1Kosmos integrates with Centrify (now the Delinea Platform) as a SAML 2.0 identity provider, replacing password-based privileged access login with biometric authentication.
Integration type
Auth/IDP
Overview
Centrify, now operating as Delinea, provides privileged access management through the Delinea Platform and Delinea Secret Server. Both products support SAML 2.0 and OIDC for identity provider integration. This integration configures 1Kosmos as the SAML 2.0 identity provider for the Delinea Platform, allowing privileged users and administrators to authenticate biometrically through 1Kosmos before gaining access to vaulted credentials and managed sessions.
What we solve
Privileged access teams using Centrify/Delinea need to protect access to vaulted secrets and privileged sessions with stronger proof of user identity than passwords, reducing credential theft and unauthorized elevation. This integration configures 1Kosmos as the SAML 2.0 identity provider for the Delinea Platform/Secret Server so privileged users authenticate biometrically before accessing privileged resources.
The Delinea Platform supports both SP-initiated and IdP-initiated SSO. The SAML configuration is performed through the Delinea Platform admin console under federation or SSO settings. Secret Server has its own SAML configuration path under Administration → Configuration → SAML. Both can use the same 1Kosmos IdP configuration but require separate application entries in AdminX.
Users must exist in both the 1Kosmos directory and the Delinea product with matching email addresses before SSO can be tested.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Delinea Platform or Secret Server administrator access: Admin rights to configure federation and SSO settings in your Delinea deployment.
User accounts aligned: Users must exist in both 1Kosmos and the Delinea product with matching email addresses before testing.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Delinea:
| Field | Where to find it |
|---|---|
| SAML Metadata URL or XML | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Values to collect from Delinea (SP) for AdminX:
| Field | Where to find it |
|---|---|
| ACS URL | Delinea Platform federation settings or Secret Server SAML configuration page |
| SP Entity ID | Same settings page as the ACS URL |
| SP Login URL | Your Delinea Platform or Secret Server login URL, used as the Application Access URL in AdminX |
Integration steps
Step 1: Configure 1Kosmos as the IdP in the Delinea Platform
Log in to the Delinea Platform admin console and navigate to the federation or SSO settings. In most Delinea Platform deployments the path is Settings → Federation.
Select Add Identity Provider or the equivalent option to create a new SAML IdP entry.
Upload the 1Kosmos SAML metadata XML or manually enter the SSO URL, Entity ID, and signing certificate from AdminX.
Note the ACS URL and SP Entity ID generated or displayed by Delinea for use in AdminX.
Save the configuration.
Step 2: Add the Delinea product as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Delinea Platform" (or "Centrify") as the Application Name, set Instance to Production, and enter the Delinea login URL as the Application Access URL. Click Next.
Set the NameID Format to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` and NameID Value to `email`. Add claims mappings for `email` (Username), `firstname` (first_name), and `lastname` (last_name). Click Next.
Enter the Delinea SP Entity ID and ACS URL. Set Method to POST, enable Assertion signing, and click Save.
Step 3: For Delinea Secret Server (additional configuration)
If configuring Secret Server separately, log in to Secret Server and navigate to Administration → Configuration → SAML.
Enable SAML SSO and upload the 1Kosmos metadata or enter the IdP details manually.
Note the Secret Server ACS URL and Entity ID for a separate AdminX application entry following the same steps as Step 2, with "Delinea Secret Server" as the Application Name and the Secret Server login URL as the Application Access URL.
Step 4: Test the integration
Navigate to the Delinea Platform or Secret Server login URL.
Select the SSO login option. You will be redirected to the 1Kosmos login screen.
Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.
Confirm you are returned to Delinea as an authenticated user with the correct access entitlements.
Test with a single privileged user before enabling SSO for the broader user base.
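When the single-user test fails, comparing the decoded SAML response with the settings from Steps 1 and 2 usually shows which value is mismatched. The following is an added example, not 1Kosmos or Delinea code: it checks a decoded response for the ACS URL, SP Entity ID, emailAddress NameID format, a signed assertion and the mapped attributes. The `sp.example.test` URLs and the user are constructed, and the attribute names `first_name` and `last_name` on the wire are an assumption taken from the attribute mappings on this page.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, trimmed sample; hosts, user and empty ds:Signature are placeholders.
SAMPLE_RESPONSE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    xmlns:ds="{NS['ds']}" Destination="https://sp.example.test/saml/acs">
  <a:Assertion><ds:Signature/>
    <a:Subject><a:NameID Format="{EMAIL_FORMAT}">admin@example.test</a:NameID></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://sp.example.test/saml/sp</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="first_name"><a:AttributeValue>Ada</a:AttributeValue></a:Attribute>
      <a:Attribute Name="last_name"><a:AttributeValue>Admin</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""


def check_response(xml_text, sp_entity_id, acs_url,
                   attrs=("first_name", "last_name")):  # assumed wire names
    """Return mismatches against the SP settings; [] means the layout matches."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in the Response"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from the ACS URL")
    # Presence only; the SP performs the cryptographic signature check.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    audiences = {e.text for e in assertion.iterfind(".//a:Audience", NS)}
    if sp_entity_id not in audiences:
        problems.append("Audience lacks the SP Entity ID")
    sent = {e.get("Name") for e in assertion.iterfind(".//a:Attribute", NS)}
    missing = sorted(set(attrs) - sent)
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    return problems
```
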
Attribute mappings
| Source (1Kosmos) | Target (Delinea) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Primary identifier; must match the Delinea user account email |
| user.firstName | first_name | User first name |
| user.lastName | last_name | User last name |
Integration notes
Centrify rebranded to Delinea in 2022. The integration described here applies to the Delinea Platform (formerly Centrify Cloud) and Delinea Secret Server (formerly Centrify Privilege Manager / Thycotic Secret Server post-merger).
If your deployment still uses Centrify product branding, the federation configuration path and underlying SAML mechanics are the same.
Contact your Delinea representative or visit docs.delinea.com for the most current configuration screens if your console layout differs from what is described here.

