Add and configure the custom OpenID Connect application

This section covers how to add the custom OpenID Connect application to the Admin Portal and configure initial settings. For information about changing the Advanced script, see Customize the OpenID Connect Custom Logic script .

To add and configure a generic OpenID Connect application

  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. Click Custom.

  3. On the Custom tab, next to the OpenID Connect application, click Add.
  4. In the Add Web App screen, click Yes to add the application.

    the Admin Portal adds the application.

  5. Click Close to exit the Application Catalog.

    The application that you just added opens to the Settings page.

  6. Enter the Application ID.
  7. Update the Name, Description, Category, and Logo as needed.

    Because this is a custom application, CyberArk recommends giving this application a unique name. You can also provide a custom application logo.

    The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

    You can customize the name and description for each supported language.

  8. (Optional) Click On enrolled mobile devices, open this application in the built-in browser (required for Derived Credential login) to authenticate with this application.

    See CyberArk-issued derived credentials for more information.

  9. Configure fields on the Trust page.

    For the following, copy the content from the application website to the Trust page.



    Resource application URL

    Enter the URL of your OpenID Connect application.

    This field is visible when you select one of the following options under Service Provider Configuration section:

    Login initiated by the app only - Enable this option only for an RP-initiated login where the relying party sends a login request to the authorization server.

    Login initiated by CyberArk Identity or the app - Enable this option for an OP-initiated login where the open ID provider authenticates the user and redirects to the resource URL.

    You can select or deselect the Show in user app list option to enable or restrict the user to launch the application in User Portal.

    Authorized Redirect URIs

    Enter all desired redirect URIs registered with the CyberArk Identity. At least one redirect URI is required.


    Open ID Client Secret

    Enter the Client Secret established between the CyberArk Identity and application.

    For the following, copy the content from the Trust page to the application website.



    OpenID Connect Client ID

    Copy the Client ID and paste it into the appropriate field on the application website.

    OpenID Connect Metadata URL

    Copy the metadata URL and paste it into the appropriate field on the application website.

    OpenID Connect Issuer URL

    A URL unique to this application profile. This value is the entity ID used in the assertion to identify the identity provider attempting to authenticate. The web application doesn’t contact this URL so it doesn’t need to be functional.

  10. On the Tokens page, set the token lifetime for Access Tokens and Refresh Tokens (if you choose to issue Refresh Tokens).

    The default Access Token lifetime is five hours.

    If you issue Refresh Tokens, the default lifetime for a Refresh Token is 365 days. Refresh Tokens are exchanged for new access tokens, allowing your application to have a valid access token without additional user interaction.

  11. On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

    The options are as follows:

    • Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the CyberArk Cloud Directory.
    • Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
    • Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

      LoginUser.Username = LoginUser.Get('mail')+'.ad';

      The above script instructs the CyberArk Identity to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is then the CyberArk Identity uses For more information about writing a script to map user accounts, see the SAML application scripting.

  12. (Optional) Click App Gateway to allow users to securely access this application outside of your corporate network.

    For detailed configuration instructions, see Configure an application to use the App Gateway.

    The App Gateway feature is a premium feature and is available only in the CyberArk Identity App+ Edition. Please contact your CyberArk representative to have the feature enabled for your account.
  13. (Optional) Click Workflow to set up a request and approval work flow for this application.

    See Manage application access requests for more information.

  14. (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
  15. Click Save.

Next, you’re ready to edit the Advanced Script (see Customize the OpenID Connect Custom Logic script ).