Use a Postman collection for CyberArk Identity authentication
This topic helps you test the CyberArk Identity authentication APIs using a Postman collection. Postman is an HTTP API testing application that enables you to monitor requests and responses.
Before you begin
- Install Postman from https://www.postman.com/downloads/
- Get access to a CyberArk Identity tenant
- Set up an Authentication profile
- Create a policy and assign a role to the policy
- Ensure that the user has enrolled in the appropriate MFA
Import a Postman collection
Get started with a Postman collection
Once the Postman collection is imported, you need to pre-fill the following variables to run the collection, based on the functionality you want to try out.
You can add the variables by selecting the variables tab, as shown above.
Authentication APIs
The table below describes the mandatory variables required for this collection.
Variable name | Description | Purpose |
---|---|---|
tenant_url | The URL of the CyberArk Identity tenant ( | Mandatory variable required for this collection. |
username | The username of the CyberArk Identity directory user. | Mandatory variable required for this collection. |
password | The password of the CyberArk Identity directory user. | The variable is required to authenticate with a password. |
sq_answer | The answer to the security question asked at the time of login. | The variable is required to authenticate with a security question. |
email_otp | The one-time password sent to the email address of the user at the time of login. | The variable is required to authenticate with the email address. |
sms_otp | The one-time password sent to the registered mobile number of the user at the time of login. | The variable is required to authenticate with an SMS. |
oath_otp | The time-based one-time password generated by the OATH OTP client. | The variable is required to authenticate with an OATH OTP. |
qr_session_id | The session ID can be retrieved from the QR code displayed by the CyberArk Identity login screen. This session ID should be used by the QR code authenticator to submit QR code | The variable is required to authenticate with a QR code. |
fido2_security_id | The credential ID generated by the FIDO2 authenticator. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
fido2_raw_id | The ArrayBuffer contained in the [[identifier]] internal slot. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
fido2_challenge | The challenge used for generating the newly created credential’s attestation object. This challenge can be generated using the /U2f/GetRegistrationChallenge API. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
fido2_authenticator_type | The FIDO2 authenticator type can be either "SECURITYKEY" for a FIDO2 security key or "ONDEVICEAUTHENTICATOR" for an on-device authenticator. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
fido2_attestation_object | The attestation object that contains authenticator data and attestation statement. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
fido2_client_data | This attribute, inherited from AuthenticatorResponse, contains the JSON-compatible serialization of client data. | The variable is required to authenticate with either a FIDO2 security key or an on-device authenticator. |
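A pre-flight check for the variables in the table above, as an added example that is not part of the CyberArk collection: it reports missing mandatory variables, an invalid fido2_authenticator_type, which mechanisms have every variable filled in, and any secrets saved into an exported collection or environment file. The function name, the choice of which variables count as secrets, and the sample export are assumptions constructed for illustration.

```javascript
// Added example. Variable names come from the table above; the rest is illustrative.
const MANDATORY = ["tenant_url", "username"];
const MECHANISMS = {
  password: ["password"],
  security_question: ["sq_answer"],
  email: ["email_otp"],
  sms: ["sms_otp"],
  oath_otp: ["oath_otp"],
  qr_code: ["qr_session_id"],
  fido2: ["fido2_security_id", "fido2_raw_id", "fido2_challenge",
          "fido2_authenticator_type", "fido2_attestation_object", "fido2_client_data"],
};
// Assumption: these are entered locally at run time and never saved into a shared export.
const SECRETS = ["password", "sq_answer", "email_otp", "sms_otp", "oath_otp"];
const FIDO2_TYPES = ["SECURITYKEY", "ONDEVICEAUTHENTICATOR"];

function auditVariables(exported) {
  // Collection exports keep variables under "variable", environment exports under "values".
  const entries = exported.variable || exported.values || [];
  const vars = {};
  for (const { key, value, enabled } of entries) {
    if (enabled !== false && String(value ?? "").trim() !== "") vars[key] = String(value).trim();
  }
  const findings = [];
  for (const name of MANDATORY) {
    if (!(name in vars)) findings.push(`missing mandatory variable: ${name}`);
  }
  if (vars.fido2_authenticator_type && !FIDO2_TYPES.includes(vars.fido2_authenticator_type)) {
    findings.push("fido2_authenticator_type must be SECURITYKEY or ONDEVICEAUTHENTICATOR");
  }
  for (const name of SECRETS) {
    if (name in vars) findings.push(`secret stored in export: ${name}`);
  }
  // A mechanism is runnable only when every variable it needs is filled in.
  const runnable = Object.keys(MECHANISMS).filter((m) => MECHANISMS[m].every((v) => v in vars));
  return { findings, runnable };
}

// Constructed sample export (not a real tenant or account).
const sampleExport = {
  variable: [
    { key: "tenant_url", value: "tenant.example.invalid" },
    { key: "username", value: "alice@example.invalid" },
    { key: "password", value: "constructed-sample-value" },
    { key: "oath_otp", value: "" },
    { key: "fido2_authenticator_type", value: "usb" },
  ],
};
console.log(auditVariables(sampleExport));
```

Run it against a collection or environment export before sharing or committing the file; a `secret stored in export` finding means the value should be cleared from the saved variable.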
Step-up authentication
CyberArk Identity provides step-up authentication to protect sensitive apps with additional MFA challenges. You can do this by adding policies to the web apps as shown below:
The Postman collection provides a collection for step-up authentication. To initiate the step-up authentication, a challenge ID is required for the additional challenge. You can use the /Security/ChallengeUser API to generate the challenge ID. This API takes the below parameter as input:
Variable name | Description |
---|---|
authentication_profile_name | The name of the authentication profile that is added to the app policy. |
Once the challenge ID is generated, it can be passed to the /Security/StartChallenge API.