Configure authentication

This topic describes the authentication methods you can configure for accessing applications from Remote Access.

Configure SAML authentication

PVWA uses the Remote Access service as a SAML identity provider (IDP), so that user authentication from Remote Access is accepted by PVWA.

You can configure SAML authentication on the Applications page.

  1. When you create a new application, set SAML as the authentication method. For more details, see Add applications.

  2. In the application tile, click the More actions button and select Show configuration.

    The application configuration displays the SAML configuration parameters that you need to configure Remote Access as a SAML IdP for PVWA. Display the configuration for your version of PVWA.

This procedure describes how to configure SAML authentication forPVWA v11.3 or later.

  1. On the PVWA machine, copy saml.config.template from C:\inetpub\wwwroot\PasswordVault\saml.config.template and rename it to saml.config.

  2. Open the new saml.config file, and add the information that you displayed in Remote Access > Show configuration.

    For example:

     

    <?xml version="1.0" encoding="UTF-8"?> <SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration"> <ServiceProvider Name="11ea943261bb6d07996f092e4e0da096.App.Saml" Description="PasswordVault Service Provider"/> <PartnerIdentityProviders> <PartnerIdentityProvider Name="https://auth.alero.io/auth/realms/users" SingleSignOnServiceUrl="https://auth.alero.io/auth/realms/users/protocol/saml"> <PartnerCertificates> <Certificate String="MIICmTCCAYECBgFoI5DDezANBg8+qW4L2NvxlSiJav7EqX00wknK2TuXwj1g7uBMi03g9N95"/> </PartnerCertificates> </PartnerIdentityProvider> </PartnerIdentityProviders> </SAMLConfiguration>

  3. Save the saml.config file and close it.

  4. In PVWA, go to ADMINISTRATION > Configuration options > Options > Authentication Methods > Methods > saml and set the following property:

    Parameter

    Description

    Enable

    Set this value to Yes.
  5. Click Apply and then OK to save the changes.

  6. This step is relevant if you have upgraded to PVWA v11.3 or later, and you are migrating manually from the previous SAML integration (PVWA v11.2 or earlier).

    In the PasswordVault installation folder, open the web.config file and, in the appSettings tag, check if the UseNewSAMLSolution parameter is listed and is set to yes.

     

    <appsettings>
    <add key="UseNewSAMLSolution" value="Yes" />
    </appsettings>

  7. Save the web.config file and close it.

For more information, see SAML authentication in the latest PAM - Self-Hosted docs.

SAML authentication for PVWA is configured in the Password Vault web.config file, which contains the configuration parameters for PVWA web application.

  1. In the PasswordVault installation folder, open the web.config file. The full default path is C:\inetpub\wwwroot\PasswordVault\web.config.

  2. In the appSettings tag, add the information that you displayed in Remote Access > Show configuration.

    For example:

     

    <add key="Issuer" value="11e9fbc3a165ac1ba2148f8008b54781.App.Saml"/> <add key="IdentityProviderLoginURL" value="https://auth.alero.io/auth/realms/users/protocol/saml"/> <add key="IdentityProviderCertificate" value="MIIEmTCCAoECBgFtbPOtDzANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAV1c2VyczAeFw0x="/>
    <add key="UseNewSAMLSolution" value="no" />

  3. In PVWA, go to ADMINISTRATION > Configuration options > Options > Authentication Methods > Methods > saml and set the following property:

    Parameter

    Description

    Enable

    Set this value to Yes.
  4. Click Apply and then OK to save the changes.

Configure OpenID authentication

PVWA enables organizations to authenticate users to the Enterprise Password Vault. This authentication module supports authentication via an OpenID identity layer for Remote Access users.

 

OpenID authentication from Remote Access is supported on PVWA v11.2 or later.

Configure OpenID with Remote Access

You can configure OpenID authentication on the Applications page.

  1. When you create a new application, set OpenID as the authentication method. For more details, see Add applications.

  2. In the application tile, click the More actions button and select Show configuration.

Select PVWA version 11.6 and later, and follow the configuration instructions.

When you complete the configuration, select the checkbox to verify that the configuration script ran successfully, and click Finish.

If you are using PVWA v14.0 or higher already configured with OpenID, you need to replace the OpenID configuration with this configuration.

Select PVWA version 11.5 and earlier.

The application configuration displays the OpenID configuration parameters that you need to copy and paste into a Vault account, and then reference in the PVWA web.config file to configure Remote Access as the OpenID provider, as described below.

Step 1: Configure PVWA access

  1. Log in to the PVWA server via RDP with an administrative account.

  2. Navigate to the PVWA directory. By default, this is C:\inetpub\wwwroot\PasswordVault.

  3. Open the web.config file with a text editor. For example, Notepad.

  4. Under the <appSettings> section, add the following items at the bottom (taken from the Remote Access configuration parameters shown above):

      
    <add key="OpenIDAleroMode" value="ImplicitFlow" />

<add key="OpenIDAleroIdentityProviderClientId" value="CLIENT_ID" />

<add key="OpenIDAleroIdentityProviderAuthorizationEndpointURL" value="URL" />

<add key="OpenIDAleroIdentityProviderIssuer" value="ISSUER" />

<add key="OpenIDAleroIdentityProviderKeys" value="KEYS" />

  5. Under the <modules> section, add the following item above CyberArkGatewayModule:

      
    <add name="OpenIDAleroAuth" type="Cyberark.Extensions.OpenId.Alero.OpenIdAuthentication, Cyberark.Extensions.OpenId.Alero" preCondition="managedHandler" />

  6. In the <runtime> section, in the <dependentAssembly> for the Newtonsoft.json <assemblyIdentity>, set the <bindingRedirect>:

      
    <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="11.0.0.0" />

    Overwrite any previous Newtonsoft.json entry.

  7. Save the changes.

Step 2: Install the OpenID Remote Access Authentication Module

  1. Download the OpenId.RemoteAccess zip file and unpack it. This package enables Remote Access to use OpenID to authenticate users to PVWA.

    • For PVWA 11.2 - 11.5: Use DLL v1.2 from the .zip.

  2. From the OpenId.RemoteAccess.zip package, copy the Cyberark.Extensions.OpenId.Alero.dll into the following locations on the PVWA machine:

    • C:\inetpub\wwwroot\PasswordVault\Bin

    • C:\inetpub\wwwroot\PasswordVault\CustomAuthenticationDlls

    If the CustomAuthenticationDlls folder doesn't exist, create it now.

Step 3: Add an additional authentication method to PVWA

  1. Log in to PVWA via HTTPS as an administrative user, and go to ADMINISTRATION > Configuration Options > Options > Authentication Methods > Methods > saml and set the following properties:

    Property

    Value

    Id

    openid

    This value is case-sensitive and must be all lowercase. Note that this value is not taken from the DLL file name.

    DisplayName

    OpenID Remote Access

    Enabled

    Yes

    LogoffUrl

    US: https://auth.alero.io/auth/realms/users/protocol/openid-connect/logout

    EU: https://auth.alero.eu/auth/realms/users/protocol/openid-connect/logout

  2. Click Apply and then OK to save the changes.

Troubleshooting

The Remote Access OpenID authentication module writes information in the following log files on the PVWA server:

  • C:\Windows\Temp\PVWA\CyberArk.WebApplication.log

  • C:\Windows\Temp\PVWA\CyberArk.WebSession.<session>.log