Set up external identity providers

This section describes how to set up external identity providers so you can integrate CyberArk Identity with the identity provider your organization already uses.

You can establish a trust relationship between the Service Provider (SP) and an external Identity Provider (IDP) using SAML tokens. By establishing this trust relationship, you can provide access to the resources that you want to share.

There are two use cases for external identity providers.

Use case


Shared tenant

In this use case, you share your CyberArk tenant with your business partners. Your CyberArk tenant (which hosts the services/applications) serves as the SP and your partner serves as the IdP. Your business partners access the tenant and its associated resources/applications by passing a SAML token obtained from their IdP service. This use case applies to any IdP (AD FS or other kinds of IdPs).


This case is sometimes referred to as “tenant to tenant” because both the SP and IdP are CyberArk tenants. Your business partners access the resources/applications by passing a SAML token obtained from their CyberArk IdP tenant to their CyberArk SP tenant.

Before you begin

  • You need group attribute values and IdP metadata to finish the configuration.

  • Ensure your SAML file includes the required elements.

    SAML 2.0 is automatically selected because we currently only support this federation type.

    The following attributes are consumed by federations with other Cloud customers.

    Additional attributes are supported and can be configured with the external IdP SAML configuration. These can also be configured on the Service Provider side with the B2B application template.

    Mandatory and optional attributes




    DisplayName, Description, EmailAddress, HomeNumber, LoginName, MobileNumber, Group and OfficeNumber

    For example:

    setAttribute("userprincipalname", LoginUser.Get("userprincipalname"));

In this section: