Configure Certificate-Based Authentication (CBA)

You can create authentication rules that allow access to CyberArk Identity or to sensitive applications only when an authentication certificate is present. The authentication certificate is distributed to Windows and Mac machines by a Cloud Agent or Device Trust installer, and to mobile devices through enrollment (mobile devices must be enrolled in the CyberArk Identity MDM solution for CBA). You can also use third-party certificates, such as certificates deployed by MDMs like AirWatch or Intune, for CBA on Windows, Mac, and mobile devices; however, CBA does not work with native apps.

CBA does not work with native apps, on any platform or with any type of certificate.

  1. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Click Authentication Policies > CyberArk Identity.

  3. Select Yes in the Enable authentication policy controls drop-down.

  4. Click Add Rule.

    The Authentication Rule window appears.

  5. Click Add Filter on the Authentication Rule window.

  6. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  7. Select the authentication profile that you want applied if Certificate Authentication is true.

    In this example, certificate authentication will bypass other authentication rules and the default profile, so the selected profile is not important.

  8. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  9. Under Other Settings, select Use certificates for authentication and Certificate authentication bypasses authentication rules and default profile, then click Save.

Users can now access CyberArk Identity using the authentication certificate instead of entering a password.

  1. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Click Authentication Policies > CyberArk Identity.

  3. Select Yes in the Enable authentication policy controls drop-down.

  4. Under Other Settings, select Use certificates for authentication and Certificate authentication bypasses authentication rules and default profile, then click Save.

  5. Go to Apps & Widgets > Web Apps, then select an application where you want to use passwordless authentication.

  6. Go to the Policy tab, then click Add Rule to specify conditional access.

  7. Click Add Filter on the Authentication Rule window.

  8. Select Certificate Authentication from the Filter drop-down menu and set the Condition to Is Used, then click Add.

  9. Select the authentication profile to apply if Certificate Authentication is true.

  10. In the Default Profile (used if no conditions matched) drop-down, select a default profile to apply if certificate authentication is not available.

    The authentication profile is where you define the authentication methods. If you don't have an appropriate authentication profile yet, select Add New Profile to create one. See Create authentication profiles for more information.

  11. Click Save.
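The two procedures above build the same three settings: a Certificate Authentication rule, a default profile, and the two options under Other Settings. The model below, an added illustration that is not CyberArk code (the page does not describe the real evaluation engine, and rule ordering, profile names and user names here are constructed assumptions), shows how those settings combine for a given sign-in, including the cases the page calls out: no certificate present, a native app, and the bypass option turned off so that the rule's own profile matters.

```python
"""Toy model of how a CyberArk Identity authentication policy containing a
Certificate Authentication rule resolves to an authentication profile.
Added illustration only: not CyberArk's code, and the real evaluation engine
is not documented on this page. Profile and user names are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    user: str
    cert_present: bool        # client presented a trusted authentication certificate
    native_app: bool = False  # CBA never applies to native apps, on any platform


@dataclass(frozen=True)
class Rule:
    filter_name: str  # e.g. "Certificate Authentication"
    condition: str    # e.g. "Is Used"
    profile: str      # profile applied when the filter matches


@dataclass(frozen=True)
class Policy:
    use_certificates: bool      # "Use certificates for authentication"
    cert_bypasses_rules: bool   # "Certificate authentication bypasses authentication rules and default profile"
    rules: Tuple[Rule, ...]     # assumption: evaluated in order, first match wins
    default_profile: str        # "Default Profile (used if no conditions matched)"


@dataclass(frozen=True)
class Decision:
    profile: Optional[str]  # None when the certificate alone completes authentication
    bypassed: bool          # True when rules and the default profile were skipped


def certificate_usable(policy: Policy, req: AuthRequest) -> bool:
    """A certificate counts only if the policy allows it, the client presented one,
    and the client is not a native app."""
    return policy.use_certificates and req.cert_present and not req.native_app


def rule_matches(policy: Policy, rule: Rule, req: AuthRequest) -> bool:
    if rule.filter_name == "Certificate Authentication" and rule.condition == "Is Used":
        return certificate_usable(policy, req)
    return False  # other filter types (IP range, device OS, ...) are not modelled here


def resolve(policy: Policy, req: AuthRequest) -> Decision:
    """Pick the authentication profile for one sign-in attempt."""
    # With the bypass option on, a usable certificate skips every rule and the default.
    if certificate_usable(policy, req) and policy.cert_bypasses_rules:
        return Decision(profile=None, bypassed=True)
    # Otherwise rules are evaluated; the first matching rule's profile is applied.
    for rule in policy.rules:
        if rule_matches(policy, rule, req):
            return Decision(profile=rule.profile, bypassed=False)
    # No rule matched: fall back to the default profile (constructed: password + OTP).
    return Decision(profile=policy.default_profile, bypassed=False)


# Policy as produced by the steps above (bypass option selected; names constructed)
CBA_POLICY = Policy(
    use_certificates=True,
    cert_bypasses_rules=True,
    rules=(Rule("Certificate Authentication", "Is Used", "Cert Only"),),
    default_profile="Password + OTP",
)

# Same policy with the bypass option cleared: the rule's selected profile now matters
NO_BYPASS_POLICY = Policy(
    use_certificates=True,
    cert_bypasses_rules=False,
    rules=CBA_POLICY.rules,
    default_profile="Password + OTP",
)


if __name__ == "__main__":
    # Constructed sign-in attempts covering the cases the page describes
    attempts = [
        AuthRequest("alice", cert_present=True),                    # managed laptop
        AuthRequest("bob", cert_present=False),                     # unmanaged browser
        AuthRequest("carol", cert_present=True, native_app=True),   # native app, cert ignored
    ]
    for req in attempts:
        print(req.user, "->", resolve(CBA_POLICY, req))
    print("alice without bypass ->", resolve(NO_BYPASS_POLICY, attempts[0]))
```

Running the script shows the practical difference between the two option combinations: with the bypass option, users with a usable certificate never reach a rule or the default profile, so the profile chosen in step 7 is irrelevant, exactly as the note under that step says; with the bypass option cleared, the certificate only satisfies the rule's filter and the rule's profile is what is enforced.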