Authenticate to Privileged Access Manager - Self-Hosted
To work with PAM - Self-Hosted, users must authenticate to the Vault using a predefined authentication method.
This section introduces you to the authentication methods that PAM - Self-Hosted supports and describes how they work.
General authentication considerations
PAM - Self-Hosted supports two layers of authentication, a primary layer and a secondary layer.
The secondary layer is optional and can be set to increase the authentication strength according to your needs.
Primary authentication
Primary authentication establishes an initial secure connection between the CyberArk interface and the CyberArk Vault server in order to grant access to users.
The CyberArk Vault supplies the following primary authentication options:
- Amazon Cognito authentication
- CyberArk Password authentication
- LDAP authentication
- NT/Windows authentication
- OpenID Connect (OIDC) authentication
- Oracle SSO (in PVWA)
- PKI authentication (Personal Certificate)
- RADIUS authentication
- SAML authentication
The PVWA can support additional third-party authentication methods. For more information, contact your CyberArk support representative.
Secondary authentication
Secondary authentication strengthens the secure connection by adding an additional user identification procedure. This is mainly useful for forcing additional authentication in case of automatic authentication (SSO), such as Windows authentication, PKI authentication or Web SSO.
When a secondary authentication method is applied, the primary authentication method must be one of the following:
- NT/Windows authentication
- PKI authentication (Personal Certificate)
- SAML authentication
- Oracle SSO (in PVWA)
- Amazon Cognito authentication
The following authentication methods can be combined with the primary methods listed above as the secondary authentication method:
- LDAP authentication
- RADIUS authentication
- CyberArk authentication
For more information about configuring secondary authentication, see Configure a secondary authentication method.
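To make the two-layer model concrete, the following is an added example (not CyberArk's code) that encodes the primary/secondary combinations listed above as a policy check and walks a login through both layers. The method names, the `AuthPolicy` class and the `authenticate` function are assumptions for illustration; the rule that a secondary method may only be combined with the SSO-style primaries is taken from the lists above.

```python
"""Two-layer authentication policy check modelled on the primary/secondary
layers described above. Added example code, not the product's implementation;
method names and the functions below are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# All supported primary methods (from the page's primary authentication list).
PRIMARY_METHODS = frozenset({
    "Amazon Cognito", "CyberArk Password", "LDAP", "NT/Windows",
    "OIDC", "Oracle SSO", "PKI", "RADIUS", "SAML",
})

# Primary methods that may be combined with a secondary method: the automatic
# (SSO-style) ones, where forcing an extra interactive step adds the most value.
SECONDARY_CAPABLE_PRIMARIES = frozenset({
    "NT/Windows", "PKI", "SAML", "Oracle SSO", "Amazon Cognito",
})

# Methods that may serve as the secondary layer ("CyberArk Password" stands for
# the page's "CyberArk authentication").
SECONDARY_METHODS = frozenset({"LDAP", "RADIUS", "CyberArk Password"})


@dataclass(frozen=True)
class AuthPolicy:
    """A configured authentication policy: one primary, optional secondary."""
    primary: str
    secondary: Optional[str] = None


def validate_policy(policy: AuthPolicy) -> List[str]:
    """Return configuration problems; an empty list means the combination is allowed."""
    problems = []
    if policy.primary not in PRIMARY_METHODS:
        problems.append(f"unknown primary method: {policy.primary!r}")
    if policy.secondary is not None:
        if policy.secondary not in SECONDARY_METHODS:
            problems.append(
                f"{policy.secondary!r} cannot be used as a secondary method")
        if (policy.primary in PRIMARY_METHODS
                and policy.primary not in SECONDARY_CAPABLE_PRIMARIES):
            problems.append(
                f"{policy.primary!r} does not support a secondary method")
    return problems


def authenticate(policy: AuthPolicy, primary_ok: bool,
                 secondary_ok: Optional[bool]) -> str:
    """Decide the login outcome for a user under the given policy.

    primary_ok    -- result of the primary layer (e.g. a Windows/PKI SSO check)
    secondary_ok  -- result of the secondary layer, or None if the user has not
                     yet completed it
    A misconfigured policy always denies rather than silently falling back to
    single-layer authentication.
    """
    if validate_policy(policy):
        return "denied: invalid authentication policy"
    if not primary_ok:
        return "denied: primary authentication failed"
    if policy.secondary is None:
        return "granted"
    if secondary_ok is None:
        return "pending: secondary authentication required"
    return "granted" if secondary_ok else "denied: secondary authentication failed"


if __name__ == "__main__":
    sso_plus_radius = AuthPolicy("NT/Windows", "RADIUS")
    print(validate_policy(sso_plus_radius))              # []
    print(validate_policy(AuthPolicy("LDAP", "RADIUS"))) # LDAP cannot take a secondary
    print(authenticate(sso_plus_radius, True, None))     # pending: secondary required
    print(authenticate(sso_plus_radius, True, True))     # granted
```

The point of the `pending` state is that a successful automatic primary step (Windows or PKI SSO) must not by itself produce a session when a secondary method is configured; the session is only granted once the interactive second layer has succeeded.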
Considerations when configuring PVWA authentication
- LDAP – To enable users to authenticate to the Vault with LDAP authentication, make sure that LDAP authentication has been installed and configured on the Vault. For more information, see LDAP Authentication.
- Windows – If users will log on to the Vault through the PVWA with Windows authentication, the PVWA must be installed on a machine in the domain that can connect to the Active Directory that will authenticate the user. For more information, see Windows authentication.
- RADIUS – To enable users to authenticate to the Vault with RADIUS authentication, make sure that RADIUS authentication has been installed and configured on the Vault. For more information, see RADIUS Authentication.
- PKI – To enable users to authenticate to the Vault with PKI authentication, the web server and the Vault user properties must be configured to identify the certificate that will enable the user to log on to the Vault through the PVWA. For more information, see PKI authentication (Personal Certificate).
- Oracle SSO – To enable users to authenticate to the Vault with Oracle SSO, make sure that the Oracle SSO authentication environment has been installed on a network machine that is accessible to the web server, and that a corresponding environment has been configured on the web site where the PVWA is installed. For more information, see Oracle SSO authentication.