Configure MFA for certificate-based authentication

Enrolling an endpoint allows users to authenticate to the CyberArk Identity without passwords by using certificate-based authentication. In some cases you might want to enforce conditional multi-factor authentication (MFA) challenges on enrolled devices for additional security. For example, you can allow users with a low risk level to continue with certificate-based authentication, but enforce MFA for users with higher risk levels.

To configure MFA for certificate-based authentication

Step 1: Create a role.

The purpose of this role is to facilitate the application of the policy with the Admin Portal authentication settings to your users. Skip this step if your users are already in a role.

  1. Go to Core Services > Roles, then click Add Role.

  2. On the Description tab. complete the available fields and options.

    Field Description


    Enter a unique name for the Role.


    Enter a description for the Role's purpose.


    Select an Organization from the drop-down menu. Refer to Manage Organizations with Delegated Administrators for more information about Organizations.

    Role Type

    Select a Role type.

    Static Roles require you to manually add members. Dynamic Roles evaluate membership based on object attributes. You can create this logic with JavaScript.

  3. Click Members, then add members to the Role.

    The steps to add members to a Role are different depending on the type of Role.

    Click Add to add members to the Role.

    You can add CyberArk Cloud Directory users and external directory service users.

    1. Enter JavaScript in the Custom Logic box to add objects to the Role based on attribute values, then click Save.

      You can use attributes from either AD or CyberArk Cloud Directory (including Additional Attributes). Examples of attributes that you could use include co, Department, Location, Group membership, and Title.

      Click Load Sample to load an example script that you can start with. For example, there is a sample script that adds users with a specific value for the co attribute (AD) or Country attribute (CyberArk Cloud Directory).

      The following example shows the sample script that checks for the country code stored for a user.

      if(User.UserType == 'AD') { // User is an Active Directory user
          try {
              trace('Looking for property: co');
              if( == 'Aruba') {
                  return true;
          } catch (error) {
      		trace('property: co not found');
      } else if(User.UserType == 'CUS') { // User is a cloud directory user
          try {
              trace('Looking for additional attribute: country_');
              if(User.Properties.Properties['country_'] == 'Aruba') {
                  return true;
          } catch (error) {
      		trace('additional attribute: Country not found');
      return false;
    2. Click Test User, then search for the user that you want to add to the Role and click Next.

      A window displays indicating whether or not the user would be a member based on your custom logic.

  4. Click Administrative Rights, then add appropriate Administrative Rights.

    Refer to Admin Portal administrative rights for a description of available Administrative Rights.

  5. Click Assigned Applications, then assign applications to Role members.

    Assigning applications to a Role enables you to automatically deploy a default set of applications to the members of the Role.

  6. Click Save to finish creating the Role.

Step 2: Create an authentication profile, selecting appropriate challenges from the Challenge 1 column.

Optionally, you can select challenges from the Challenge 2 column to create a third authentication factor.

If you set a pass-through duration, user's will be presented with the selected additional authentication challenges if they refresh the Admin Portal once the pass-through duration expires. However, users can still click through to other areas of the Admin Portal after the pass-through duration expires without re-authenticating .
  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Click Settings > Authentication.
  3. Click Add Profile on the Authentication Profiles page.
  4. Enter a unique name for each profile.
  5. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

    You can't select the same mechanism in both challenge menus. For example, if you select QR Code in either of the challenge columns under Multiple Authentication Mechanisms, you can't select it under Single Authentication Mechanism.

    RADIUS does not support FIDO2 authentication mechanisms.

    Some authentication mechanisms require additional configurations before users can authenticate using those mechanisms. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to Secure access with adaptive MFA for more detail.

    Authentication set Description
    Multiple Authentication Mechanisms

    You can require that the first challenge be the user’s account password, then for the second challenge users can choose between an email confirmation code, security question, or text message confirmation code. See Authentication mechanisms for information about each authentication mechanism.

    If you have multiple challenges, the CyberArk Identity waits until users enter all challenges before giving the authentication response (pass or fail). For example, if users enter the wrong password for the first challenge, the CyberArk Identity will not send the authentication failure message until after users respond to the second challenge.

    If users fail their first challenge and the second challenge is SMS, email, or phone call, the default configuration is that the CyberArk Identity will not send the SMS/email or trigger the phone call. Contact support to change this configuration.
    Single Authentication Mechanism

    Single authentication challenges are sufficient for users to log in without any additional challenges, even if you selected challenges from Multiple Authentication Mechanisms.

    For example: if you select Password for Challenge 1, Security Question(s) for Challenge 2, and QR Code from Single Authentication Mechanism, a user with an enrolled device can scan the QR Code with the CyberArk Identity mobile app to log in, bypassing the mechanisms selected from Multiple Authentication Mechanisms. If a user does not have an enrolled device, the user can log in by responding to the challenges selected from Multiple Authentication Mechanisms (Password and Security Question(s) in this example).

  6. (Optional) Select the pass-through duration.

    If users have already authenticated using one of the specified mechanism within this duration, then they will not be authenticated again. The default is 30 minutes.

    This pass-through option does not apply to Windows or Mac MFA logins, or RADIUS VPN connections; only the User Portal and the Admin Portal.
  7. Click OK.

Step 3: Enable the authentication factors that you plan to use.

ClosedSMS, Phone

  1. Verify that your users have a mobile phone number associated with their account.

    1. Log in to the Admin Portal.
    2. Click Core Services > Users.
    3. If you have installed the CyberArk Identity Connector to integrate Active Directory with CyberArk Identity, then you will see your Active Directory user accounts in this list.

    4. Click the relevant user name.
    5. The Account page shows the email address and mobile number associated with this account.

  2. For Active Directory users, you can define custom attributes in Active Directory and map them to the Mobile Number field. Updating the custom attribute in AD also updates the mapped Mobile Number field in the Admin Portal. Additionally, when you update the Mobile Number field, the mapped custom attribute field in Active Directory is also updated. To enable this feature and configure the mapping between the custom attribute in Active Directory and the Mobile Number field in CyberArk Identity, contact your CyberArk account representative.

    CyberArk Identity Admin Portal Domain administrative accounts have the permission to modify the custom attribute in Active Directory. See Manage domain administrative accounts.


  1. Log in to the Admin Portal

  2. Go to Core Services > Policies.

  3. Select a policy set or create a new one.

  4. Go to User Security Policies > OATH OTP.

  5. Select Yes in the Allow OATH OTP Integration drop down.

  6. Select Yes in the Enable auto-setup of OATH OTP in Identity app to allow users to automatically configure OATH OTP during device enrollment with the CyberArk Identity mobile app.

    This provides a more convenient enrollment experience for users who use the CyberArk Identity mobile app. If you expect users to use a third-party authenticator such as Google Authenticator, select the default value (--) or No.
  7. Click Save.

  8. Enable users to configure an OATH OTP client.
    1. Click User Account Settings.

      The User Account Setting window opens.

    2. Select Yes in the Enable user to configure an OATH OTP client.

    3. Enter a user-friendly name (for example the name of the OTP client used by your organization) in the OATH OTP Display Name text field. This name is what users will see.

    4. Select an authentication profile to require users to provide additional authentication before they can access the QR code.

    For desktop-based CyberArk Authenticator, do not configure any additional Authentication profiles. This field should be set to --.
  9. Click Save.

Step 4: Enable authentication policy controls and add an authentication rule for Certificate Authentication.

  1. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  2. In the Policy Settings tab, change the Policy Assignment to Specified Roles and then add the role created in Create a role.

  3. Click Authentication Policies > the Admin Portal.

  4. Select Yes in the Enable authentication policy controls drop-down.

  5. Clear the box for Certificate authentication bypasses authentication rules and default profile so that attempted logins matching the authentication rule are subject to the MFA challenges in your authentication profile.

  6. (Optional) Select Set identity cookie for connections using certificate authentication to set an identity cookie on enrolled devices that typically use ZSO.

    You can then use the presence of the identity cookie in your authentication rule as a condition of whether you enforce MFA or a more lenient authentication profile.

  7. (Optional) Select Connections using certificate authentication satisfy all MFA mechanisms to allow certificate authentication to substitute for the authentication profile on step-up challenges, such as requiring additional authentication for access to certain deployed applications.

  8. Click Add Rule to specify conditional access.

    The Authentication Rule window displays.

  9. Click Add Filter on the Authentication Rule window.

  10. Select Certificate Authentication from the filter drop-down menu, is used from the condition drop-down menu, and your authentication profile from the Authentication Profile menu.

  11. Click the Add button associated with the filter and condition, then click OK.

  12. Click Save.

Enrolled users using certificate-based authentication (ZSO) will now be challenged by your selected authentication factors before successfully signing in to the CyberArk Identity.