Aqua Security Single Sign-On (SSO) integration

You can integrate the Aqua Security application with CyberArk Identity to enable use of SAML SSO.

Aqua Security SSO supported features

This application template supports the following features:

  • IdP-initiated SAML SSO access through CyberArk Identity User Portal

  • SP-initiated SAML SSO access directly through the Aqua Security web application

You can choose one or both methods.

Before you begin

Make sure you have the following information.



Aqua Security domain SSO URL


For example:

Your company subdomain


For example:

SP Entity ID


For example:

Assertion Consumer Service (ACS) URL


Confirm the following:

  • You have an active Aqua Security account with administrator rights for your organization.

  • Aqua Security users who will access CyberArk Identity User Portal through SSO have already been added to CyberArk.

Configure the Aqua Security app template in the Identity Administration portal

Perform these steps in the Identity Administration portal to configure the Aqua Security app template for SSO.

Step 1: Add the Aqua Security web app template.

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure the Trust page.

  1. Select Trust from the menu.

  2. In the Identity Provider Configuration section, select Metadata.

  3. Open the Signing Certificate field and click Download to download the certificate. Then click Download Metadata File. You will need these files later when you configure Aqua Security.

  4. In the Service Provider Configuration section, select Manual Configuration. Enter the SP Entity ID and Assertion Consumer Service (ACS) URL (from the Aqua Security application), then click Save.

Step 3: Configure the SAML Response page.

  1. Verify that the following attributes are present, with the Aqua Security attribute name in the Attribute Name column and the CyberArk attribute in the Attribute Value column.

    Attributes are case-sensitive.

    Attribute Name    Attribute Value
    aqua_role         LoginUser.Role_Names

  2. Map any other attributes that you want to pass in the SAML response, then click Save.

Step 4: Configure the Permissions page to grant Aqua Security users SSO access.

Grant SSO access to Aqua Security by assigning permissions to users, groups, or roles. Add two users. One user must be an administrator who is mapped to the aqua_role attribute, while the second user can have any role. The users must already exist in Aqua Security.

Perform these steps to define permissions for each user.

  1. On the Permissions page, click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want, then click Save.

Step 5: Review and save.

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure Aqua Security for SAML single sign-on

Perform these steps to configure the Aqua Security application template for SSO.

  1. Sign in to Aqua Security as the administrator.

  2. Go to Administration > Integrations > SSO Authentication.

  3. Enter the following values in the corresponding fields in Aqua Security:


    Corresponding Field in Aqua Security

    Single Sign-On URL (copy from IdP)

    Identity Provider Single Sign-On URL

    IdP Entity ID/Issuer (copy from IdP)

    Identity Provider Issuer


    Aqua Single Sign-On URL


    For example:

    Service Provider Issuer

  4. Upload the certificate file you downloaded from CyberArk.

  5. Click Save.
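
Before you upload the certificate, you can confirm that the two files downloaded from the Trust page agree with each other and read the issuer and SSO URL from the metadata instead of retyping them. The following is an added example, not part of the CyberArk or Aqua Security documentation. It assumes the metadata file follows the standard SAML 2.0 metadata schema; the function names, the idp.example.test host and the sample certificate bytes are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET  # parse only your own IdP's file; use defusedxml for untrusted XML

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 over the decoded certificate bytes; accepts PEM or bare base64."""
    body = "".join(l.strip() for l in pem_or_b64.splitlines() if not l.strip().startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def read_idp_metadata(xml_text: str) -> dict:
    """Extract issuer, SSO URLs and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML IdP metadata")
    sso = {e.get("Binding"): e.get("Location", "")
           for e in idp.findall("md:SingleSignOnService", NS)}
    fps = {cert_fingerprint(x.text or "")
           for kd in idp.findall("md:KeyDescriptor", NS)
           if kd.get("use") in (None, "signing")  # no "use" means signing and encryption
           for x in kd.findall(".//ds:X509Certificate", NS)}
    return {"issuer": root.get("entityID"), "sso_urls": sso, "signing_fps": fps}

def check_before_upload(xml_text: str, cert_pem: str) -> list:
    """Return a list of problems; an empty list means the two downloads agree."""
    md, problems = read_idp_metadata(xml_text), []
    if not md["issuer"]:
        problems.append("metadata has no entityID (IdP issuer)")
    problems += [f"SSO URL is not https: {u}"
                 for u in md["sso_urls"].values() if not u.startswith("https://")]
    if cert_fingerprint(cert_pem) not in md["signing_fps"]:
        problems.append("downloaded certificate is not a signing key in the metadata")
    return problems

# Constructed sample: placeholder bytes stand in for a DER certificate; host is made up.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/issuer">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{SAMPLE_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/sso"/></IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(check_before_upload(SAMPLE_METADATA, SAMPLE_PEM) or "downloads agree")
```

Run it against your own downloaded metadata and certificate files by reading them as text and passing them to check_before_upload; the issuer and sso_urls values returned by read_idp_metadata are the ones to compare with the Identity Provider Issuer and Identity Provider Single Sign-On URL fields.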

Test the Aqua Security SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and Aqua Security, users can benefit from IdP-initiated and SP-initiated SSO.

To test IdP-initiated SSO:

  1. Sign in to CyberArk Identity using the non-administrative user account you just added.

  2. Click the Aqua Security application tile to launch Aqua Security in a new tab and automatically sign in.

To test SP-initiated SSO:

  1. Go to your organization's Aqua Security SSO URL. For example:

  2. Sign in as your test user.

Additional information

See your Aqua Security documentation for additional resources.