Integrate Identity Compliance with Privileged Access Manager - Self-Hosted
This topic describes how to integrate Identity Compliance with PAM - Self-Hosted. After integration, you will be able to add Safes to Identity Compliance campaigns.
The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.
Before you begin
- Contact your CyberArk representative to confirm that all of the necessary product features are enabled for your deployment.
- Make sure you have the ability to run PowerShell.
- Obtain the PAM - Self-Hosted URL. This is the URL for the PAM - Self-Hosted instance, not the PVWA sign-in URL. For example, https://example.acme.com.
Configure the integration in the Identity Administration portal
Step 1: Install the CyberArk Identity Connector
Install the CyberArk Identity Connector inside the on-premises Vault network. See Install the CyberArk Identity Connector for instructions.
Step 2: Create a service account for the Vault integration
- In the Identity Administration portal, go to Core Services > Users and click Add User.
- Enter identity-privilege-integration-user$ in the Login name field. Enter an email address and display name.
- Create a password for the service user.
- Select Is service user and Is OAuth confidential client.
- Click Create User.
Step 3: Create a role for the Vault integration
- Go to Core Services > Roles, then click Add Role.
- Enter a unique name for the role and click Save.
- In the role you just created, go to the Members tab. Click Add and add the identity-privilege-integration-user$ service user.
- Go to the Administrative Rights tab and add Vault Management.
- Click Save.
Step 4: Configure the Vault settings in CyberArk Identity
- In the left navigation panel, go to Settings > Integration > Vault Configuration.
- In the PVWA URL field, enter the PAM - Self-Hosted URL. This is the URL for the PAM - Self-Hosted instance, not the PVWA sign-in URL. For example, https://example.acme.com.
- In the Connectors to use with this service field, choose how connectors will be selected for your API proxy configuration. The connectors must be version 21.7 or later and have the API Proxy Service enabled. Select one of the following:
  Any available: Identity randomly selects an available connector.
  Choose: You can specify one or more Identity Connectors. If you select more than one connector, CyberArk randomly chooses one of the selected connectors to use for the application. After you save the configuration, each future API proxy request uses a random connector from among those selected, provided that connector is online.
- Click Save.
Configure the Vault
- Download the following CyberArk Marketplace scripts to a server that can communicate with PVWA:
  Create SCIM service user: https://cyberark-customers.force.com/mplace/s/#a352J000000aft4QAA-a392J000002OyRKQA0
  Identity and PAS integration configuration: https://cyberark-customers.force.com/mplace/s/#a352J000000afGWQAY-a392J000002OgE6QAK
- In PowerShell, go to the directory where the scripts are located and run the following command to create a SCIM service user:
  .\CreateSCIMServiceUser.ps1 -PVWAUrl <PAS-PVWA-URL>
  where <PAS-PVWA-URL> is the URL for the Password Vault Web Access instance. For example: https://example.acme.com/PasswordVault
- When prompted, enter your PAM - Self-Hosted admin credentials. The script creates a SCIM service user.
- Run the configuration script. In PowerShell, run the following command:
  .\IdentityConfiguration.ps1 -portalUrl <PAS-PVWA-URL> -cyberArkIdentityMetadataUrl <CYBERARK-IDENTITY-METADATA-URL> -cyberArkIdentityClientId __idaptive_cybr_user_oidc
  The parameters are:
  portalUrl: URL for PVWA. For example: https://example.acme.com/PasswordVault
  cyberArkIdentityMetadataUrl: URL you saved from the Identity Trust settings, in the form https://<your_tenant_url>/__idaptive_cybr_user_oidc/.well-known/openid-configuration. For example: https://abc0123.id.cyberark.com/__idaptive_cybr_user_oidc/.well-known/openid-configuration
- When prompted, enter your PAM - Self-Hosted admin credentials.
- Add identity-privilege-integration-user$ as a Safe member to the Safes that you want to manage with Identity Compliance. See Add a Safe member for instructions.
- Grant identity-privilege-integration-user$ the following Safe permissions:
  - Manage Safe
  - Manage Safe members
  See Manage Safes for more information.
- Configuration is complete. You can now select Safes for Identity Compliance campaigns.
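The two script invocations above depend on getting three URLs exactly right: the portal field takes the instance URL without /PasswordVault, while both scripts take the PVWA URL with it, and the metadata URL must point at a live OpenID Connect discovery document for the __idaptive_cybr_user_oidc app. The following PowerShell pre-flight wrapper is an added example, not part of the CyberArk documentation or of the Marketplace scripts. It derives both URL forms from the instance URL, fetches the discovery document and checks that the fields the OpenID Connect Discovery specification requires (issuer, authorization_endpoint, jwks_uri) are present, confirms the downloaded scripts are in the current directory, and only then runs the documented commands. The parameter names $PamUrl, $TenantUrl and the -Run switch are chosen for this example; the script parameters (-PVWAUrl, -portalUrl, -cyberArkIdentityMetadataUrl, -cyberArkIdentityClientId) are the ones shown on this page. The check that the issuer host matches the tenant host is an assumption about how the tenant publishes its issuer and is therefore only a warning.

```powershell
<#
  Added pre-flight check for the PAM - Self-Hosted / Identity Compliance integration.
  Not part of the CyberArk documentation or the Marketplace scripts.
  $PamUrl, $TenantUrl and -Run are names chosen for this example.
#>
param(
    # Instance URL, e.g. https://example.acme.com (the portal's PVWA URL field value)
    [Parameter(Mandatory = $true)][string]$PamUrl,
    # Identity tenant URL, e.g. https://abc0123.id.cyberark.com
    [Parameter(Mandatory = $true)][string]$TenantUrl,
    # Without -Run the wrapper only validates and prints the commands it would execute
    [switch]$Run
)

$ErrorActionPreference = 'Stop'

# Accept either form of the PAM URL and derive the two forms the procedure needs:
# the instance URL (portal field) and the PVWA URL (script parameters).
$pamBase = $PamUrl.TrimEnd('/') -replace '/PasswordVault$', ''
if ($pamBase -notmatch '^https://') {
    throw "PAM URL must use https, got: $pamBase"
}
$pvwaUrl     = "$pamBase/PasswordVault"
$tenantBase  = $TenantUrl.TrimEnd('/')
$metadataUrl = "$tenantBase/__idaptive_cybr_user_oidc/.well-known/openid-configuration"

# Fetch the OIDC discovery document. issuer, authorization_endpoint and jwks_uri are
# REQUIRED by the OpenID Connect Discovery spec; if any is missing, the tenant URL or
# the app name is wrong and IdentityConfiguration.ps1 would be fed a bad metadata URL.
$metadata = Invoke-RestMethod -Uri $metadataUrl -Method Get
foreach ($field in 'issuer', 'authorization_endpoint', 'jwks_uri') {
    if (-not $metadata.$field) {
        throw "Discovery document at $metadataUrl lacks required field '$field'"
    }
}
# Assumption for this example: the issuer is published under the tenant host.
if (([Uri]$metadata.issuer).Host -ne ([Uri]$tenantBase).Host) {
    Write-Warning "Issuer host '$(([Uri]$metadata.issuer).Host)' differs from tenant host; confirm the tenant URL"
}
Write-Host "OIDC metadata OK: issuer=$($metadata.issuer)"

# The documented commands use relative paths, so both Marketplace scripts
# must be in the current directory.
foreach ($script in '.\CreateSCIMServiceUser.ps1', '.\IdentityConfiguration.ps1') {
    if (-not (Test-Path -Path $script)) {
        throw "Missing $script in $(Get-Location); download it from the Marketplace first"
    }
}

Write-Host "Portal 'PVWA URL' field value : $pamBase"
Write-Host "Script PVWA URL               : $pvwaUrl"
Write-Host "Script metadata URL           : $metadataUrl"

if ($Run) {
    # Each script prompts for PAM - Self-Hosted admin credentials, as documented above.
    & .\CreateSCIMServiceUser.ps1 -PVWAUrl $pvwaUrl
    & .\IdentityConfiguration.ps1 -portalUrl $pvwaUrl `
        -cyberArkIdentityMetadataUrl $metadataUrl `
        -cyberArkIdentityClientId __idaptive_cybr_user_oidc
} else {
    Write-Host "Validation passed. Re-run with -Run to execute the two Marketplace scripts."
}
```

Run it first without -Run from the directory containing the downloaded scripts; a failure at the discovery step means the metadata URL the configuration script would receive is wrong, which is cheaper to find here than after the Vault-side configuration has been partially applied.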