Asentinel SAML Single Sign-On (SSO)

Asentinel offers both IdP-initiated SAML SSO (for SSO access through the CyberArk Identity User Portal) and SP-initiated SAML SSO (for SSO access directly through the Asentinel web application). You must select either IdP-initiated or SP-initiated on the Asentinel configuration form during SAML SSO configuration. The following is an overview of the steps required to configure the Asentinel web application for single sign-on (SSO) via SAML.

  1. Prepare for Asentinel single sign-on (see Asentinel requirements for SSO).

    Request a SAML configuration form from Asentinel. You will need to fill it out and send it back to Asentinel to configure SAML SSO.
  2. In the Admin Portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configure Asentinel in Admin Portal.

  3. Configure the Asentinel application for single sign-on.

    To configure Asentinel for SSO, contact Asentinel and provide them with the necessary configuration content (for details, see Contact Asentinel to enable SSO).

    After you are done configuring the application settings in the Admin Portal and the Asentinel application, users are ready to launch the application from the CyberArk Identity User Portal.

Asentinel requirements for SSO

Before you configure the Asentinel web application for SSO, you need the following:

  • An active Asentinel account with administrator rights for your organization.
  • Contact information for Asentinel support (to request the Asentinel SAML configuration form and to enable the SSO feature for your account).
  • Asentinel SAML configuration form available from Asentinel.
  • A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, the same signing certificate must be present in both the web application and the application settings in Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
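
A pre-upload check for the certificate pair described above, as an added example that is not part of the original page or of CyberArk or Asentinel tooling: it confirms that the .pem/.cer file destined for the web application carries no private key and has the same SHA-256 fingerprint as the certificate inside the .pfx/.p12 bundle for Admin Portal. The function names, file names and passphrase variable are assumptions, and `make_demo` only builds throwaway sample input.

```shell
#!/bin/sh
# Added example (not vendor tooling). Function and variable names are assumptions.

# SHA-256 fingerprint of a certificate file, trying PEM first and then DER (.cer).
cert_fp() {
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null; } |
        cut -d= -f2
}

# SHA-256 fingerprint of the signing certificate inside a .pfx/.p12 bundle.
# $2 names an exported environment variable holding the passphrase, so the
# passphrase never appears on the command line.
pfx_fp() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "env:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when the file holds private key material, which must stay out of the
# copy handed to the web application.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# check_sso_cert <bundle.pfx> <PASS_ENV_VAR> <public.pem|.cer>
# Returns 0 if the pair matches, 1 if the public file leaks a key,
# 2 if the fingerprints differ or either file cannot be read.
check_sso_cert() {
    if has_private_key "$3"; then
        echo "REFUSE: $3 contains a private key" >&2; return 1
    fi
    idp=$(pfx_fp "$1" "$2"); sp=$(cert_fp "$3")
    if [ -z "$idp" ] || [ "$idp" != "$sp" ]; then
        echo "MISMATCH: bundle=${idp:-unreadable} public=${sp:-unreadable}" >&2
        return 2
    fi
    echo "OK: both sides hold certificate $idp"
}

# Constructed sample input: throwaway self-signed key, certificate and bundle
# written to directory $1, protected with the passphrase in env variable $2.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signing" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/signing.pfx" -passout "env:$2"
}
```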

What you need to know about Asentinel

Each SAML application is different. The following list covers features and functionality specific to Asentinel.

  • Web browser client
  • Mobile client
  • SAML 2.0
  • SP-initiated SSO: For Asentinel SSO, you need to select either SP-initiated or IdP-initiated SSO. For SP-initiated SSO, users may go directly to the Asentinel URL and then use the CyberArk Identity SSO to authenticate.
  • IdP-initiated SSO: For Asentinel SSO, you need to select either SP-initiated or IdP-initiated SSO. For IdP-initiated SSO, users log in to Asentinel through the CyberArk Identity User Portal.
  • Force user login via SAML only
  • Separate administrator login after SSO is enabled
  • User or Administrator account lockout risk: There is a risk of being locked out of your account if users are forced to log in using SSO only. Contact Asentinel; they may need to disable SSO temporarily to bypass the lockout.
  • Automatic user provisioning
  • Multiple User types
  • Self-service password
  • Access restriction using a corporate IP range: You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Configure Asentinel in Admin Portal


Contact Asentinel to enable SSO

Asentinel provisioning

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see

If your Asentinel application supports SCIM, you can set it up to enable provisioning by entering the Access Token and SCIM URL.

For more information about provisioning your app, see Provision accounts with SCIM.

For more information about Asentinel

For more information about configuring Asentinel for SSO, contact Asentinel Support.