Integrate Identity Compliance with Privileged Access Manager - Self-Hosted

This topic describes how to integrate Identity Compliance with PAM - Self-Hosted. After integration, you will be able to add Safes to Identity Compliance campaigns.

The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.

Before you begin

  • Contact your CyberArk representative to confirm that all of the necessary product features are enabled for your deployment.

  • Make sure you have the ability to run PowerShell.

  • Obtain the PAM - Self-Hosted URL. This is the URL for the PAM - Self-Hosted instance, not the PVWA sign-in URL. For example,

Configure the integration in the Identity Identity Administration portal

Step 1: Install the CyberArk Identity Connector

Install the CyberArk Identity Connector inside the on-premises Vault network. See Install the CyberArk Identity Connector for instructions.

Step 2: Create a service account for the Vault integration

  1. In Identity Administration portal, go to Core Services > Users and click Add User.

  2. Enter identity-privilege-integration-user$ in the Login name field. Enter an email address and display name.

  3. Create a password for the service user.

  4. Select Is service user and Is OAuth confidential client.

  5. Click Create User.

Step 3: Create a role for the Vault integration

  1. Go to Core Services > Roles, then click Add Role.

  2. Enter a unique name for the role and click Save.

  3. In the role you just created, go to the Members tab. Click Add and add the identity-privilege-integration-user$ service user.

  4. Go to the Administrative Rights tab and add Vault Management.

  5. Click Save.

Step 4: Configure the Vault settings in CyberArk Identity

  1. In the left navigation panel, go to Settings > Integration > Vault Configuration.

  2. In the PVWA URL field, enter the PAM - Self-Hosted URL. This is the URL for the PAM - Self-Hosted instance, not the PVWA sign-in URL. For example,

  3. In the Connectors to use with this service field, choose how connectors will be selected for your API proxy configuration. The connectors must be version 21.7 or later and have the API Proxy Service enabled. Select one of the following:

    Option Result

    Any available


    Identity randomly selects an available connector.



    You can specify one or more Identity Connectors. If you select more than one connector, CyberArk  randomly chooses one of the selected connectors to use for the application. After you save the configuration, each future API proxy request uses a random connector from among those selected, if the connector is online.

  1. Click Save.

Configure the Vault

  1. Download the following CyberArk Marketplace scripts to a server that can communicate with PVWA.



    Create SCIM service user

    Identity  and PAS integration configuration

  1. In PowerShell, go to the directory where the scripts are located and run the command to create a SCIM service user:

    .\CreateSCIMServiceUser.ps1 -PVWAUrl <PAS-PVWA-URL>

    where <PAS-PVWA-URL> is the URL for the Password Vault Web Access instance. For example:;
  1. When prompted, enter your PAM - Self-Hosted admin credentials.

    The script creates a SCIM service user.

  2. Run the configuration script. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl <PAS-PVWA-URL> -cyberArkIdentityMetadataUrl <CYBERARK-IDENTITY-METADATA-URL> -cyberArkIdentityClientId __idaptive_cybr_user_oidc

    The parameters are:




    URL for PVWA.

    For example:


    URL you saved from the Identity Trust settings.

    For example: https://<your_tenant_url>/__idaptive_cybr_user_oidc/.well-known/openid-configuration

  3. For example:
  1. When prompted, enter your PAM - Self-Hosted admin credentials.

  2. Add identity-privilege-integration-user$ as a Safe member to the Safes that you want to manage with Identity Compliance. See Add a Safe member for instructions.

  3. Grant the identity-privilege-integration-user$ the following Safe permissions:

    • Manage Safe

    • Manage Safe members

      See Manage Safes for more information.

Configuration is complete. You can now select Safes for Identity Compliance  campaigns.