Integrate with an IGA platform using SCIM

This topic describes how to integrate PAM - Self-Hosted with an Identity Governance and Administration (IGA) platform, using CyberArk Identity as the SCIM server. It is intended for organizations that run an identity governance solution alongside a privileged access management solution and want to govern privileged access centrally from the IGA platform instead of managing the two as separate silos.

What is SCIM?

System for Cross-domain Identity Management (SCIM) is an HTTP-based protocol for managing identities across platforms. It is an open standard (RFC 7643 and RFC 7644) for automating the exchange of user identity information between identity domains or IT systems.

SCIM provides the ability to create a user account in one system and then have matching accounts created in additional systems the user needs to access.

To learn more about SCIM, see http://www.simplecloud.info/.

SCIM support in PAM - Self-Hosted

PAM - Self-Hosted supports SCIM and the SCIM PAM extension as a means to integrate with IGA platforms. The SCIM PAM extension is an IETF draft that adds privileged-access resource types (containers, container permissions and privileged data) to the core SCIM user and group schemas.

Managing identities and privilege separately as silos can pose many challenges including:

  • Lack of visibility

  • Loss of productivity

  • Potential security gaps

  • Difficulty in enforcing a unified access policy, consistent governance, and provisioning and authorization process

Integrating PAM and IGA solutions simplifies and automates user provisioning, lowers security risk, and provides a single source of privileged identity and access data.

Terminology

Different platforms use different terminology for the same entity type. The following table maps entity names in PAM - Self-Hosted to their SCIM equivalents.

  PAM - Self-Hosted      SCIM
  User                   User
  Group                  Group
  Safe                   Container
  Safe member            Container permission
  Account                Privileged Data

Solution scope

This integration enables you to do the following:

Entity: Users and groups

  • Create, edit, and delete users and groups in either PAM - Self-Hosted or the IGA platform. In both cases the resulting users and groups are stored in PAM - Self-Hosted.

Entity: Containers and container permissions

  • View containers and their permissions in the IGA platform, and the corresponding Safes and their members in PAM - Self-Hosted.

  • Create containers and add container permissions to them in the IGA platform.

    The corresponding Safes and Safe members are created automatically in PAM - Self-Hosted.

  • Add container permissions to an existing container.

    The members are added automatically to the existing Safe in PAM - Self-Hosted.

  • Delete container permissions from a container.

    The members are removed automatically from the Safe in PAM - Self-Hosted.

  • Delete a container along with its privileged data in the IGA platform.

    Before a Safe can be deprovisioned in PAM - Self-Hosted, all the accounts associated with that Safe must be deleted first. Deleted accounts have a default retention period of 7 days, so the Safe can be deleted only after that period has passed. The retention period can be changed when the Safe is created. Once the retention period is over, you can delete the Safe from PAM - Self-Hosted.

Entity: Privileged data

  • Create, edit, and delete privileged data in the IGA platform and associate it with containers.

    Accounts are created, edited, and deleted automatically in PAM - Self-Hosted.

These use cases are supported using the endpoints described in Supported endpoints.
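The container deprovisioning order described above (privileged data first, then the container, and the container only once the accounts' retention period has passed) as an added example; this is not code from the page or from CyberArk. It assumes a bearer token for the CyberArk Identity SCIM server, the /PrivilegedData and /Containers endpoint names from the SCIM PAM extension draft, and a filterable container.value attribute on privileged data, none of which the page confirms, so check them against the server's /ResourceTypes and /Schemas. FakeScimServer and the identity.example.com URL are constructed so the example runs offline.

```python
"""Deprovision a container in the order this page requires: delete its privileged data first,
then the container, and treat a refused container delete (accounts still inside their
retention period) as 'retry later' rather than as an error."""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]  # (method, url, body) -> (status, json)


def bearer_transport(token: str) -> Transport:
    """Real transport: SCIM 2.0 over HTTPS with a bearer token and the RFC 7644 media type."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Accept", "application/scim+json")
        if data is not None:
            req.add_header("Content-Type", "application/scim+json")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


@dataclass
class DeprovisionResult:
    container_id: str
    deleted_privileged_data: List[str] = field(default_factory=list)
    container_deleted: bool = False
    retry_later: bool = False  # the server refused the container delete for now
    detail: str = ""


def deprovision_container(base_url: str, send: Transport, container_id: str) -> DeprovisionResult:
    """Delete every PrivilegedData resource in the container, then the container itself.
    Assumptions not confirmed by the page: the /PrivilegedData and /Containers endpoints of the
    SCIM PAM extension draft, and a filterable 'container.value' attribute on privileged data."""
    base, result = base_url.rstrip("/"), DeprovisionResult(container_id)
    # 1. Enumerate the container's privileged data (SCIM filter, RFC 7644 section 3.4.2.2).
    flt = urllib.parse.quote(f'container.value eq "{container_id}"')
    status, body = send("GET", f"{base}/PrivilegedData?filter={flt}", None)
    if status != 200:
        raise RuntimeError(f"listing privileged data failed: HTTP {status} {body}")
    # 2. Delete each item; 404 means it is already gone, which is acceptable.
    for item in body.get("Resources", []):
        status, err = send("DELETE", f"{base}/PrivilegedData/{item['id']}", None)
        if status not in (204, 404):
            raise RuntimeError(f"deleting {item['id']} failed: HTTP {status} {err}")
        result.deleted_privileged_data.append(item["id"])
    # 3. Try the container. The Safe cannot go until the deleted accounts' retention period
    #    (7 days by default) has passed, so a 4xx on the first pass is expected: report it for a retry.
    status, err = send("DELETE", f"{base}/Containers/{container_id}", None)
    if status in (204, 404):  # deleted now, or already gone
        result.container_deleted = True
    elif 400 <= status < 500:
        result.retry_later, result.detail = True, err.get("detail", f"HTTP {status}")
    else:
        raise RuntimeError(f"container delete failed: HTTP {status} {err}")
    return result


class FakeScimServer:
    """Constructed in-memory SCIM server (offline stand-in) that enforces the retention period."""
    def __init__(self, base_url: str, containers: dict, retention_days: int = 7):
        self.base = base_url.rstrip("/") + "/"
        self.containers = {cid: set(pds) for cid, pds in containers.items()}
        self.owner = {pd: cid for cid, pds in containers.items() for pd in pds}
        self.retention_days, self.today = retention_days, 0
        self.deleted_on: dict = {}            # container id -> day of its last account deletion
        self.log: List[Tuple[str, str]] = []  # (method, path) in call order

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        path = url[len(self.base):]
        self.log.append((method, path.split("?")[0]))
        if method == "GET" and path.startswith("PrivilegedData?filter="):
            cid = urllib.parse.unquote(path.split("filter=", 1)[1]).split('"')[1]
            res = [{"id": pd} for pd in sorted(self.containers.get(cid, ()))]
            return 200, {"totalResults": len(res), "Resources": res}
        if method == "DELETE" and path.startswith("PrivilegedData/"):
            pd = path.split("/", 1)[1]
            cid = self.owner.pop(pd, None)
            if cid is None:
                return 404, {}
            self.containers[cid].discard(pd)
            self.deleted_on[cid] = self.today
            return 204, {}
        if method == "DELETE" and path.startswith("Containers/"):
            cid = path.split("/", 1)[1]
            if cid not in self.containers:
                return 404, {}
            if self.containers[cid]:
                return 409, {"detail": "container still holds privileged data"}
            if self.today - self.deleted_on.get(cid, -self.retention_days) < self.retention_days:
                return 409, {"detail": "deleted accounts are still within their retention period"}
            del self.containers[cid]
            return 204, {}
        return 400, {"detail": f"unsupported {method} {path}"}
```

Against the real server, pass bearer_transport(token) as send. The first pass normally comes back with retry_later=True and the privileged data already gone; a scheduler should call the function again once the Safe's retention period (7 days by default) has elapsed, at which point the second pass finds nothing left to delete and removes the container.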

Information flows from the IGA platform (the SCIM client) to CyberArk Identity (the SCIM server), which relays it to PAM - Self-Hosted through the PAM - Self-Hosted REST APIs. [Diagram of this flow in the original page; not reproduced here]

Supported endpoints

PAM - Self-Hosted supports the following SCIM operations for each resource type:

  Area                     Supported HTTP methods
  Containers               GET, POST, PUT, DELETE
  Container permissions    GET, POST, PUT, DELETE
  Privileged data          GET, POST, PUT, PATCH, DELETE
  Users                    GET, POST, PUT, DELETE
  Groups                   GET, POST, PUT, DELETE

PATCH is supported only for privileged data. For the other resource types, a partial change must be sent as a PUT, which replaces the whole resource.

For details on managing PAM objects with SCIM endpoints via CyberArk Identity, see Manage PAM objects with SCIM endpoints.

Before you begin

If you intend to create users in PAM - Self-Hosted (rather than in the IGA platform), you need the following:

Integration workflow

The integration consists of the following procedures, performed in this order:

  1. Configure CyberArk Identity

  2. Configure PAM - Self-Hosted

  3. Configure the IGA for PAM

  4. Migrate to the IGA platform (existing customers with Safes that should appear in the IGA platform)

  5. Send requests to the CyberArk Identity SCIM server

Configure CyberArk Identity

CyberArk Identity is the SCIM server, functioning as middleware in the PAM - Self-Hosted-IGA integration. It communicates with the IGA (SCIM client) using the SCIM protocol and relays information to PAM - Self-Hosted using PAM - Self-Hosted REST APIs.

You must integrate CyberArk Identity with both PAM - Self-Hosted and your IGA platform.

  1. Configure the SCIM server. For details, see SCIM client inbound configuration.


    Use the Login Name identity-privilege-integration-user$ when you create the user with access to the OAuth2 Client app.

  2. Create a PAM - Self-Hosted OIDC app in CyberArk Identity. For details, see Configure CyberArk Identity integration with PAM - Self-Hosted.


    While performing this procedure, save the following information:

    • CyberArk Identity OpenID Connect Metadata URL

    • CyberArk Identity's OpenID Connect Client ID

    You need these parameters when you run the script, as described in Configure PAM - Self-Hosted.

Configure PAM - Self-Hosted

After you configure CyberArk Identity you need to run two scripts to complete the integration with PAM - Self-Hosted.

To create the SCIM service user:

  1. Download the Create SCIM service user script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\CreateSCIMServiceUser.ps1 -PVWAUrl [PAS PVWA URL]

    Parameter:

    PVWAUrl
      The URL to your PVWA.
      Example: https://[put-your-domain-here]/PasswordVault

  3. When prompted, enter your PAM - Self-Hosted admin credentials.

To configure the integration with CyberArk Identity:

  1. Download the Configure SCIM in PAM - Self-Hosted script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl [PVWA URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] -cyberArkIdentityClientId [CyberArk Identity Client ID]

    Parameters:

    portalUrl
      The URL to your PVWA.
      Example: https://[put-your-subdomain-here]/PasswordVault

    cyberArkIdentityMetadataUrl
      The CyberArk Identity OpenID Connect Metadata URL. This is the value you saved while configuring CyberArk Identity, as described in Configure CyberArk Identity.
      Example: https://<Identity-subdomain>/op/.well-known/openid-configuration

    cyberArkIdentityClientId
      CyberArk Identity's OpenID Connect Client ID. This is the value you saved while configuring CyberArk Identity, as described in Configure CyberArk Identity.

  3. When prompted, enter your PAM - Self-Hosted admin credentials.

Configure the IGA for PAM

Configure your IGA platform for PAM, according to the instructions of the IGA platform that you are using.

Migrate to the IGA platform

Existing customers who want their current Safes replicated and used in the IGA system must have an administrator perform the following action for each Safe that should appear in the IGA platform:

  • Add identity-privilege-integration-user$ as a member with all Safe permissions (as a Safe owner).

Because this user then holds full permissions on every Safe it is added to, add it only to the Safes you actually want governed through the IGA platform.
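The migration step above as an added example, not code from the page or from CyberArk: it grants identity-privilege-integration-user$ full Safe ownership on every Safe that should appear in the IGA platform through the PVWA REST API, so the step is repeatable and auditable rather than a per-Safe task in the UI. The endpoint paths, the permission attribute names, the 409 response for an already-existing member and the value/nextLink shape of the Safe list are assumptions from the PVWA Gen2 REST API (v12 and later), not facts from this page; check them against the REST API reference for your PVWA version. FakePvwa and the Safe names are constructed so the example runs offline.

```python
"""Migration step from this page: make identity-privilege-integration-user$ a full Safe owner on
every Safe that should be visible to the IGA platform, through the PVWA REST API instead of
editing each Safe's members by hand."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

INTEGRATION_USER = "identity-privilege-integration-user$"  # login name given on this page

# Full Safe-owner permission set. Assumption: attribute names as in the PVWA Gen2 REST API (v12+).
# The two request-authorization levels are mutually exclusive, so only level 1 is granted.
ALL_PERMISSIONS: Dict[str, bool] = {name: True for name in (
    "useAccounts", "retrieveAccounts", "listAccounts", "addAccounts", "updateAccountContent",
    "updateAccountProperties", "initiateCPMAccountManagementOperations", "specifyNextAccountContent",
    "renameAccounts", "deleteAccounts", "unlockAccounts", "manageSafe", "manageSafeMembers",
    "backupSafe", "viewAuditLog", "viewSafeMembers", "accessWithoutConfirmation", "createFolders",
    "deleteFolders", "moveAccountsAndFolders", "requestsAuthorizationLevel1")}
ALL_PERMISSIONS["requestsAuthorizationLevel2"] = False

Transport = Callable[[str, str, Optional[str], Optional[dict]], Tuple[int, object]]  # (method, url, token, body)


def pvwa_transport(method: str, url: str, token: Optional[str], body: Optional[dict]) -> Tuple[int, object]:
    """Real transport. PVWA expects the raw logon token (no 'Bearer' prefix) in Authorization."""
    req = urllib.request.Request(url, data=json.dumps(body).encode() if body is not None else None,
                                 method=method, headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")  # empty body -> None
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def grant_integration_user(pvwa_url: str, username: str, password: str, send: Transport = pvwa_transport,
                           skip: Tuple[str, ...] = ()) -> Dict[str, List[str]]:
    """Add the integration user with ALL_PERMISSIONS to every Safe not in `skip`, upgrading its
    permissions if it is already a member. Endpoint paths, the 409 for an existing member and the
    'value'/'nextLink' list shape are assumptions from the PVWA Gen2 API, not from this page."""
    api = pvwa_url.rstrip("/") + "/API"
    report: Dict[str, List[str]] = {"added": [], "updated": [], "skipped": []}
    status, token = send("POST", f"{api}/Auth/CyberArk/Logon", None, {"username": username, "password": password})
    if status != 200 or not isinstance(token, str):
        raise RuntimeError(f"logon failed: HTTP {status} {token}")
    try:
        url: Optional[str] = f"{api}/Safes"
        while url:  # follow server-side paging
            status, page = send("GET", url, token, None)
            if status != 200 or not isinstance(page, dict):
                raise RuntimeError(f"listing Safes failed: HTTP {status} {page}")
            for safe in page.get("value", []):
                name = safe["safeName"]
                if name in skip:
                    report["skipped"].append(name)
                    continue
                members = f"{api}/Safes/{urllib.parse.quote(name, safe='')}/Members"
                status, err = send("POST", members, token, {"memberName": INTEGRATION_USER, "memberType": "User",
                                                            "searchIn": "Vault", "permissions": ALL_PERMISSIONS})
                if status in (200, 201):
                    report["added"].append(name)
                elif status == 409:  # already a member: make sure it holds every permission
                    member = f"{members}/{urllib.parse.quote(INTEGRATION_USER, safe='')}/"
                    status, err = send("PUT", member, token, {"permissions": ALL_PERMISSIONS})
                    if status != 200:
                        raise RuntimeError(f"updating member on {name} failed: HTTP {status} {err}")
                    report["updated"].append(name)
                else:
                    raise RuntimeError(f"adding member to {name} failed: HTTP {status} {err}")
            nxt = page.get("nextLink")  # relative to /PasswordVault/, e.g. 'api/Safes?offset=25&limit=25'
            url = f"{pvwa_url.rstrip('/')}/{nxt}" if nxt else None
    finally:
        send("POST", f"{api}/Auth/Logoff", token, None)  # never leave the admin session open
    return report


class FakePvwa:
    """Constructed in-memory PVWA so the example runs offline; only the routes used above exist."""
    def __init__(self, safes: Dict[str, Dict[str, Dict[str, bool]]]):
        self.safes, self.logged_off = safes, False  # safeName -> {memberName -> permissions}

    def __call__(self, method: str, url: str, token: Optional[str], body: Optional[dict]) -> Tuple[int, object]:
        parts = [urllib.parse.unquote(p) for p in url.split("/API/", 1)[1].split("/") if p]
        if parts == ["Auth", "CyberArk", "Logon"]:
            return 200, "session-1"
        if parts == ["Auth", "Logoff"]:
            self.logged_off = True
            return 200, None
        if parts == ["Safes"] and method == "GET":
            return 200, {"value": [{"safeName": n} for n in self.safes]}
        if len(parts) == 3 and parts[0] == "Safes" and parts[2] == "Members" and method == "POST":
            members = self.safes[parts[1]]
            if body["memberName"] in members:
                return 409, {"ErrorMessage": "member already exists"}
            members[body["memberName"]] = dict(body["permissions"])
            return 201, {}
        if len(parts) == 4 and parts[0] == "Safes" and parts[2] == "Members" and method == "PUT":
            self.safes[parts[1]][parts[3]] = dict(body["permissions"])
            return 200, {}
        return 404, {"ErrorMessage": f"no route for {method} {url}"}
```

Use skip= for internal or system Safes that must not be exposed to the IGA platform: the integration user becomes an owner of every Safe it is added to, so the list of Safes it touches is the list of Safes the IGA platform will be able to govern. The returned report (added, updated, skipped) is what you would keep as the audit record of the migration.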

Send requests to the CyberArk Identity SCIM server

To send requests to the CyberArk Identity SCIM server, see Manage PAM objects with SCIM endpoints.