Deploy a web SAML Application

This topic provides general information about how to deploy a web application for SAML-based single sign-on (SSO).

To not disrupt existing access to critical web applications, we recommend that you deploy a non-production application or an application that will have minimal impact on your users.

The steps for adding a web SAML application in the Identity Administration portal are similar across all applications. After configuring the SSO template in the Identity Administration portal, you then sign in to the web application to configure it for SSO. Steps for service provider configuration vary widely for each application. This topic also uses the following web applications as examples.

  • Salesforce
  • Workday

Add web applications in the Identity Administration portal

Before you configure any web applications for SSO, you need the following:

  • An active account for the application with administrator rights for your organization.

  • A signed certificate.

    You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

  1. In the Identity Administration portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. On the Search tab, enter the partial or full application name in the Search field and click the search icon.

  3. Click the Add button associated with the relevant user-password application.

    4. Some application have both SAML and user-password versions, make sure you select the correct one.

  4. Click Yes to confirm on the Add Web App screen.

  5. Click Close to exit the Application Catalog.

    The application that you just added opens to the Application Settings page and has the "Ready to Deploy" status.

  6. Give an existing Active Directory user/group or CyberArk role access to the application.
    1. Click Permissions > Add button.
    2. Search for an existing Active Directory user/group or CyberArk role.
    3. Select the relevant user, group, or role.

    4. Click Add.

      5. The newly added Active Directory user/group or CyberArk role is added to the Permissions page with the relevant permissions.

  7. Click Save.

You now must make configuration changes from the application itself using your application administrator credentials.

Generic SAML application configurations

At the most basic level, configuring SSO for SAML applications mean providing the necessary information for the application and CyberArk Identity to communicate. The specific information and configuration field names may vary for each application, but you can typically find the necessary information on the Trust page in the Identity Administration portal (Apps > Web Apps > specific SAML application > Trust).

It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows.

Instructions for configuring the specific SAML applications follow.

Configure Salesforce

This article provides instructions for SSO access to Salesforce from the User Portal.

  1. In a new browser window, go to the Salesforce website and sign in with your administrator login.

    It is helpful to open the Salesforce web application and the Identity Administration portal Application Settings window simultaneously to copy and paste settings between the two browser windows.

  2. On the Salesforce website, navigate to Setup and search for Single Sign-on Settings.
  3. Check the SAML Enabled checkbox in the Federated Single Sign-On Using SAML area.

  4. Click Save.
  5. Click New in the SAML Single Sign-On Settings area.

    6. The SAML Single Sign-On Setting Edit page displays.

    Use this page to configure the application for single sign-on from the user portal.

    Salesforce allows you to specify multiple identity providers for SSO.

    For additional information about configuring Salesforce for SSO, refer to the following:

  6. Configure the necessary settings (in the Salesforce web application and the Identity Administration portal Application Settings window).

    7. The following screenshots shows the fields in the Identity Administration portal containing the necessary information and the corresponding field in Salesforce. It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows.

  7. Click Save.
  8. Complete the following on the Salesforce website:

    9. Option

    What you do

    Name

    Set it to the name of your identity provider, such as CyberArk.

    API Name

    Set it to Idaptive.

    Entity ID

    If using a customized subdomain in Salesforce, set it to that domain. Otherwise, use
    https://na59.lightning.force.com.

    Request Signature Method

    Leave set to default, RSA-SHA1

    SAML Identity Type

    Assertion contains User’s Salesforce.com user name

    SAML Identity Location

    User ID is in the NameIdentifier element of the Subject statement

  9. Click Save.

    10. If you only want SSO for application access, then you're done! If you want to give additional users access to the application, the see Specify who can see specific applications in User Portal . If you require multi-factor authentication (MFA) for application access, then see MFA for web application access.

Back to top

Configure Workday

This article provides instructions for SSO access to Workday from the User Portal.

  1. Log in with your Workday administrator credentials from the Workday URL.

    The URL should take the form https://www.myworkday.com/Your-Workday-Tenant/login-saml.flex where Your-Workday-Tenant is your tenant name.

  2. Navigate to Workbench > Account Administration.

    The Workbench menu is available under the user account picture at the top right of the page.

  3. In the Actions area, click Edit Tenant Setup - Security and scroll down to SAML Setup.

    If Edit Tenant Setup - Security is not available, you might not have the proper permissions to access it.

  4. In SAML Setup, select Enable SAML Authentication.

  5. Click +(the plus sign) next to Identity Providers and provide the relevant information.

    The following screenshot shows the fields in CyberArk IdentityIdentity Administration portal containing the necessary information and the corresponding field in Workday. It is helpful to open the web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows.

  6. Click OK to save your configuration.
  7. Log out of your Workday account.

  8. Navigate to the Trust page in the Identity Administration portal and enter the following into the Your Workday SAML ACS URL field:

    https://www.myworkday.com/YOUR-WORKDAY-TENANT/login-saml.flex

    Replace YOUR-WORKDAY-TENANT with the tenant name for your organization.

  9. Click Save.

  10. User provisioning allows for the automatic deployment of Workday to new Active Directory users who have been added to the relevant group. Note: The group must be given permission to access Workday; see Deploy a web SAML Application .

    1. Click Provisioning > Enable provisioning for this application check box.
    2. Select either Preview Mode or Live Mode.

      3. Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make but the changes aren’t saved.

      Live Mode: Use Live mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.

      SCIM doesn't enforce any particular way to authenticate with the Application provider, but you will need to provide a SCIM URL and an access token that the application accepts. The access token and SCIM URL are generally available from the application’s admin console, or by contacting support for the application. Another option is to create an access token using OAuth2.0.
    3. Enter the URL you want to use for the SCIM Service URL.
    4. Select either OAuth 2.0 or Authorization Header as your Authorization Type.

      5. OAuth 2.0 uses a workflow to authorize access and Authorization Header directly provides the credentials.

      Your choice of Authorization Type will determine the next few steps you will perform. Where you can find the information you provide will vary depending on the app you are configuring. If you need assistance with locating this information, contact support for the company that makes the app you are configuring.

      If you select OAuth 2.0, fill in these fields:

      Identity Administration portal >Provisioning

      What you do

      Authorize URL

      Copy the URL the admin will use to authorize access to the application, and paste it here.

      Access Token URL

      Copy the URL where the admin can get an access token for the app after authorization, and paste it here.

      Client ID

      Copy the ID generated when you create the client app entry, and paste it here.

      Client Secret

      Copy the password or access token generated when you create the client app entry, and paste it here.

      Scope

      Copy the statement of permissions to be granted to CyberArk and paste it here. In order to enable provisioning, CyberArk needs read and write permission to users and groups.

      Select Bearer Token if your app requires the header in the format: Bearer <your_access_token>.

      Select Basic if your app requires authentication in the format: HTTP BASIC.

      Select Direct if your app uses some other format.

      If you select Authorization Header, you have a choice of Header Type.

      • If you select Bearer Token, provide the Bearer Token.

      If you select Basic, provide the following:

      • Admin Name -- Copy the login name for the admin and paste it here.
      • Admin Password -- Copy the login password for the admin and paste it here.

      If you select Direct, provide the Header Value by copying the exact value of the header and inserting it here. The Header Value is usually in the form of <Token_Type> <Actual Token>. For example Example_Token xyztoken122.

    5. Click Verify to have CyberArk Identity verify the connection and save the provisioning details.
  11. Click Save.

    12. If you only want SSO for application access, then you're done! If you want to give additional users access to the application, the see Specify who can see specific applications in User Portal . If you require multi-factor authentication (MFA) for application access, then see MFA for web application access.