Manage privileged objects in Privilege Cloud

CyberArk Identity supports managing privileged accounts and objects in Privilege Cloud. When you configure CyberArk Identity to authenticate to Privilege Cloud REST APIs, the CyberArk Identity SCIM server can connect third-party Identity Governance and Administration (IGA) platforms, such as Sailpoint, with Privilege Cloud. SCIM endpoints are used to integrate IGA platforms that are compatible with SCIM clients to simplify and automate the lifecycle management of privileged accounts.

The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.

Before you begin

  • To begin the configuration process, go to Set up SCIM for Privilege Cloud.

    When you reach the step to configure CyberArk Identity, return to this topic.

    When you configure the SCIM server, include an OAuth2 Client app to access the SCIM server with the scope scim*. This is described in Configure the SCIM server

  • Obtain the sign-in URL for the Privilege Cloud tenant.

    Additional licenses might be required to enable this feature. Contact your CyberArk account representative for more information.

  • Do not use the following characters in usernames when integrating with Privilege Cloud:

    Unsupported characters for usernames

    Character

    Description

    ?

    question mark

    <

    less than

    >

    greater than

    *

    asterisk

    "

    double quotation mark

    /

    forward slash

    \

    backslash

Step 1: Configure CyberArk Identity

These steps describe how to configure CyberArk Identity to authenticate to Privilege Cloud APIs.

  1. Add a service user. In the Identity Administration portal, go to Core Services > Users > Add User and enter the required values. In the Status field, select Is service user, then click Create User.

  2. Go to Core Services > Roles. Either select an existing role or add a role that has Vault Management rights and permission to the OAuth2 Client app used to access CyberArk Identity SCIM APIs for the IGA-PAM - Self-Hosted integration. Add the service user to this role.

  1. In the Identity Administration portal, go to Settings > Integration > Vault Configuration.

  2. Enter the following values, then click Save.

    Vault configuration required values

    Name

    Value

    PVWA URL

    Sign-in URL for the Privilege Cloud tenant.

    Service User for the Privileged Objects Management

    The service user that you have defined or the service user already created in Privilege Cloud.

The CyberArk Identity side of the configuration is complete.

Step 2: Configure Privilege Cloud to integrate with CyberArk Identity

To complete the IGA-Privilege Cloud integration process, see Step 3: Configure Privilege Cloud.