Configure external Identity Provider integration

This topic describes how to configure Remote Access integration with an external Identity Provider.

Overview

Remote Access can integrate with external identity providers that use the SAML protocol, so that company users can continue to access their applications via your organization's existing SSO while also accessing PAM - Self-Hosted via Remote Access.

Before you begin

Before you can configure an external identity provider (IdP), your system must meet the following requirements:

  • Check that integration with CyberArk Identity is disabled. For more information, see Configure CyberArk Identity SSO integration.

  • Upgrade all the Remote Access connectors in your system to at least 1.0.8901. For details, see Upgrade connectors.

Enable/disable IdP integration

By default, the external IdP integration is enabled as soon as you set and save the external Identity Provider configuration.

To disable the external Identity Provider integration:

  1. In the Remote Access portal, click Settings > User management sources, and select External IdP.

  2. Set the Enable integration toggle to off. Users cannot authenticate to Remote Access via the external IdP until you enable it again.

Configure service provider properties

This section describes the service provider properties that you configure in the external identity provider and in Remote Access.

Step 1: Enter the required Remote Access settings in the external IdP

Use one of these methods to copy the properties that you need to configure in the external IdP: download the XML file, or copy the details manually.

The XML file contains all the URLs and settings that are required to integrate Remote Access with the external IdP.

  1. Copy or download the XML files.

  2. Set the following user attributes & claims:

     Property            Value
     sAMAccountName      sAMAccountName
     emailaddress        Email Address
     objectidentifier    Object ID

Copy the following details into the relevant fields in the external IdP configuration page.

  URL type                      Details
  Audience (Identity ID)        Depending on the IdP, this may also be known as the Audience URI.
  Assertion Consumer Service    Depending on the IdP, this may also be known as the Single Service Sign-On URL.

Set the following SAML properties:

  Property                              Value
  Name ID                               UserPrincipalName
                                        This setting defines the identifier that the external IdP passes to Remote Access to identify the user.
  Signed Authentication Request         False
  Signed Assertion                      True
  Encrypted Assertion                   False
  HTTP-POST Binding Response            True
  HTTP-POST Binding for AuthnRequest    True

Set the following user attributes & claims:

  Property            Value
  sAMAccountName      sAMAccountName
  emailaddress        Email address
  objectidentifier    Object ID
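The property and claim tables above describe what a SAML response from the external IdP must look like before Remote Access can identify the user: an unencrypted but signed assertion, a NameID, the Remote Access audience, and the three required attributes. The following Python script is an added example, not CyberArk code, that runs these structural checks over a constructed SAML response so an administrator can see which of the table settings the IdP is actually honouring. It parses the XML only; it does not verify the XML signature cryptographically (that is the job of the service provider, and needs an xmlsec-capable library). The hostnames, IDs and attribute values in the sample are invented, and the rule that a claim name such as `http://.../claims/emailaddress` is matched by its last path segment is an assumption made for the example.

```python
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Attribute names from the user attributes & claims table on this page.
REQUIRED_ATTRIBUTES = ("sAMAccountName", "emailaddress", "objectidentifier")

# Constructed sample response: all hostnames, IDs and values are invented.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" xmlns:ds="{NS_DS}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://ra.example.test/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="objectidentifier">
        <saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text: str, expected_audience: str) -> dict:
    """Structural pre-check of a SAML response against the settings table.

    Returns a dict of findings; it does not validate the signature itself.
    For untrusted input in production, parse with a hardened XML parser.
    """
    root = ET.fromstring(xml_text)
    result = {
        "assertion_present": False,
        "assertion_encrypted": root.find(f".//{{{NS_SAML}}}EncryptedAssertion") is not None,
        "assertion_signed": False,
        "name_id": None,
        "audience_ok": False,
        "missing_attributes": list(REQUIRED_ATTRIBUTES),
    }
    assertion = root.find(f"{{{NS_SAML}}}Assertion")
    if assertion is None:
        return result
    result["assertion_present"] = True
    # "Signed Assertion: True" means the ds:Signature must sit inside the assertion.
    result["assertion_signed"] = assertion.find(f"{{{NS_DS}}}Signature") is not None
    nid = assertion.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    if nid is not None and nid.text:
        result["name_id"] = nid.text.strip()
    audiences = [a.text.strip() for a in assertion.iter(f"{{{NS_SAML}}}Audience") if a.text]
    result["audience_ok"] = expected_audience in audiences
    # Assumption: a claim URI such as .../claims/emailaddress is matched by its
    # last path segment, so both short and URI-style attribute names count.
    present = {(a.get("Name") or "").rsplit("/", 1)[-1] for a in assertion.iter(f"{{{NS_SAML}}}Attribute")}
    result["missing_attributes"] = [n for n in REQUIRED_ATTRIBUTES if n not in present]
    return result


def meets_requirements(result: dict) -> bool:
    """True when every setting from the tables is satisfied."""
    return (result["assertion_present"] and result["assertion_signed"]
            and not result["assertion_encrypted"] and result["name_id"] is not None
            and result["audience_ok"] and not result["missing_attributes"])


if __name__ == "__main__":
    findings = check_response(SAMPLE_RESPONSE, "https://ra.example.test/saml/metadata")
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("meets requirements:", meets_requirements(findings))
```

Run it against a SAML response captured from the IdP's test-login flow (the browser developer tools or the IdP's own test console show the base64 SAMLResponse form field); a non-empty `missing_attributes` list or `assertion_encrypted` set to True points at the exact table row that is misconfigured on the IdP side.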

Step 2: Configure the external Identity Provider parameters in Remote Access

The external IdP metadata includes all the URLs and certificate details that are required to integrate the external IdP with Remote Access.

Click Upload metadata to upload the external IdP metadata file, or enter the details manually:

  1. Paste or type the external IdP Single Sign On URL.

  2. Upload the IdP server certificate. This must be a Base64-encoded X.509 certificate with a .cer or .pem extension.
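The two manual values in this step, the Single Sign On URL and the Base64-encoded X.509 signing certificate, are both present in the IdP's SAML metadata document. The Python script below is an added example, not CyberArk code, that pulls them out of a constructed metadata file and writes the certificate in the .pem form the upload expects. It prefers the HTTP-POST SingleSignOnService entry because the property table on this page sets the HTTP-POST binding for AuthnRequest to True. The metadata hostnames are invented, and the certificate body is a placeholder string, not a real DER certificate, so the PEM it produces is only useful for checking the format.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for DER certificate bytes. This is NOT a
# real X.509 certificate; it only exercises the Base64/PEM handling.
FAKE_DER = b"constructed placeholder - not a real X.509 certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed sample metadata; the hostnames are assumptions, not a real IdP.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
                     entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {FAKE_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{BINDING_POST}"
                            Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Wrap a bare Base64 certificate body in PEM armour, 64 characters per line."""
    body = "".join(b64_body.split())  # metadata often wraps the value in whitespace
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and decode the body; raises ValueError if malformed."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM CERTIFICATE block")
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc


def validate_certificate_pem(pem: str) -> bool:
    """True if the text is the Base64-encoded, PEM-armoured form the upload expects."""
    try:
        pem_to_der(pem)
    except ValueError:
        return False
    return True


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the entityID, HTTP-POST SSO URL and signing certificate (as PEM)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{NS_MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall(f"{{{NS_MD}}}SingleSignOnService"):
        if svc.get("Binding") == BINDING_POST:
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        raise ValueError("IdP does not advertise an HTTP-POST SingleSignOnService")
    cert = None
    for kd in idp.findall(f"{{{NS_MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute may be used for signing.
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find(f".//{{{NS_DS}}}X509Certificate")
        if node is not None and node.text:
            cert = node.text
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "certificate_pem": to_pem(cert)}


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("Entity ID:", settings["entity_id"])
    print("Single Sign On URL:", settings["sso_url"])
    print(settings["certificate_pem"])
```

Save the printed PEM block to a file with a .pem extension and upload it in step 2; the Single Sign On URL printed alongside is the value for step 1. If the IdP metadata carries several signing certificates (for example during a key rollover), extend the loop to collect all of them and upload the one the IdP is currently signing with.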

Step 3: Set enforcement

Specify whether user login is only via the IdP or also allowed using a QR scan.

  Setting: Enforce user login only via external IdP authentication

  Description: Toggle between the following:

    • Allow login via external IdP or QR authentication

    • Allow login only via external IdP

  Default: Off

Set user credentials re-authentication

You can set the time interval after which users must re-authenticate with their user credentials.

The default is every 30 days.