The CyberArk Identity Browser Extension

This topic guides system administrators through the procedures for deploying and configuring the CyberArk Identity Browser Extension.

Some web applications require the Browser Extension for single sign-on. Applications that depend on the Browser Extension have the jigsaw puzzle symbol on the Apps page in CyberArk Identity user portal.

After users install the Browser Extension, the jigsaw symbol disappears.

You can send the link for installing the browser extension directly to users. When users click the link, the installer identifies the user’s default browser and installs the corresponding extension. The link and the browser extension files are available from the Downloads page in the Identity Administration portal.

You can only update the browser extension; reverting to previous versions is not supported.

The browser extension is not required on mobile devices. The CyberArk Identity mobile app incorporates an internal browser that provides single sign-on. When device users open an application that requires the browser extension, the application automatically opens in the internal browser.

Options for user self installation

Users can install the CyberArk Identity Browser Extension using one of the following options.

  • Click the link in the banner on the Apps page above the application icons.

  • Launch an application that requires the Browser Extension, then click the link in the pop-up that prompts users to install the Browser Extension.

  • Download the browser extension from the relevant web store.

In addition, you can send users a link to install the Browser Extension. The link and the browser extension files are provided in the Downloads page under Browser Extensions.

Deploy the Browser Extension with Active Directory group policies

You can mass deploy the Browser Extension with Active Directory group policies. See the following links for instructions.

For Chrome browsers, see Mass deploy the CyberArk Browser Extension for Chrome

For Firefox browsers, see Mass deploy the CyberArk Browser Extension for Firefox.

For Microsoft Edge browsers, see Mass deploy the CyberArk Browser Extension for Microsoft Edge.

Copy credentials

We provide the following ways to obtain the username or password of a saved application without opening the User Portal:

  • Copy from the Browser Extension context menu on the application sign-in page or change password page.

  • Copy from a menu in the Browser Extension.

For instructions, see Copy credentials.

Configure time to clear the clipboard

After a user copies a username or password from the User Portal, Browser Extension, or Browser Extension context menu, CyberArk Identity clears the information from the clipboard after n seconds have passed. You can configure the number of seconds. The default is 120 seconds.

This feature does not clear all information stored in the clipboard history. It only clears the most recently saved username and password. We recommend that you disable clipboard history to reduce your organization's vulnerability to attack.

To configure the clear clipboard time:

  1. In the Identity Administration portal, click Policies, then double-click a policy to open it.

  2. Click Application Policies > User Settings.

  3. In the Clear clipboard after the configured time (in seconds) field, specify how many seconds you want to wait before the clipboard is cleared.

  4. Click Save.

Enable Land & Catch for your organization

This topic describes how to enable Land & Catch for your organization so users can add apps to their User Portal using the CyberArk Identity Browser Extension's Land & Catch feature. Land & Catch recognizes when users enter credentials and offers to add the site to their User Portal and store the user's credentials. As part of the Workforce Password Management feature, credentials are stored in either CyberArk Identity or in the CyberArk Privileged Access Manager - Self-Hosted self-hosted vault. Where the credentials are stored does not change the user experience. Regardless of where credentials are stored, users can leverage Land & Catch to conveniently add apps to their User Portal while securely storing their credentials.

Encourage your organization to use the CyberArk Identity Password Generator (available starting with the 21.7 Browser Extension) in conjunction with Land & Catch to reduce the threat of security breaches while simplifying the user experience. See Manage credentials with Workforce Password Management for more information.

Once enabled for users, Land & Catch is activated when a user logs in to a service provider's web site. The Browser Extension then asks via pop-up if the user wants to store the login information as an app on their User Portal. If the user agrees, the app appears in their User Portal.

The Land & Catch feature cannot capture apps that use iframes.

Step 1: Disable your browser's password prompts and autofill features.

The Browser Extension might conflict with your browser's features to save passwords and autofill information. CyberArk recommends disabling those browser features to avoid conflicts.

Disable password prompts in Chrome

In order suppress the prompt to save passwords in your Chrome browser, select Disable Browser Password Prompts in the CyberArk Identity Browser Extension. When this option is selected, the Chrome privacy permission, Change your privacy related settings, is enabled in Chrome Extensions. This permission is required in order for the Browser Extension to suppress the prompt to save passwords in Chrome.

  1. Click the Browser Extension button in your browser.

  2. Click the gear button (Settings) and select Disable Browser Password Prompts.

  3. If you are prompted to grant additional permissions to CyberArk Identity Browser Extension, click Allow.

Disable or enable autofill in Chrome

https://support.google.com/chrome/answer/142893

Disable or enable autofill in Firefox

https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins

Disable or enable autofill in Edge

https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336

Step 2: Enable Land & Catch in the Identity Administration portal

  1. Sign in to the Identity Administration portal, then click Core Services > Policies.

  2. Select an existing policy set, or create a new one.

    Policy sets are applied to users by applying them to everybody, specified roles, or sets.

  3. Select Application Policies > User Settings.

  4. Set Allow users to add personal apps to either -- or Yes.

  5. Set Enable browser extension Land & Catch to Yes, then click Save.

Step 3: Enable users to customize apps added using Land & Catch

  1. Go to Application Policies > User Settings.

  2. Set Allow users to customize personal apps to Yes, then select the fields where you want to allow customizations.

    • Name

    • Description

    • Logo

    • URL

  1. Set Enable Browser Extension Land & Catch to Yes.

  1. Click Save.

    End users can now update the configured fields for the captured apps.

End users cannot customize the apps added using the Add apps option.

Troubleshoot the Browser Extension

The first thing to do if you have challenges using the Browser Extension is to make sure that you are signed in.

Refer to the following sections for more specific challenges and solutions.

Unable to sign in to CyberArk Identity Browser Extension with a custom domain

Solution: Add dns.google.com to an allowlist

When using custom domains, an outgoing HTTPS call is made to dns.google.com to map the custom domain name to a CyberArk domain. Your organization needs to add the URL dns.google.com to an allowlist before you can sign in to the CyberArk Identity Browser Extension.

Unable to copy credentials from the CyberArk Identity Browser Extension after policy changes

Solution: Sign out from the CyberArk Identity Browser Extension and sign in again to copy the credentials

When your administrator makes policy changes, you must sign out from the Browser Extension and sign in again for new policy changes to take effect. If the issue persists, contact your administrator.

Land & Catch - added applications are not available

Solution: Refresh the app cache

Your system administrator might have changed the applications deployed to you or the tags used to organize them. You can refresh your app cache to update the Browser Extension with the latest information.

  1. Click the Browser Extension button in your browser.

    The Applications tab is displayed.

  2. Click the refresh icon to the left of the applications filter drop-down menu.

Land & Catch - The Browser Extension doesn't offer to add a new app

Solution: Verify that Land & Catch is enabled

Enable Land & Catch for your organization

Solution: Clear the list of skipped sites

If you clicked Never at any of the prompts to add a site to your User Portal but later change your mind, you can clear the list of skipped sites by clicking the Browser Extension button in your browser, then selecting Clear Skipped Sites... .

You can't sign in

Solution: Change your portal hostname

The portal hostname does not typically have to change from its default value; however, if your company uses multiple tenants, your system administrator might request that you change the portal hostname to an appropriate value for your tenant.

  1. Click the Browser Extension button in your browser, then click the gear icon to go to the Settings tab.

  2. Expand Advanced, then enter the name of your tenant in the Portal Hostname field.

    The portal hostname typically takes the format <tenant>.Idaptive.com A red X appears for invalid hostnames, and a green checkmark appears for valid hostnames.

Your system administrator wants the Browser Extension diagnostics log

Solution: Export the diagnostics log

Your system administrator might need you to export the Browser Extension diagnostics log to assist in troubleshooting.

  1. Click the Browser Extension button in your browser, then click the gear button to go to the tab.

  2. Expand Advanced, the then click Export Diagnostics Log.

    If requested by your administrator, select Enable diagnostics log. Enabling this setting adds more detail to the diagnostics log. even with this setting disabled, diagnostic logs containing less detail are still available for export.

    The log is downloaded to your browser's default download location. The filename takes the format BElog-YYYYMMDD-HHMMSS.bin.

The Browser Extension doesn't autofill my credentials

Solution: Disable browser password prompts and autofill

If you are signed in to the CyberArk Identity Browser Extension and you already refreshed your app cache, the Browser Extension might conflict with your browser's features to save and autofill sign in credentials and other information.

Disable password prompts in Chrome

In order suppress the prompt to save passwords in your Chrome browser, select Disable Browser Password Prompts in the CyberArk Identity Browser Extension. When this option is selected, the Chrome privacy permission, Change your privacy related settings, is enabled in Chrome Extensions. This permission is required in order for the Browser Extension to suppress the prompt to save passwords in Chrome.

  1. Click the Browser Extension button in your browser.

  2. Click the gear button (Settings) and select Disable Browser Password Prompts.

  3. If you are prompted to grant additional permissions to CyberArk Identity Browser Extension, click Allow.

Disable or enable autofill in Chrome

https://support.google.com/chrome/answer/142893

Disable or enable autofill in Firefox

https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins

Disable or enable autofill in Edge

https://support.microsoft.com/en-us/microsoft-edge/save-or-forget-passwords-in-microsoft-edge-b4beecb0-f2a8-1ca0-f26f-9ec247a3f336