Configure external Identity Provider integration

This topic describes how to configure Remote Access integration with an external Identity Provider.


Remote Access can integrate with external identity providers that use SAML protocol, so that company users can continue to access their applications via your organization's existing SSO, while accessing PAM - Self-Hosted via Remote Access as well.

Before you begin

Before you can configure an external identity provider (IdP), your system must meet the following requirements:

  • Check that integration with CyberArk Identity is disabled. For more information, see Configure CyberArk Identity SSO integration.

  • Upgrade all the Remote Access connectors in your system to at least 1.0.8901. For details, see Upgrade connectors.

Enable/disable IdP integration

By default, the external IdP is enabled after you set and save the external Identity Provider configuration.

To disable the external Identity Provider integration:

  1. In the Remote Access portal, click Settings > User management sources, and select External IdP.

  2. Set the Enable integration toggle to off. Users cannot authenticate to Remote Access via the external IdP until you enable it again.

Configure service provider properties

This section describes the service provider properties that you configure in the external identity provider and in Remote Access.

Step 1: Enter the required Remote Access settings in the external IdP

Use one of these methods to copy the properties you need to configure in the external IdP.

The XML file contains all the URLs and settings that are required to integrate Remote Access with the external IdP.

  1. Copy or download the XML file.

  2. Set the following user attributes & claims:

     • Email Address

     • Object ID

Copy the following details into the relevant fields in the external IdP configuration page.

URL type

  • Audience (Identity ID). Depending on the IdP, this may also be known as the Audience URI.

  • Assertion Consumer Service. Depending on the IdP, this may also be known as the Single Sign-On Service URL.

  • Name ID. This setting defines the identifier that the external IdP passes to Remote Access to identify the user.

  • Signed Authentication Request

  • Signed Assertion

  • Encrypted Assertion

  • HTTP-POST Binding Response

  • HTTP-POST Binding for AuthnRequest

User attributes & claims

  • Email address

  • Object ID

Step 2: Configure the external Identity Provider parameters in Remote Access

The external IdP metadata includes all the URLs and certificate details that are required to integrate the external IdP with Remote Access.

Click Upload metadata.

  1. Paste or type the external IdP Single Sign On URL.

  2. Upload the IdP server certificate. This must be a Base64-encoded X.509 certificate with a .cer or .pem extension.

Step 3: Set enforcement

Specify whether user login is only via the IdP or also allowed using a QR scan.

Enforce user login only via external IdP authentication

Toggle between the following:

  • Allow login via external IdP or QR authentication

  • Allow login only via external IdP

Default: Off

Set user credentials re-authentication

You can set a time interval for when users need to re-authenticate their user credentials.

Default is set to every 30 days.