Configure authentication

This topic describes the authentication methods you can configure for accessing applications from Remote Access.

Configure SAML authentication

PVWA uses the Remote Access service as a SAML identity provider (IDP), so that user authentication from Remote Access is accepted by PVWA.

Configure OpenID authentication

PVWA enables organizations to authenticate users to the Enterprise Password Vault. This authentication module supports authentication via an OpenID identity layer for Remote Access users.


OpenID authentication from Remote Access is supported on PVWA v11.2 or later.

Configure OpenID with Remote Access

You can configure OpenID authentication on the Applications page.

  1. When you create a new application, set OpenID as the authentication method. For more details, see Add applications.

  2. In the application tile, click the More actions button and select Show configuration.

Select PVWA version 11.6 and later, and follow the configuration instructions.

When you complete the configuration, select the checkbox to verify that the configuration script ran successfully, and click Finish.

If you are using PVWA v14.0 or higher already configured with OpenID, you need to replace the OpenID configuration with this configuration.

Select PVWA version 11.5 and earlier.

The application configuration displays the OpenID configuration parameters that you need to copy and paste into a Vault account, and then reference in the PVWA web.config file to configure Remote Access as the OpenID provider, as described below.

Step 1: Configure PVWA access

  1. Log in to the PVWA server via RDP with an administrative account.

  2. Navigate to the PVWA directory. By default, this is C:\inetpub\wwwroot\PasswordVault.

  3. Open the web.config file with a text editor, for example Notepad.

  4. Under the <appSettings> section, add the following items at the bottom (taken from the Remote Access configuration parameters shown above):

    <add key="OpenIDAleroMode" value="ImplicitFlow" />
    <add key="OpenIDAleroIdentityProviderClientId" value="CLIENT_ID" />
    <add key="OpenIDAleroIdentityProviderAuthorizationEndpointURL" value="URL" />
    <add key="OpenIDAleroIdentityProviderIssuer" value="ISSUER" />
    <add key="OpenIDAleroIdentityProviderKeys" value="KEYS" />

  5. Under the <modules> section, add the following item above CyberArkGatewayModule:

    <add name="OpenIDAleroAuth" type="Cyberark.Extensions.OpenId.Alero.OpenIdAuthentication, Cyberark.Extensions.OpenId.Alero" preCondition="managedHandler" />

  6. In the <runtime> section, in the <dependentAssembly> for the Newtonsoft.Json <assemblyIdentity>, set the <bindingRedirect>:

    <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="11.0.0.0" />

    Overwrite any previous Newtonsoft.Json entry.

  7. Save the changes.

Step 2: Install the OpenID Remote Access Authentication Module

  1. Download the OpenId.RemoteAccess zip file and unpack it. This package enables Remote Access to use OpenID to authenticate users to PVWA.

    • For PVWA 11.2 - 11.5: Use DLL v1.2 from the .zip.

  2. From the OpenId.RemoteAccess.zip package, copy the Cyberark.Extensions.OpenId.Alero.dll into the following locations on the PVWA machine:

    • C:\inetpub\wwwroot\PasswordVault\Bin

    • C:\inetpub\wwwroot\PasswordVault\CustomAuthenticationDlls

    If the CustomAuthenticationDlls folder doesn't exist, create it now.
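The following PowerShell script is an added example, not CyberArk's own tooling. It applies the Step 1 web.config edits and the Step 2 DLL copy described above in one pass, takes a timestamped backup first, is safe to re-run, and checks that both DLL copies are byte-identical. It assumes the default PVWA directory from Step 1, that the <modules> section sits under <system.webServer>, and that the Newtonsoft.Json <dependentAssembly> uses the standard asm.v1 assembly-binding namespace. $PackageDir (where you unpacked OpenId.RemoteAccess.zip, using the DLL version that matches your PVWA) and the CLIENT_ID, URL, ISSUER and KEYS placeholders are assumptions that you replace with the values from the application's Show configuration view.

```powershell
# Added example (not CyberArk's script): performs Step 1 (web.config) and Step 2 (DLL copy).
# Run in an elevated PowerShell session on the PVWA server after reviewing the parameters.
param(
    [string]$PvwaRoot   = 'C:\inetpub\wwwroot\PasswordVault',  # default PVWA directory (Step 1.2)
    [string]$PackageDir = 'C:\Temp\OpenId.RemoteAccess',        # assumption: unpacked zip location
    [string]$ClientId   = 'CLIENT_ID',                          # placeholders: paste the values shown in
    [string]$AuthUrl    = 'URL',                                # the application's Show configuration view
    [string]$Issuer     = 'ISSUER',
    [string]$Keys       = 'KEYS'
)

$webConfig = Join-Path $PvwaRoot 'web.config'
if (-not (Test-Path -LiteralPath $webConfig)) { throw "web.config not found at $webConfig" }

# Keep a timestamped backup so the change can be reverted.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $webConfig -Destination $backup
Write-Host "Backup written to $backup"

[xml]$xml = Get-Content -LiteralPath $webConfig -Raw

# --- Step 1.4: appSettings keys (added if missing, updated if present, so the script is re-runnable) ---
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw '<appSettings> section not found' }
$settings = [ordered]@{
    'OpenIDAleroMode'                                     = 'ImplicitFlow'
    'OpenIDAleroIdentityProviderClientId'                 = $ClientId
    'OpenIDAleroIdentityProviderAuthorizationEndpointURL' = $AuthUrl
    'OpenIDAleroIdentityProviderIssuer'                   = $Issuer
    'OpenIDAleroIdentityProviderKeys'                     = $Keys
}
foreach ($k in $settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$k']")
    if (-not $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $k)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $settings[$k])
}

# --- Step 1.5: module entry inserted directly above CyberArkGatewayModule ---
$modules = $xml.SelectSingleNode('/configuration/system.webServer/modules')  # assumption: IIS modules live here
if (-not $modules) { throw '<modules> section not found under <system.webServer>' }
if (-not $modules.SelectSingleNode("add[@name='OpenIDAleroAuth']")) {
    $gateway = $modules.SelectSingleNode("add[@name='CyberArkGatewayModule']")
    if (-not $gateway) { throw 'CyberArkGatewayModule entry not found in <modules>' }
    $mod = $xml.CreateElement('add')
    $mod.SetAttribute('name', 'OpenIDAleroAuth')
    $mod.SetAttribute('type', 'Cyberark.Extensions.OpenId.Alero.OpenIdAuthentication, Cyberark.Extensions.OpenId.Alero')
    $mod.SetAttribute('preCondition', 'managedHandler')
    [void]$modules.InsertBefore($mod, $gateway)
}

# --- Step 1.6: Newtonsoft.Json binding redirect (assemblyBinding uses the asm.v1 namespace) ---
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
$xpath = "/configuration/runtime/asm:assemblyBinding/asm:dependentAssembly" +
         "[asm:assemblyIdentity/@name='Newtonsoft.Json']/asm:bindingRedirect"
$redirect = $xml.SelectSingleNode($xpath, $ns)
if (-not $redirect) { throw 'No <bindingRedirect> for Newtonsoft.Json found in <runtime>' }
$redirect.SetAttribute('oldVersion', '0.0.0.0-12.0.0.0')
$redirect.SetAttribute('newVersion', '11.0.0.0')

$xml.Save($webConfig)
Write-Host 'web.config updated'

# --- Step 2: copy the module DLL into Bin and CustomAuthenticationDlls (creating the latter if needed) ---
$dll = Join-Path $PackageDir 'Cyberark.Extensions.OpenId.Alero.dll'
if (-not (Test-Path -LiteralPath $dll)) { throw "DLL not found at $dll (unpack OpenId.RemoteAccess.zip there first)" }
$expected = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
foreach ($dir in @('Bin', 'CustomAuthenticationDlls')) {
    $target = Join-Path $PvwaRoot $dir
    if (-not (Test-Path -LiteralPath $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    Copy-Item -LiteralPath $dll -Destination $target -Force
    # Verification: the copied file must match the source byte for byte.
    $copied = Join-Path $target 'Cyberark.Extensions.OpenId.Alero.dll'
    $actual = (Get-FileHash -LiteralPath $copied -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch for $copied" }
    Write-Host "OK: $copied ($actual)"
}
```

The script fails closed: if any expected section (appSettings, modules, the Newtonsoft.Json dependentAssembly, the gateway module entry) is missing it throws before saving, and the backup lets you restore web.config if IIS rejects the edited file.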

Step 3: Add an additional authentication method to PVWA

  1. Log in to PVWA via HTTPS as an administrative user, and go to ADMINISTRATION > Configuration Options > Options > Authentication Methods > Methods > saml and set the following properties:

    Property      Value
    Id            openid
                  This value is case-sensitive and must be all lowercase. Note that this value is not taken from the DLL file name.
    DisplayName   OpenID Remote Access
    Enabled       Yes
    LogoffUrl     US: https://auth.alero.io/auth/realms/users/protocol/openid-connect/logout
                  EU: https://auth.alero.eu/auth/realms/users/protocol/openid-connect/logout

  2. Click Apply and then OK to save the changes.

Troubleshooting

The Remote Access OpenID authentication module writes information in the following log files on the PVWA server:

  • C:\Windows\Temp\PVWA\CyberArk.WebApplication.log

  • C:\Windows\Temp\PVWA\CyberArk.WebSession.<session>.log