Configure SAML authentication
This topic describes how to configure SAML authentication in Privilege Cloud and in your IdP.
Overview
SAML authentication enables you to implement an Identity Provider (IdP) solution and benefit from an SSO workflow across multiple domains.
After you configure SAML authentication, all users can use this authentication method, whether they were provisioned through the LDAP integration or created manually as CyberArk users.
Privilege Cloud supports SAML version 2.0.
To configure SAML authentication you will need the assistance of CyberArk support.
Before you begin
To use SAML authentication in Privilege Cloud, users must first be defined in Privilege Cloud. You can do this in the following ways:
- Integrate with your LDAP server (recommended). For details, see Connect your LDAP directory server and LDAP integration.
- Create CyberArk users in Privilege Cloud whose details are identical to those of the users who will access Privilege Cloud via SAML authentication. For details, see Create CyberArk users.
Provide information to CyberArk support
CyberArk support requires the following information for configuring SAML authentication:
- The IdP metadata.xml file and the Audience value as defined in the IdP (see Audience).
- If the metadata.xml file is not available, the following fields are mandatory:

| Parameter | Details |
|---|---|
| BaseURL | The URL of your IdP. |
| IdentityProviderLoginURL | The login URL of your IdP. |
| IdentityProviderCertificate | The Base64 text representation of the certificate that is configured in your IdP as the SAML response signing certificate. Privilege Cloud uses it to verify the authenticity of the responses, so supply the signing certificate (not an encryption certificate), and keep in mind that this value must be updated whenever the IdP's signing certificate is rotated. |
| Audience | The value defined in the IdP. For details, see Audience. |
| PartnerIdentityProviderName | The IdP identifier that enables the Privilege Cloud Portal to identify the IdP. Also known as the EntityID of the IdP. |
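The fields in the table above are the pieces of the IdP metadata.xml that support would otherwise read for you: the EntityID, the single sign-on (login) URL and the response-signing certificate. The following script, an added example that is not CyberArk's code, pulls those three values out of a metadata file with the Python standard library so you can confirm what you are handing over. The metadata below is constructed (the example.test host names and the placeholder certificate are assumptions, not real IdP output), and BaseURL and Audience are not extracted because they are not carried in IdP metadata.

```python
"""Extract the support-request fields from an IdP metadata.xml (added example).

The metadata below is constructed: example.test URLs and a placeholder in place
of the Base64 DER certificate. Only the standard library is used.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder, not a certificate: real metadata carries a Base64-encoded DER certificate.
FAKE_CERT_B64 = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT").decode()
# Certificates in metadata are usually wrapped over several indented lines, which is
# why extract_idp_fields() strips all whitespace before returning the value.
WRAPPED_CERT = "\n        ".join(textwrap.wrap(FAKE_CERT_B64, 24))

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {WRAPPED_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_fields(metadata_xml: str) -> dict:
    """Map IdP metadata onto PartnerIdentityProviderName, IdentityProviderLoginURL
    and IdentityProviderCertificate. Raises ValueError when a field is missing."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID (PartnerIdentityProviderName)")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")

    # Login URL: prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    login_url = sso.get(REDIRECT) or sso.get(POST)
    if not login_url:
        raise ValueError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")

    # Signing certificate: a KeyDescriptor with use="signing", or one with no 'use'
    # attribute (which the metadata spec defines as valid for both purposes).
    # A use="encryption" key is skipped: supplying it as the signing certificate
    # would make every signed response fail verification.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            cert_b64 = "".join(cert.text.split())  # drop the line wrapping
            break
    if not cert_b64:
        raise ValueError("no signing X509Certificate in metadata")
    base64.b64decode(cert_b64, validate=True)  # catch a mangled or truncated certificate early

    return {
        "PartnerIdentityProviderName": entity_id,
        "IdentityProviderLoginURL": login_url,
        "IdentityProviderCertificate": cert_b64,
    }


if __name__ == "__main__":
    for name, value in extract_idp_fields(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

Run it against your own file with `extract_idp_fields(open("metadata.xml").read())`; the values it prints are the ones to paste into the support request, with the Audience value added from the IdP's relying-party configuration.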
Configure the IdP
Follow the instructions in the following table:

| Setting | Instructions |
|---|---|
| Assertion | Privilege Cloud supports only one assertion. Make sure only one assertion is configured in your IdP. |
| Assertion Consuming URL | `https://<Privilege Cloud Portal DNS or IP>/PasswordVault/api/auth/saml/logon` Note: Assertion encryption is not supported. The assertion therefore travels in the clear inside the signed response, and its confidentiality relies on TLS to this URL. |
| SAML Identity Location | Make sure that your IdP specifies the identity in the NameIdentifier element of the Subject statement. The user name is located in the `<Subject>` statement of the assertion. |
| Secure hash algorithm | Use one of the following hash algorithms. This algorithm is used to sign the SAML responses. |
| Non-signed requests | Make sure that the IdP is set to accept non-signed requests; Privilege Cloud sends unsigned authentication requests, so the integrity of the exchange rests on the IdP signing its responses. |
| User name | Configure the IdP to return the user name inside the NameID tag. Privilege Cloud supports the unspecified NameID format (`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`). The value returned must match the user name of the user defined in Privilege Cloud. |
| Audience | The value used by the IdP to identify the Privilege Cloud Portal as a relying party. |
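Most IdPs let you download a sample SAML response after you configure the relying party. The following check, an added example that is not CyberArk's code, runs a sample response against the requirements in the table above: exactly one assertion, no assertion encryption, the user name in the Subject NameID with the unspecified format, the Audience value set for the portal, and a signed response whose Destination is the Assertion Consuming URL. The response, the portal host, the Audience value and the user name below are constructed for the example. The check reports the signature algorithm but does not verify the signature; that requires an XML-DSig library and the IdP certificate.

```python
"""Pre-flight check of an IdP sample SAML Response against the Privilege Cloud
IdP requirements (added example, not CyberArk code). The response below is
constructed; its SignatureValue is a placeholder and is not verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed for this example: the portal's DNS name and the Audience value agreed with the IdP.
ACS_URL = "https://privilegecloud.example.test/PasswordVault/api/auth/saml/logon"
AUDIENCE = "PrivilegeCloudPortal"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">jsmith</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(response_xml: str, acs_url: str, audience: str) -> list:
    """Return a list of findings; an empty list means the response meets the table's requirements."""
    findings = []
    root = ET.fromstring(response_xml)

    # Destination must be the portal's Assertion Consuming URL.
    if root.get("Destination") != acs_url:
        findings.append(f"Destination is {root.get('Destination')!r}, expected {acs_url!r}")

    # The response must be signed; the algorithm is reported so the hash choice can be confirmed.
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        findings.append("response carries no Signature")

    # Exactly one assertion, and it must not be encrypted.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted (assertion encryption is not supported)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"{len(assertions)} assertions found, exactly one is required")
        return findings
    assertion = assertions[0]

    # User name in Subject/NameID with the unspecified format (a missing Format means unspecified).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("no NameID in the Subject statement")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        findings.append(f"NameID Format is {name_id.get('Format')!r}, expected unspecified")

    # Audience must be the relying-party value configured for the portal in the IdP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        findings.append(f"Audience {audiences!r} does not include {audience!r}")

    return findings


def subject_name_id(response_xml: str) -> str:
    """The user name the IdP returned; it must match a user defined in Privilege Cloud."""
    name_id = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return (name_id.text or "").strip() if name_id is not None else ""


if __name__ == "__main__":
    problems = check_response(SAMPLE_RESPONSE, ACS_URL, AUDIENCE)
    print("user name:", subject_name_id(SAMPLE_RESPONSE))
    print("OK" if not problems else "\n".join(problems))
```

Feed it the decoded (Base64-decoded, for an HTTP-POST binding) sample response from your IdP with your own portal URL and Audience value; any finding it prints is a setting to correct in the IdP before you involve support, and the user name it extracts is the one that must exist in Privilege Cloud.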