Configure CyberArk Identity SSO integration

This topic describes how to configure Remote Access integration with CyberArk Identity.

Overview

Users with this integration can utilize CyberArk Identity's authentication management features to reach privileged targets protected inside the CyberArk Vault, PVWA, and other elements of PAM - Self-Hosted.

On the Sites page, the sites that can be accessed through CyberArk Identity are marked with the CyberArk Identity icon.

Before you start

Contact your CyberArk account representative to enable Remote Access integration with CyberArk Identity. For details, see the CyberArk Identity documentation.

Before you begin

Before you can configure integration with CyberArk Identity, make sure your system meets the following requirements:

  • Upgrade all the Remote Access connectors in your system to at least 1.0.8901. For details, see Upgrade connectors.

  • Deactivate any other external IdP integrations.

Configure CyberArk Identity integration

  1. In the Remote Access portal, click Settings > User management sources, and select Identity SSO.

  2. Log onto the CyberArk Identity portal and find the following values, then copy them into the CyberArk Identity SSO integration settings in Remote Access:

    CyberArk Identity URL

      Enter the URL of the CyberArk Identity tenant. For example, aaa1234.id.cyberark.cloud.

      The URL can be found in the CyberArk Identity Admin Portal. Go to Settings > Customizations > Tenant URLs.

      You must use the CyberArk Identity URL with the tenant ID. Custom domains are not supported.

      To find the CyberArk Identity tenant ID, click the user icon in the top right-hand corner, then click About.

    CyberArk Identity username suffix

      Enter the login suffix selected for the Remote Access integration service user in the CyberArk Identity Admin Portal.

      Go to Core Services > Users, then search for alero-integration-user and verify the suffix.

      For more information about the login suffix, see Manage login suffixes.

    CyberArk Identity password

      The password for the Remote Access integration service user.

      To set the password, go to Core Services > Users, then right-click alero-integration-user and select Set password.

  3. Click Apply to connect to the tenant through CyberArk Identity.

    When you link your Remote Access and CyberArk Identity tenants, some of your data is shared between the tenants. If you have previously selected a different data center for the two tenants, this results in data being transferred from one region to another.

  4. Click Proceed to continue.

    When the tenant is connected successfully, the following details appear below the settings:

    Company name

      The name of the company whose Remote Access system has been integrated with CyberArk Identity.

    Tenant URL

      The URL of the tenant in CyberArk Identity.

    Region

      The data center where this tenant was created.

    Status

      Whether or not all Remote Access users and applications are synchronized with CyberArk Identity.
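The URL and suffix rules in step 2 are easy to get wrong when values are pasted from the Admin Portal (a full https:// URL, a trailing slash, or a custom domain). The following pre-flight check is an added example, not CyberArk code; it assumes the tenant host has the form <tenant-id>.id.cyberark.cloud as in the page's example and that the service user name is alero-integration-user.

```python
import re
from urllib.parse import urlparse

# Assumption (not from CyberArk docs): a tenant-ID host is
# <tenant-id>.id.cyberark.cloud, e.g. aaa1234.id.cyberark.cloud.
TENANT_HOST_RE = re.compile(r"^(?P<tenant>[a-z0-9-]+)\.id\.cyberark\.cloud$")
SERVICE_USER = "alero-integration-user"  # name used on the page


def normalize_tenant_url(value: str) -> str:
    """Reduce whatever was copied from Tenant URLs to the bare tenant host.

    Accepts 'aaa1234.id.cyberark.cloud', 'https://aaa1234.id.cyberark.cloud/'
    or a URL with a path; rejects custom domains, which are not supported.
    """
    raw = value.strip()
    # urlparse only splits out a host when a scheme or '//' prefix is present.
    parsed = urlparse(raw if "://" in raw else f"//{raw}")
    host = (parsed.hostname or "").lower()
    if not TENANT_HOST_RE.match(host):
        raise ValueError(f"{host!r} is not a tenant-ID URL; custom domains are not supported")
    return host


def is_tenant_url(value: str) -> bool:
    """Boolean form of normalize_tenant_url for quick checks."""
    try:
        normalize_tenant_url(value)
        return True
    except ValueError:
        return False


def service_user_login(suffix: str) -> str:
    """Build the full login name of the integration service user from its suffix."""
    suffix = suffix.strip().lstrip("@").lower()
    if not re.fullmatch(r"[a-z0-9.-]+", suffix):
        raise ValueError(f"invalid login suffix {suffix!r}")
    return f"{SERVICE_USER}@{suffix}"


def preflight(tenant_url: str, suffix: str, password: str) -> dict:
    """Validate the three Identity SSO settings and return the normalized values."""
    if not password:
        raise ValueError("service user password must not be empty")
    return {"tenant_host": normalize_tenant_url(tenant_url),
            "login": service_user_login(suffix)}
```

Run preflight() on the three values before clicking Apply; a ValueError points at the field that needs correcting.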

Manually synchronize with CyberArk Identity

Remote Access automatically synchronizes users and applications with CyberArk Identity, without any human intervention. However, if users or applications are found to be out of sync, you can initiate a manual synchronization.

  • In the Remote Access portal, at the bottom of the Settings - CyberArk Identity page, click Manual sync.

Set enforcement

You can enforce that users log in only via CyberArk Identity SSO. When this setting is disabled, users can log in via CyberArk Identity SSO or by scanning a QR code.

Set user credentials re-authentication

You can set a time interval for when users need to re-authenticate their user credentials.

Default is set to every 30 days.

Vendor access to CyberArk Identity web applications

When activated, this setting enables an option in the Invite vendor form that allows access to web applications protected by CyberArk Identity SSO and Secure Web Sessions.

To allow specific vendors to access CyberArk Identity applications, go to the Vendors invitation form.

Access the CyberArk Identity portal

As an administrator, you can access the CyberArk Identity portal directly from the Remote Access portal.

  • In the Remote Access portal, click the Remote Access name at the top of the menu, then click the CyberArk Identity icon.