ITRP SAML Single Sign-On (SSO)

The following is an overview of the steps required to configure the ITRP Web application for single sign-on (SSO) via SAML. ITRP offers both IdP-initiated SAML SSO (for SSO access through the user portal or CyberArk mobile applications) and SP-initiated SAML SSO (for SSO access directly through the ITRP web application). You can configure ITRP for either or both types of SSO.

  1. Prepare ITRP for single sign-on (see ITRP requirements for SSO).

  2. In the Admin Portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configure ITRP in the Admin Portal.

  3. Configure the ITRP application for single sign-on.

    You will need to copy some settings from Application Settings in the Admin Portal and paste them into fields on the ITRP website. For details, see Configure ITRP on its web site

After you are done configuring the application settings in the Admin Portal and the ITRP application, users are ready to launch the application from the CyberArk Identity User Portal.

ITRP requirements for SSO

Before you configure the ITRP web application for SSO, you need the following:

  • An active ITRP account with administrator rights for your organization.

  • A signed certificate.

  • You can either download one from the Admin Portal or use your organization’s trusted certificate.

  • Contact information for ITRP support (to enable and test the SSO feature on your account).

Set up the certificates for SSO

To establish a trusted connection between the web application and the CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.

What you need to know about ITRP

Each SAML application is different. The following table lists features and functionality specific to ITRP.



Support details

Web browser client



Mobile client



SAML 2.0



SP-initiated SSO



IdP-initiated SSO



Force user login via SSO only


Username-password login remains available after SSO is enabled.

Separate administrator login after SSO is enabled



User or Administrator lockout risk


A lockout bypass URL is available after configuration on https://<your_subdomain> under Settings > Single Sign-On. Make a note of this URL in case it is needed.

Automatic user provisioning



Multiple User Types


Admin user

End users

Self-service password


Users can reset their own passwords. Resetting another user’s password requires administrator rights.

Access restriction using a corporate IP range


You can specify an IP Range in the Admin Portal Policy page to restrict access to the application.

Configure ITRP in the Admin Portal

Configure ITRP on its web site

For more information about ITRP

For more information about configuring ITRP for SSO, contact ITRP support.