Add user password applications
Some web applications are configured for user name and password authentication only. Use this option if the application only supports user name and password authentication or if you don’t want to configure the application for SAML SSO at this time.
To add and configure a user password application in the Identity Administration portal
- In the Identity Administration portal, click Apps, then click Add Web Apps.
  The Add Web Apps screen appears.
- On the Search tab, enter the partial or full application name in the Search field and click the search icon.
- Next to the application, click Add.
- In the Add Web App screen, click Yes to confirm.
  The Identity Administration portal adds the application.
- Click Close to exit the Application Catalog.
  The application that you just added opens to the Description page.
  The description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Configure Single Sign-On (SSO) for the latest information.
- (Optional) On the Application Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.
  See CyberArk-issued derived credentials for more information.
- (Optional) On the Description page, you can change the name, description, and logo, and you can add notes for the application. For some applications, the name cannot be modified.
  The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the User Portal.
  Refer to Change the app name, description, or logo, and add notes for more information.
- On the User Access page, select the role(s) that represent the users and groups that have access to the application.
  When assigning an application to a role, select either Automatic Install or Optional Install:
  - Select Automatic Install for applications that you want to appear automatically for users.
  - If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.
- (Optional) On the Policy page, specify additional authentication controls for this application.
  - Click Add Rule.
    The Authentication Rule window displays.
  - Click Add Filter on the Authentication Rule window.
  - Define the filter and condition using the drop-down boxes.
    For example, you can create a rule that requires a specific authentication method when users access CyberArk Identity from an IP address that is outside of your corporate IP range. The supported filters, with the conditions available for each, are:
    - Identity Cookie: The cookie that is embedded in the current browser by CyberArk Identity after the user has successfully logged in.
      Conditions available: Is present, Is not present.
    - Device OS: The operating system of the device a user is logging in from.
      Conditions available: equal to, not equal to.
    - Browser: The browser used for opening the CyberArk Identity portal.
      Conditions available: equal to, not equal to.
    - Role: CyberArk Identity roles that a user belongs to. If a user belongs to multiple roles, the authentication rule that comes first (highest priority on top) is honored.
      If a role is renamed after an authentication rule using Role as a filter was created, the authentication rule automatically updates with the new role name. If a role is deleted, the portion of any authentication rule using that role as a filter is also deleted.
      This filter is only applicable to managing web application access.
      Contact support if Role does not display in your menu. This filter requires tenant configuration.
      Conditions available: equal to, not equal to.
    - Country: The country based on the IP address of the user's computer.
      Conditions available: equal to, not equal to.
    - Risk Level: This filter uses the risk level of the user logging on to the User Portal as the authentication factor. For example, a user attempting to log in to CyberArk Identity from an unfamiliar location can be prompted to enter a password and a text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. The Risk Level filter requires additional licenses. If you do not see this filter, contact CyberArk support. The supported risk levels are:
      - Non Detected -- No unexpected activities are detected.
      - Low -- Some aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
      - Medium -- Many aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised depending on the policy setup.
      - High -- Strong indicators that the requested identity activity is an anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
      - Undetermined -- Not enough user behavior activities (frequency of system use by the user and length of time the user has been in the system) have been collected.
      Additional licenses might be required to enable this feature. Contact your CyberArk account representative for more information.
      Conditions available: equal to, not equal to.
    - Managed Devices: A device is considered managed under the following circumstances:
      - It is enrolled to CyberArk Identity for device management.
        A device that is enrolled for only single sign-on or endpoint authentication is not considered a managed device. For more information about the difference, see Mobile Device Management or single sign-on only.
      - It is enrolled to a supported Unified Endpoint Manager (UEM).
      - It is compliant with policies defined by a UEM. Compliance means that the device is enrolled in a UEM and conforms to the compliance rules defined by that third party.
      For more information, see Configure access based on a third-party UEM trust.
      Conditions available: enrolled to, not enrolled to, compliant with, not compliant with.
    - Certificate Authentication: Whether you use a digital certificate issued by your organization’s trusted certificate authority. You can upload a certificate using the Identity Administration portal > Settings > Authentication > Certificate Authorities. Users can also individually use CyberArk as their trusted certificate authority and automatically install the digital certificate by enrolling their devices.
      For example, if you configure an authentication rule to use the Certificate Authentication condition, then CyberArk Identity checks for a digital certificate issued by a trusted certificate authority and enforces the specified authentication profile before allowing access to this application.
      CyberArk support must enable the Certificate Authentication filter for your company.
      Conditions available: is used, is not used.
  - Click Add Rule.
  - Click the Add button associated with the filter and condition.
  - In the Authentication Profile drop-down, select the profile you want applied if all filters/conditions are met.
    The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.
  - Click OK.
  - (Optional) In the Default Profile (used if no conditions matched) drop-down, select a default profile to be applied if a user does not match any of the configured conditions.
    If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down, users will not be able to log in to the service.
  - Click Save.
  If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or require additional authentication methods. For details, see Application access policies with JavaScript.
  If you left the Apps section of the Identity Administration portal to specify additional authentication controls, return to the Apps section by clicking Apps at the top of the page in the Identity Administration portal before continuing.
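  The rule semantics described above (every filter in a rule must match, rules are tried in priority order and the first match wins, otherwise the default profile applies, and a default of Not Allowed blocks the login) can be modelled as follows. This is an added example, not CyberArk code: the rule and context objects, the condition names taken from the filter list, and the sample policy are all constructed here for illustration.

```javascript
// Condition checks keyed by the condition names shown in the filter list above.
// `actual` is the value of the filter for the current login; `expected` is the
// value configured in the rule (unused for presence-style conditions).
const CONDITIONS = {
  "Is present":      (actual) => actual !== undefined && actual !== null,
  "Is not present":  (actual) => actual === undefined || actual === null,
  "equal to":        (actual, expected) => actual === expected,
  "not equal to":    (actual, expected) => actual !== expected,
  "enrolled to":     (actual, expected) => actual === expected,
  "not enrolled to": (actual, expected) => actual !== expected,
  "is used":         (actual) => actual === true,
  "is not used":     (actual) => actual !== true,
};

// Returns the authentication profile to enforce for one login context.
// `rules` is ordered highest priority first; `defaultProfile` is the
// "Default Profile (used if no conditions matched)" setting.
function evaluatePolicy(rules, defaultProfile, ctx) {
  for (const rule of rules) {
    const allMatch = rule.filters.every((f) => {
      const check = CONDITIONS[f.condition];
      if (!check) throw new Error(`unknown condition: ${f.condition}`);
      return check(ctx[f.filter], f.value);
    });
    if (allMatch) return rule.profile; // first matching rule is honored
  }
  return defaultProfile; // no rule matched
}

// Constructed sample policy (assumed profile names): a device enrolled to
// CyberArk Identity from the expected country gets the lighter profile; any
// other browser that already carries an Identity Cookie must step up; and
// everything else is blocked because the default is Not Allowed.
const samplePolicy = {
  defaultProfile: "Not Allowed",
  rules: [
    { profile: "PasswordOnly", filters: [
        { filter: "Managed Devices", condition: "enrolled to", value: "CyberArk Identity" },
        { filter: "Country", condition: "equal to", value: "US" } ] },
    { profile: "PasswordPlusMFA", filters: [
        { filter: "Identity Cookie", condition: "Is present" } ] },
  ],
};

// Convenience wrapper used by the checks below.
function decide(ctx) {
  return evaluatePolicy(samplePolicy.rules, samplePolicy.defaultProfile, ctx);
}
```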
- On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.
  The options are as follows:
  - Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName, or a similar field from CyberArk Cloud Directory.
    For Web - User Password applications, selecting this option allows an additional option to let Active Directory users log in using Active Directory credentials. Select the Use the login password supplied by the user (Active Directory users only) option for every Web - User Password application that you want users to log in to using Active Directory credentials.
  - Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
  - Prompt the user for their user name: Use this option if you want users to supply their own user name and password. The first time a user launches the application, they enter their login credentials for that application. CyberArk Identity stores the user name and password, and the next time the user launches the application, CyberArk Identity logs the user in automatically.
  - Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
        LoginUser.Username = LoginUser.Get('mail')+'.ad';
    The above script instructs CyberArk Identity to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is Adele.Darwin@acme.com, then CyberArk Identity uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see User-password application scripting.
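  A mapping script that generalizes the one-line example above, added here as an illustration rather than taken from the CyberArk documentation. It assumes only what the page shows, that LoginUser.Get(attr) returns a directory attribute and that assigning LoginUser.Username sets the account name used for login; the fallback to userPrincipalName, the validation, and the fakeLoginUser stand-in are this example's own assumptions.

```javascript
// Maps the directory user to an application account name. Prefers the mail
// attribute, falls back to userPrincipalName, and refuses to map when neither
// is usable so that an empty or malformed attribute cannot silently produce
// the wrong account name. Returns the value it assigned to LoginUser.Username.
function mapAccount(LoginUser) {
  let id = LoginUser.Get('mail');
  if (typeof id !== 'string' || !id.trim()) {
    id = LoginUser.Get('userPrincipalName'); // assumed fallback attribute
  }
  if (typeof id !== 'string' || !id.trim()) {
    throw new Error('no mail or userPrincipalName attribute for this user');
  }
  // Normalize: trim whitespace and lower-case the domain part only, so the
  // same person always maps to the same application account.
  const parts = id.trim().split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    throw new Error('directory attribute is not an e-mail address: ' + id);
  }
  LoginUser.Username = parts[0] + '@' + parts[1].toLowerCase() + '.ad';
  return LoginUser.Username;
}

// Constructed stand-in for the real LoginUser object, for running the script
// offline. In the portal the script body would simply end with
// mapAccount(LoginUser), using the object the platform provides.
function fakeLoginUser(attrs) {
  return { Username: null, Get: (name) => attrs[name] };
}
```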
- (Optional) On the Advanced page, you can edit the script that provides the login information to the application. In most cases, you don’t need to edit this. For details, see User-password application scripting.
- (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
- (Optional) Click Workflow to set up a request and approval workflow for this application.
  See Manage application access requests for more information.
- Click Save.