data every two minutes.

Before You Begin

To connect Centrify to InsightIDR, use an Admin account that has API permissions to query the redrock/query and /security endpoints. Read more about the Centrify API here: https://developer.centrify.com/reference

You must also gather the following information from your Centrify application:

  • TenantID
  • User
  • Password

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Centrify in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Centrify event source tile.
  4. Select your collector, and select Centrify from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  8. Select your Centrify credentials, or optionally create a new credential for the Admin account used for the Centrify API.
  9. In the “Tenant ID” field, enter the tenant ID for your Centrify appliance. For example, if your Centrify URL is tenantID.my.centrify.com, your tenant ID is tenantID.
  10. Configure your default domain.
  11. Click Save.
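
The two Account Attribution orders from step 7, modelled as an added example (this is not InsightIDR's own code). The event field names, the mode labels and the directory entries are constructed, and returning every account that shares a short name is an assumption made to expose a collision; the page does not say how InsightIDR handles one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    full_name: str

    @property
    def short_name(self) -> str:
        # Short name = local part of the email address, e.g. "jsmith".
        return self.email.split("@", 1)[0].lower()


# Constructed directory: two different people share the short name "jsmith".
DIRECTORY = [
    Account("jsmith@myorg.example.com", "John Smith"),
    Account("jsmith@lab.example.com", "Jane Smith"),
    Account("adoe@myorg.example.com", "Alex Doe"),
]


def attribute(event, mode, directory=DIRECTORY):
    """Return (step, matches) for an authentication event.

    mode is "short_name" or "fqdn" (hypothetical labels for the two options).
    step names the lookup that produced the match, or None if nothing matched.
    """
    if mode not in ("short_name", "fqdn"):
        raise ValueError(f"unknown attribution mode: {mode}")

    def field(key):
        # Missing or empty event fields never match anything.
        return (event.get(key) or "").strip().lower()

    # Both options try the email address first and the full name last.
    steps = [("email", lambda a: a.email.lower() == field("email"))]
    if mode == "short_name":
        # Only the short name option inserts this intermediate lookup.
        steps.append(("short_name", lambda a: a.short_name == field("user")))
    steps.append(("full_name", lambda a: a.full_name.lower() == field("name")))

    for step, matches_account in steps:
        matches = [a for a in directory if matches_account(a)]
        if matches:
            return step, matches  # more than one match means a collision
    return None, []
```

With the constructed event `{"user": "jsmith", "name": "Jane Smith"}`, the short name order stops at two candidate accounts, while the fully qualified order skips that lookup and resolves to a single account by first and last name.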