Skip to main content

CyberArk (SP-initiated) SAML integration

Updated 5/1/2023

This topic covers how to integrate the CyberArk Password Vault application in the SecureAuth® Identity Platform to securely allow the right user access to CyberArk applications in your organization.

Prerequisites

  • CyberArk Password Vault Server 9.2 or later

  • Identity Platform release 19.07 or later

  • Have a defined user login authentication policy in the Identity Platform

  • Have an integrated data store in the Identity Platform

Identity Platform configuration

In this section, you'll add an application for CyberArk Password Vault and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. On the left side of the Identity Platform page, click Application Manager.

    app_mgr_001_23_07.png

  2. Click Add an Application.

    The application template library page displays.

  3. From the list of application templates, search for and select CyberArk Password Vault.

    CyberArk_SAML_2.png

  4. On the Applications Details page, set the following configurations.

    Application Name

    Name is prefilled by default. You can optionally change the CyberArk Password Vault application name.

    The name displays in the Application Manager list and at the top of the Application Settings page.

    Application Description

    This is an internal description not shown to end users at login.

    Upload logo

    Optional. Click Upload to add a different logo for the CyberArk Password Vault application.

    Authentication Policy

    Select the login authentication policy for the CyberArk Password Vault application.

    Data Stores

    Enter the data stores to to authenticate and allow user access for the CyberArk Password Vault application.

    Start typing to bring up a list of data store names. You can enter more than one data store.

    Groups

    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to the CyberArk Password Vault application.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to the CyberArk Password Vault application.

    Tip

    Admins typically set it to Allow every group in your selected data stores access to this application.

    Otherwise, you could add specific user groups for user testing until making the switch over to more or all groups.

    Realm Number

    Optional. Select a different unused realm number to use for the CyberArk Password Vault application.

    CyberArk_SAML_3.png

  5. Click Continue.

    The Connection Settings page displays.

    CyberArk_SAML_5.png

  6. In the Configure Connection section, set the following configuration.

    Connection Type

    Set to SP Initiated – Starts the login process at the service provider / application, then redirects the user to the Identity Platform for authentication, and upon successful authentication, it finally asserts the user back to the application. The SAML specification allows for service providers to send authentication requests (AuthnRequest) to the Identity Platform either by HTTP Redirect or HTTP Post. The service provider configuration or metadata tells you what is used for the authentication request.

    And then set to one of the following:

    • By Redirect – Use HTTP Redirect binding to send the AuthnRequest with the signature related to the request.

    • By Post – Use HTTP Post binding to send the AuthnRequest with the embedded signature.

    Connection type

  7. In the User ID Mapping section, set the following configuration.

    User ID Profile Field

    Select the profile field in your data store that contains the CyberArk user IDs.

    For example, the CyberArk user ID field is mapped to Email 2 in the data store.

    Name ID Format

    Set to the unspecified format for sending the SAML response.

    cyberark_saml_001.png

  8. In the SAML Assertion section, set the following configurations.

    Upload Metadata

    If you have a preconfigured XML file with your SAML settings, select the Upload Metadata link at the bottom right of the page.

    Note

    To use the metadata upload feature, you must provide an issuer, map user ID values, and select a certificate to properly configure the connection.

    After the file is uploaded, review the prepopulated fields and make the necessary edits.

    IdP Issuer

    A unique name that must match exactly on the Identity Platform side and the CyberArk application side.

    This helps the CyberArk SAML application identify the Identity Platform as the SAML issuer.

    CyberArk Login URL

    The login URL to CyberArk Password Vault Server.

    For example, https://cyberark.company.com

    Assertion will be valid for

    Indicate in hours and minutes, how long the SAML assertion is valid. It is referred to as SAML NotOnOrAfter in the SAML Specifications.

    The default setting is one hour, but for more sensitive application resources, the recommended value is between one to five minutes.

    Offset Minutes

    Indicate in minutes to account for the time differences among devices. This is referred to as SAML NotBefore in the SAML Specifications.

    Recommended value is five minutes.

    IdP Signing Certificate

    Click Select Certificate, choose the IdP signing certificate to use, and then click Select to close the box.

    IdP Signing Certificate Serial Number

    When you select an IdP signing certificate, the serial number populates this field.

    Signing Algorithm

    The signing algorithm digitally signs the SAML assertion and response.

    Choose the signing algorithm – SHA1 or SHA2 (slightly stronger encryption hash and is not subject to the same vulnerabilities as SHA1).

    Sign SAML Assertion

    Enable signing of the SAML assertion to ensure assertion integrity when the assertion is delivered to the service provider (SP).

    Sign SAML Message

    Enable signing of the SAML message to ensure message integrity when the message is delivered to the service provider (SP).

    Encrypt SAML Assertion

    Enable encryption of the SAML assertion if only the service provider and the Identity Platform should understand the assertion. Next, select the data and key encryption methods:

    • Data Encryption Method – Select the algorithm of the data encryption method

    • Key Encryption Method – Select the type of key encryption method (symmetric or asymmetric)

    saml_app_007_20_06.png

  9. Click Add Application.

    After it saves the application, the Information for Service Providers page appears. You will need this information to complete the configurations on the CyberArk side.

    CyberArk_SAML_Info_for_SP.png

    This page contains information you will need to complete the CyberArk side of the configuration.

  10. To complete the integration and establish a working connection with SecureAuth, provide the following information as required on the CyberArk side as the service provider.

    Login URL, Logout URL, IdP Issuer

    Click Copy to Clipboard to copy the Identity Platform realm information and paste it in the corresponding field on the service provider user interface, as required.

    IdP Signing Certificate

    Download the IdP Signing Certificate.

    Download Metadata

    To download the metadata file:

    1. Click Download Metadata.

    2. Enter the Domain name to the Identity Platform appliance URL or IP address.

      For example, https://secureauth.company.com or https://111.222.33.44

      Metadata file download

    3. Click Download to get the configuration file.

    4. Upload the file to the service provider.

  11. Click Continue to Summary to review the application settings.

    CyberArk_SAML_Summary.png

  12. Click Back to Application Manager at the top of the page to find the CyberArk application added to the list.

CyberArk Password Vault configuration

In this section, you'll configure CyberArk Password Vault as a service provider (SP).

  1. Log in to the CyberArk Password Vault admin console, and click the wrench icon to open Administration.

    CyberArk1.png

  2. In the left navigation, expand Authentication Methods and select SAML.

  3. In the SAML Properties, set the following configurations.

    Enabled

    Set to Yes.

    LogoffUrl

    Set the LogoffURL to any preferred URL, such as the SecureAuth Identity Platform logoff page.

    For example, https://secureauth.company.com/secureauth2/restart.aspx or the company homepage.

    cyberark2.png

  4. Click Apply.

  5. In the left navigation, expand PIM Suite Configuration, right-click Access Restriction, and select Add AllowedReferrer.

    cyberark3.png

  6. Set the BaseUrl to the base URL of the IdentityProviderLoginURL.

    For example, if the IdentityProviderLoginURL is https://secureauth.company.com/secureauth2, then the BaseUrl would be https://secureauth.company.com.

  7. Click OK.

  8. Stop the CyberArk Password Vault Web Access by going to the command line and entering iisreset -stop.

  9. Go to the C:\inetpub\wwwroot\PasswordVault directory, find and back up the web.config file.

  10. Add the SAML configuration values in the CyberArk Password Vault web.config file in the <appsettings> section:

    <add key="IdentityProviderLoginURL" value="https://secureauth.company.com/SecureAuth1" />
<add key="IdentityProviderCertificate" value="<FULL CERT VALUE>" />
<add key="Issuer" value="UniqueName" />

    • Replace https://secureauth.company.com/SecureAuth1 with the actual Fully Qualified Domain Name (FQDN) of the SecureAuth Identity Platform instance and the CyberArk-integrated realm name.

    • Replace <FULL CERT VALUE> with the actual certificate value from the IdP Signing Certificate in the Identity Platform in Step 10.

      Warning

      The certificate value must be in base64 format and pasted as a single line.

    • Replace UniqueName with the actual IdP Issuer value set in the Identity Platform in Step 8.

  11. Save the web.config file.

  12. Start the CyberArk Password Vault Web Access by going to the command line and entering iisreset -start.

In this section: