Add applications

This topic describes how to add applications that users and vendors can access through Remote Access.


An application is what is provisioned to a vendor or user. The provisioned application provides access to the PVWA. You can set up multiple applications per site, as necessary.

Examples of when you might want to set up multiple applications:

  • Applications that use different authentication methods (SAML, OpenID, or none).

  • Different Vault environments (Production, Dev, Test, other).

Before you begin

Before you can add applications, make sure you have added at least one site and installed a connector.

Add applications

  1. Go to the Sites page and click Add application for the site you want to add an application to.

  2. Enter the following details:



    Application name

    The name of the application that users can access through this Remote Access tenant. This name appears on the application tile end users will access.

    Authentication method

    The authentication method that Remote Access uses to authenticate users to the PVWA.

    Choose from the following options:

    • SAML - Use the Remote Access service as a SAML identity provider (IDP) to authenticate users to the PVWA. For details, see Configure SAML authentication.

    • OpenID - Enable Remote Access users to authenticate to applications via an OpenID identity layer. For details, see Configure OpenID authentication.

    • None - Direct the user to the PVWA login page where they provide existing login credentials. This user must have credentials to an existing Vault account.

    Internal URL

    The URL within your network that Remote Access connects to when users authenticate. To enable users to connect to the PVWA, specify the PVWA URL using the following syntax: https://[PVWAADDRESS]

    Ignore/Check Application Certificate

    The Remote Access connector can validate the certificate received from the internal URLs before transmitting the session out through the secure tunnel. This is an optional setting.

    For more information about certificate validation, see (Optional) Validate the certificate below.

    External URL

    The URL that is displayed to users. This contains the application name, alias name, and the Remote Access domain name.

    Add nested URL

    The URL of an internal application.

    To enable users to connect to target computers through the PSM HTML5 gateway, set the internal URL of the PSM HTML5 gateway using the following syntax: https://[PSMHTML5GWADDRESS]

    CyberArk PAM - Self-Hosted user logon name (for company user access)

    The internal property of the user account that identifies the user's Vault name in PAM - Self-Hosted.

    By default for Privilege Cloud tenants, this is set to userprinciplename.

    By default for PAM - Self-Hosted on-prem tenants, this is set to sAMAccountName.

  3. (Optional) Validate the certificate.

    You can verify that connections to the Internal Application (PVWA) and Nested Application (PSM HTML5 GW) are secured with a specific SSL certificate before a user session is passed out of the internal network via the secure Remote Access tunnel.

  4. Click Add application to add the new application to the Remote Access portal.
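
The kind of check that step 3 describes, as an added example (not CyberArk code, and not a description of how the connector implements validation): compare the SHA-256 fingerprint of the certificate an internal URL presents against the one you expect before trusting the connection. The function names, the fingerprint-pinning approach, and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def certificate_matches(der_cert: bytes, expected: str) -> bool:
    """True only if the presented certificate is exactly the expected one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_fingerprint(expected))


def fetch_leaf_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the fingerprint comparison is the trust decision
    ctx.verify_mode = ssl.CERT_NONE  # so a private-CA or self-signed cert can be read
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates, so the comparison runs offline.
EXPECTED_CERT = b"constructed-der-bytes-for-the-pvwa-certificate"
OTHER_CERT = b"constructed-der-bytes-for-a-different-certificate"
# Colon-separated uppercase form, as certificate viewers commonly display it.
EXPECTED_FP = ":".join(f"{b:02X}" for b in hashlib.sha256(EXPECTED_CERT).digest())

if __name__ == "__main__":
    print("expected certificate accepted:", certificate_matches(EXPECTED_CERT, EXPECTED_FP))
    print("other certificate accepted:", certificate_matches(OTHER_CERT, EXPECTED_FP))
```

Against a live host, pass the result of `fetch_leaf_certificate` for the PVWA or PSM HTML5 gateway address to `certificate_matches`, using a fingerprint obtained out of band from the server's administrator.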

Test the connection to the PVWA

After you have defined a connection to a PVWA, you can check the connection with a Remote Access test user.

Initially, Remote Access assigns the AleroTestUser username to all tenant admin users. After you set your Active Directory credentials in the CyberArk Mobile app, the connection is tested with your company name.

  1. Log in to the CyberArk Digital Vault and create a user called AleroTestUser. Assign this user permissions in the Safes that users will access through the Remote Access portal, so that you can test the Remote Access connection.

  2. In the Remote Access portal, on the Applications page, click the More actions button on an application tile and then click Connect.

  3. Confirm the username and click Connect to be directed to the PVWA.

Admin actions for applications

The Applications page displays a list of all the applications that you can access through Remote Access and the number of sessions that were active during the last hour.

For each application, the admin can perform the following actions from the More actions menu on the application tile.




Open a username field and test the newly created connection to the application with the provided username.

Invite Vendor

Open the Invite Vendor form. For more details, see Invite Vendors.

Show configuration

Open the application-specific authentication information that is used to configure Remote Access for the PVWA application. For more information, see Configure authentication.


Deactivate the application manually. Invited vendors will no longer be able to access the application.