Add applications
This topic describes how to add applications that users and vendors can access through Remote Access.
Overview
An application is what is provisioned to a vendor or user. The provisioned application provides access to the PVWA. You can set up multiple applications per site, as necessary.
Examples of when you might want to set up multiple applications:
- Applications that use different authentication methods (SAML, OpenID, or none).
- Different Vault environments (Production, Dev, Test, other).
Before you begin
Before you can add applications, make sure you have added at least one site.
Add applications
- Go to the Sites page and click Add application for the site you want to add an application to.
- Enter the following details:
Details
Description
Application name
The name of the application that users can access through this Remote Access tenant. This name appears on the application tile that end users access.
The authentication method that Remote Access uses to authenticate users to the PVWA.
Choose from the following options:
- SAML - Use the Remote Access service as a SAML identity provider (IDP) to authenticate users to the PVWA. For details, see Configure SAML authentication.
- OpenID - Enable Remote Access users to authenticate to applications via an OpenID identity layer. For details, see Configure OpenID authentication.
- None - Direct the user to the PVWA login page where they provide existing login credentials. This user must have credentials to an existing Vault account.
Internal URL
The URL within your network that Remote Access connects to when users authenticate. To enable users to connect to the PVWA, specify the PVWA URL using the following syntax: https://[PVWAADDRESS]
Ignore/Check Application Certificate
The Remote Access connector can validate the certificate received from the internal URLs before transmitting the session out through the secure tunnel. This is an optional setting.
For more information about certificate validation, see (Optional) Validate the certificate below.
External URL
The URL that is displayed to users. This contains the application name, alias name, and the Remote Access domain name.
The URL of an internal application.
To enable users to connect to target computers through the PSM HTML5 gateway, set the internal URL of the PSM HTML5 gateway using the following syntax: https://[PSMHTML5GWADDRESS]
CyberArk PAM - Self-Hosted user logon name (for company user access)
The internal property of the user account that identifies the user's Vault name in PAM - Self-Hosted.
By default for Privilege Cloud tenants, this is set to userprinciplename.
- (Optional) Validate the certificate.
You can verify that connections to the Internal Application (PVWA) and Nested Application (PSM HTML5 GW) are secured with a specific SSL certificate before a user session is passed out of the internal network via the secure Remote Access tunnel.
Certificate requirements
Each certificate must meet the following criteria:
- It must match the signing certificate of the intended application.
- It must be Base-64 encoded X.509 (.cer or .pem extension).
- It must be the Public CA or the root certificate that was used to sign the App/Nested App (PVWA/PSM HTML5GW) certificates.
Select or add a certificate
- Click Check application certificates and select the certificate to use.
OR
- Click Check application certificates then click Manage certificates > Add new certificate.
- Assign a meaningful name to this certificate and then click Upload certificate to open a browser window and select the relevant certificate.
Make sure that the correct certificate is selected in the Check application certificate or Check nested application certificate field, depending on which certificate you are currently setting.
- Click Add application to add the new application to the Remote Access portal.
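A pre-upload check for the certificate requirements listed under (Optional) Validate the certificate, added here as an example that is not part of the CyberArk documentation: it confirms that the candidate file is Base-64 (PEM) X.509, that it is a CA certificate, and that the application's certificate chains to it. The function names and exit codes are this example's own, and it assumes the openssl CLI (1.1.0 or later for -no-CApath).

```shell
#!/usr/bin/env bash
# Pre-upload checks for a "Check application certificate" candidate.
# Needs the openssl CLI; all file and host names are supplied by the caller.

# Base-64 (PEM) encoded X.509? The grep rejects DER-encoded .cer files,
# which some openssl versions would otherwise auto-detect and accept.
is_pem_x509() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# CA certificate (basicConstraints CA:TRUE) rather than a server certificate?
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Does app.pem chain to ca.pem? -no-CApath keeps the system CA directory
# out of the decision. Optional third argument: PEM bundle of intermediates.
verifies_against() {   # usage: verifies_against ca.pem app.pem [chain.pem]
    openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" \
        >/dev/null 2>&1
}

# Save the certificate a server presents (for example the PVWA) as PEM.
fetch_server_cert() {  # usage: fetch_server_cert host [port] > app.pem
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null \
        2>/dev/null | openssl x509 -outform PEM
}

# Exit status: 0 ok, 2 not PEM X.509, 3 not a CA, 4 app cert not issued under it.
check_upload_candidate() {  # usage: check_upload_candidate ca.pem app.pem [chain.pem]
    is_pem_x509 "$1" || { echo "not Base-64 encoded X.509: $1"; return 2; }
    is_ca_cert "$1" || { echo "not a CA certificate: $1"; return 3; }
    verifies_against "$1" "$2" "${3:-}" ||
        { echo "$2 does not chain to $1"; return 4; }
    echo "OK: $2 chains to $1"
}

# Run the full check when called with file arguments.
if [ "$#" -ge 2 ]; then check_upload_candidate "$@"; fi
```

Run it against the certificate served at the Internal URL (and again for the nested application URL) before selecting the file in the Check application certificate field.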
Test the connection to the PVWA
After you have defined a connection to a PVWA, you can check the connection with a Remote Access test user.
Initially, Remote Access assigns the AleroTestUser username to all tenant admin users. After you set your Active Directory credentials in the CyberArk Mobile app, the connection is tested with your company name.
- Log in to the CyberArk Digital Vault and create a user called AleroTestUser. Assign this user permissions in the Safes that users will access through the Remote Access portal, so that you can test the Remote Access connection.
- In the Remote Access portal, on the Applications page, click the More actions button on an application tile and then click Connect.
- Confirm the username and click Connect to be directed to the PVWA.
Admin actions for applications
The Applications page displays a list of all the applications that you can access through Remote Access and the number of sessions that were active during the last hour.
For each application, the admin can perform the following actions from the More actions menu on the application tile.
Action | Description |
---|---|
Connect | Open a username field and test the newly created connection to the application with the provided username. |
Invite Vendor | Open the Invite Vendor form. For more details, see Invite Vendors. |
Show configuration | Open the application-specific authentication information that is used to configure Remote Access for the PVWA application. For more information, see Configure authentication. |
Hide | Deactivate the application manually. Invited vendors will no longer be able to access the application. |