KeyScaler SAML Single Sign-On (SSO) integration

This topic describes how to configure KeyScaler for Single Sign-On (SSO) in CyberArk Identity using SAML.

KeyScaler SSO supported features

This application template supports the following features:

  • IdP-initiated SSO

  • SP-initiated SSO

You can choose one or both methods.

Before you begin

Obtain the following information from the KeyScaler application.

Name: KeyScaler Domain (single sign-on URL)
Format: https://<organizationName>.keyscaler.com/cp/acs
For example: https://cyberark.keyscaler.com/cp/acs

Name: SP Entity ID
Format: https://<organizationName>.keyscaler.com/cp/metadata
For example: https://cyberark.keyscaler.com/cp/metadata

Make sure the administrators and users who will use SSO have already been added to KeyScaler and to CyberArk Identity.

Configure the KeyScaler application template in the Identity Administration portal

Step 1: Add the KeyScaler web app template

  1. In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search page, enter the application name in the Search field and click the search button.

  3. Next to the application name, click Add.

  4. On the Add Web App page, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Step 2: Configure Trust settings

  1. Go to the Trust tab.

  2. In the Identity Provider Configuration section, select Manual Configuration. Copy and save the following information for later use:

    • IdP Entity ID

    • SAML Issuer URL

    • Remote Logout URL

    • Signing certificate (download)

  3. In the Service Provider Configuration section, select Manual Configuration. Enter the following values and click Save after you finish. Obtain these values from the KeyScaler application.

    Setting: SP Entity ID
    Value: https://<organizationName>.keyscaler.com/cp/metadata
    For example: https://cyberark-trial.keyscaler.com/cp/metadata

    Setting: Assertion Consumer Service (ACS) URL
    Value: https://<organizationName>.keyscaler.com/cp/acs
    For example: https://cyberark-trial.keyscaler.com/cp/acs

    Setting: NameID Format
    Value: emailAddress

    Setting: Single Logout URL
    Value: https://<organizationName>.cp.keyscaler.com/cp/sls
    For example: https://cyberark-trial.cp.keyscaler.com/cp/sls

Step 3: Configure SAML Response settings

  1. Go to the SAML Response tab.

  2. Verify the following attributes, with the KeyScaler attribute name in the Attribute Name column and the CyberArk attribute in the Attribute Value column.

    Attributes are case-sensitive.

    Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Attribute Value: LoginUser.Email

  3. Map any other attributes that you want to pass in the SAML response, then click Save.

Step 4: Configure permissions to grant KeyScaler users SSO access

Grant SSO access to KeyScaler by assigning permissions to users, groups, or roles.

  1. On the Permissions page, click Add.

  2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

    The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

  3. Select the permissions you want and click Save.

    Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

    Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

Step 5: Review and save

Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.

Configure KeyScaler for SAML single sign-on

Perform these steps in KeyScaler to configure the KeyScaler app template for SSO.

  1. Sign in to KeyScaler as an administrator, then go to <organizationName> > Manage IdP.

  2. Copy and paste values from the CyberArk IdP configuration into the following fields.

    CyberArk IdP Value → KeyScaler field

    IdP Entity ID → Login URL
    Remote Logout URL → Log Out URL
    SAML Issuer URL → Issuer

  3. In the Certificate field, upload the signing certificate file that you downloaded from the CyberArk IdP configuration.

  4. Click Update.

Test the SSO configuration

Now that you have finished configuring the application template settings in the Identity Administration portal and KeyScaler, KeyScaler users can benefit from IdP-initiated or SP-initiated SSO.

To test IdP-initiated SSO:
  1. Sign in to CyberArk Identity with a user account that exists in both the KeyScaler application and CyberArk Identity.

  2. Click the KeyScaler application tile to launch KeyScaler in a new tab and automatically sign in.

To test SP-initiated SSO:
  1. Go to https://<organizationName>.keyscaler.com/cp/

  2. Authenticate to the CyberArk IdP.

    You are redirected to the KeyScaler application.
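
If a test sign-in fails, the SAMLResponse form value posted to the ACS URL can be compared with the settings from Steps 2 and 3. The following Python script is an added example, not part of the CyberArk or KeyScaler documentation; it checks the NameID format, Recipient, Audience, and the case-sensitive email claim name. Assumptions: the function names check_response and sample are hypothetical, the sample response is constructed and unsigned, and the emailAddress setting is assumed to emit the standard SAML 1.1 emailAddress format URN.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Assumption: the URN that the "emailAddress" NameID Format setting produces.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(saml_response_b64, org):
    """List mismatches between a captured SAMLResponse form value and the
    Trust / SAML Response settings on this page. Configuration check only:
    it does not verify the signature or the validity window."""
    acs_url = f"https://{org}.keyscaler.com/cp/acs"
    sp_entity_id = f"https://{org}.keyscaler.com/cp/metadata"
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    conf = root.find(".//a:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != acs_url:
        problems.append("Recipient is not the ACS URL")
    if sp_entity_id not in [a.text for a in root.findall(".//a:Audience", NS)]:
        problems.append("Audience does not contain the SP Entity ID")
    names = [a.get("Name", "") for a in root.findall(".//a:Attribute", NS)]
    if EMAIL_CLAIM not in names:  # attribute names are case-sensitive
        wrong_case = EMAIL_CLAIM.lower() in (n.lower() for n in names)
        problems.append("email claim missing" + (" (case differs)" if wrong_case else ""))
    return problems

def sample(org="cyberark-trial", claim=EMAIL_CLAIM):
    """Constructed, unsigned response for demonstration (not a real capture)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://{org}.keyscaler.com/cp/acs"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://{org}.keyscaler.com/cp/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{claim}">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
    </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(sample(), "cyberark-trial"))
    print(check_response(sample(claim=EMAIL_CLAIM.upper()), "cyberark-trial"))
```

An empty list means the response agrees with the configured values; any entry names the setting to recheck in the Trust or SAML Response tab.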