Privileged Session Management (PSM) - Identity Administration connector

This topic describes how to configure the Privileged Session Management (PSM) - Identity Administration connection component, which enables CyberArk Cloud Directory users to run secure connection sessions to the CyberArk Identity Security Platform Shared Services.

In this topic, the connector component is referred to as PSM - Identity Administration.

Prerequisites

  • Supported PSM versions:

    • 10.5 and up

    • If MFA is required - v12.3 and up

  • Set up your Privilege Cloud to work with web applications version 13.2 (13.2.0.125) and above. See Web applications for PSM.

  • Requires .NET Framework v4.8. If using a PSM with a version older than v10.5, the .NET Framework v4.8 must be installed on the PSM machine as well.

  • Import and set up the Identity Administration credential management plugin. See Identity Administration.

  • If MFA is required for the connecting user, the following are the minimum requirements:

    OATH OTP and Password are configured for the target device

    1. In Identity Administration, select Settings > Authentication.

    2. In Authentication Profiles, open the profile used for the connecting user.

    3. For both Challenge 1 and Challenge 2, ensure the following are selected:

      • OATH OTP Client

      • Password

    For details on configuring authentication profiles, see Configure MFA for Identity Administration.

  • Set up the PSM Identity Administration connection component

    1. In CyberArk Marketplace, download the PSM Identity Administration connection component. The connector zip file is downloaded.

    2. Associate the PSM Identity Administration connection component with the related Identity Administration plugin you set up as part of the Prerequisites.

      See Associate PSM connectors with the platform.

      The PSM Identity Administration connection component zip file is imported to the PSM machine, and extracted dll files are stored in [PSM installation folder]/Components/Connectors/PSM-CyberArkIdentitySecurity/.

    3. On the PSM machine, copy the extracted dll files from [PSM installation folder]/Components/Connectors/PSM-CyberArkIdentitySecurity/ to the [PSM installation folder]/Components folder.

  • Set up Identity Administration accounts in the Privilege Cloud Portal

    Step 1: Add an Identity Administration target account in the Privilege Cloud Portal

    1. In the Privilege Cloud Portal Accounts View page, click Add account, and select the following:

      • System type: Application

      • Platform: CyberArk Identity Security

      • Safe: the relevant Safe.

    2. In the account's Define properties tab, set the following parameters:

      Parameter   Definition
      Username    The user's full name in Identity Administration.
      Address     The platform address (without the https prefix): <subdomain>.cyberark.cloud
      Password    According to your organization's password policy.

    3. Click Add.

    Step 2: Create a logon account of any type in the Privilege Cloud Portal

    1. In the Privilege Cloud Portal Account page, click Add account, and select any system type, platform, and Safe.

    2. In the account's Define properties tab, set the Password as follows:

      • The MFA key in hex string format.

      • This is the same key provided in Identity Administration > Settings > Authentication > OATH Tokens. The key is in the imported CSV file, in the Secret Key (HEX) column. See Import OATH tokens in bulk.

    3. Click Add.

    Step 3: Attach the logon account to the Identity Administration account

    1. In Accounts View, access the target account's Details tab.

    2. Attach the Identity Administration account as the logon account to the target account.
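Step 2 above stores the OATH secret as a hex string in the logon account's password. The following Python snippet is an added illustration, not CyberArk's code and not part of this documentation: it validates that a pasted Secret Key (HEX) value is well-formed before it is stored, and derives the OATH code from it per RFC 4226/6238 so you can confirm the stored secret matches the token enrolled for the user. It assumes the OATH OTP Client token is time-based with a 30-second step and 6 digits (the common defaults); the sample secret is the RFC 6238 reference key, constructed here for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 6238 reference key "12345678901234567890",
# written in the hex-string form used by the Secret Key (HEX) column.
EXAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def parse_hex_secret(secret_hex: str) -> bytes:
    """Validate the hex-string form of an OATH secret and return the raw key bytes.

    A malformed value stored as the logon account password would only surface
    later as failed MFA challenges at session time, so reject it up front.
    """
    cleaned = secret_hex.strip().replace(" ", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("OATH secret must be a non-empty, even-length hex string")
    try:
        key = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("OATH secret contains non-hex characters") from exc
    if len(key) < 16:
        # RFC 4226 requires a shared secret of at least 128 bits.
        raise ValueError("OATH secret is shorter than 128 bits")
    return key


def is_valid_hex_secret(secret_hex: str) -> bool:
    """Convenience wrapper: True if parse_hex_secret accepts the value."""
    try:
        parse_hex_secret(secret_hex)
        return True
    except ValueError:
        return False


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_hex: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for the hex secret at a Unix time (default: now).

    Assumption of this example: a time-based token with a 30-second step and 6 digits.
    """
    key = parse_hex_secret(secret_hex)
    now = int(time.time()) if at_time is None else at_time
    return hotp(key, now // step, digits)


if __name__ == "__main__":
    # RFC 6238 reference vector: at T=59 the SHA-1 code is 94287082, i.e. 287082 at six digits.
    print(totp(EXAMPLE_SECRET_HEX, at_time=59))
    print(totp(EXAMPLE_SECRET_HEX))  # current code for the example secret
```

Comparing the code printed for the current time with the one shown by the user's enrolled authenticator is a quick way to catch a secret that was truncated or pasted from the wrong CSV row before the account is attached in Step 3.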

Linked Accounts

The PSM Identity Administration connection component uses the following linked account:

Logon account
  Supported: Yes
  Required: Yes, only if MFA is enabled for the target account.
  Platform: Any
  Permissions: N/A

Connection component settings in the Privilege Cloud Portal

The following parameters are specific to the PSM Identity Administration connection component. These are in addition to general parameters that are common to all connection components. For general parameters, see Connection Component Configuration.

Root level parameters

ID
  A unique ID that identifies the connection component.
  Accepted value: String
  Default value: PSM-CyberArkIdentitySecurity

DisplayName
  The name to be displayed in the connection selection.
  Accepted value: String
  Default value: CyberArk Identity Security

Target settings > Client specific parameters

ActionTimeout
  The maximum number of seconds to wait for an action to complete.
  Accepted value: Positive number
  Default value: 10

PageLoadTimeout
  The maximum number of seconds to wait for a page to load.
  Accepted value: Positive number
  Default value: 30

BrowserPath
  Path to the browser exe file.
  Accepted value: Full path

DriverFolder
  Folder where the browser driver is located.

RunValidations
  Specifies whether the validations defined in WebFormFields are run. If set to "Yes", validations are required.
  Accepted value: Yes/No
  Default value: No

PreconnectDllName
  The name of the PreConnect DLL file.
  Default value: CyberArk.PSM.CyberArkIdentitySecurity.dll

PreconnectParameters
  The parameters that are delivered to the PreConnect DLL.
  Default values: Username, Password, Address, AllowedTenantDomains, LogonAccount_Password

AllowedTenantDomains
  The list of supported CyberArk platform domain suffixes.
  Value separator: |
  Default value: cyberark.cloud
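AllowedTenantDomains restricts which platform hosts the Address property may point at. The following Python snippet is an added example, not CyberArk's code and not part of this documentation: it shows the check a reviewer would expect on that setting, splitting the value on the documented | separator, rejecting an Address that is not a bare host name, and matching on a label boundary so that look-alike domains do not pass. Requiring at least one label in front of the suffix is this example's own choice, made because the documented Address form is <subdomain>.cyberark.cloud; the sample addresses are constructed and are not real tenants.

```python
# Documented default for AllowedTenantDomains; the documented value separator is '|'.
DEFAULT_ALLOWED_TENANT_DOMAINS = "cyberark.cloud"


def parse_allowed_tenant_domains(value: str) -> list:
    """Split an AllowedTenantDomains value on '|' into normalised, lower-case suffixes."""
    suffixes = [part.strip().lower().strip(".") for part in value.split("|")]
    suffixes = [s for s in suffixes if s]
    if not suffixes:
        raise ValueError("AllowedTenantDomains must contain at least one domain suffix")
    return suffixes


def normalize_address(address: str) -> str:
    """Return the Address property as a bare, lower-case host name.

    The Address is documented without an https prefix, so a scheme, path, port,
    userinfo or embedded whitespace is treated as a configuration error rather
    than being silently stripped.
    """
    host = address.strip().lower().rstrip(".")
    if not host or any(ch in host for ch in "/:@?#\\") or any(ch.isspace() for ch in host):
        raise ValueError(f"Address must be a bare host name, got {address!r}")
    return host


def address_is_allowed(address: str, allowed_domains: str = DEFAULT_ALLOWED_TENANT_DOMAINS) -> bool:
    """True if the host is a subdomain of one of the allowed suffixes.

    Matching is done on a label boundary: 'acme.cyberark.cloud' passes, while
    'acme.evilcyberark.cloud' and 'acme.cyberark.cloud.example' do not.
    Assumption of this example: at least one label must precede the suffix.
    """
    host = normalize_address(address)
    return any(host.endswith("." + suffix) for suffix in parse_allowed_tenant_domains(allowed_domains))


def build_navigate_url(address: str, allowed_domains: str = DEFAULT_ALLOWED_TENANT_DOMAINS) -> str:
    """Build the https://{address}/ URL used by the default Navigate action,
    refusing any address outside the allowed tenant domains."""
    if not address_is_allowed(address, allowed_domains):
        raise ValueError(f"Address {address!r} is not under an allowed tenant domain")
    return f"https://{normalize_address(address)}/"


if __name__ == "__main__":
    # Constructed sample addresses, not real tenants.
    for candidate in ("acme.cyberark.cloud", "acme.evilcyberark.cloud", "acme.cyberark.cloud.example"):
        print(candidate, "->", address_is_allowed(candidate))
```

When more than one suffix is configured, keep the list as short as the deployment needs: every suffix added widens the set of hosts to which PSM will deliver the credentials listed in PreconnectParameters.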

Target settings > Web form settings

LogonURL
  The address of the web application.
  Accepted value: The address of the web application.
  Default value: https://&IdaptiveURL&/my?Auth=&AuthToken&

WebFormFields
  Describes the list of login actions.
  Accepted value: List of commands
  Default value:
    (Navigate=https://{address}/)
    //*^[@data-login-validation='valid'^] > (Button) (searchby=xpath)
    //*^[@data-login-validation='valid'^] > (Validation) (searchby=xpath)

EnforceCertificateValidation
  Whether or not PSM validates target website certificates when initiating connections.
  Setting this to No enables the PSM to connect to local websites that do not have valid certificates, such as LAN applications with self-signed certificates.
  Accepted value: Yes/No
  Default value: Yes