Store Secured Items and business application credentials in the self-hosted PAM vault

This topic describes how to integrate your CyberArk Identity tenant with your Privileged Access Manager self-hosted Vault for the purpose of securely storing Secured Items (non-web app secrets) and business-related application credentials in the self-hosted Vault.

This provides added flexibility to retain secrets and user credentials in your self-hosted PAM Vault while leveraging the existing user-friendly capabilities of auto-capture and credential form-fill when launching applications from the CyberArk Browser Extension, CyberArk Identity User Portal, and the CyberArk Identity mobile app. Users can also remotely access these credentials without the need to connect to a corporate VPN or install any other agents.

CyberArk Workforce Password Management manages only the credentials of non-privileged user accounts (Business Users) stored in the CyberArk PAM Vault. End-to-end encryption between an end user's browser and the CyberArk PAM Vault uses asymmetric RSA 2048 encryption, so that CyberArk Identity Cloud cannot decrypt business user credentials while they are in transit to or from the Vault. Only the end user can view their business credentials stored in the CyberArk PAM Vault.

Contact CyberArk Support or your Account Executive to enable end-to-end encryption for Secured Items.

Additionally, CyberArk Workforce Password Management has no rights to read or manage the highly sensitive credentials of privileged users that are also stored in the CyberArk PAM Vault.

Additional licenses are required to enable the Workforce Password Management capability to store secrets and user credentials in PAM. Contact your CyberArk Account Representative for more information.

Prerequisites

Before you configure the CyberArk OIDC Trust App and configure PAM, make sure you have the following:

  • PVWA (Password Vault Web Access) component in PAM updated to version 12.1 or later.

  • PVWA URL for the PAM instance where you intend to store business user credentials. This URL is specified in the Resource application URL attribute of the CyberArk OIDC Trust App.

  • The following minimum CyberArk Identity Connector versions:

    21.6
      Required, with the API Proxy Service enabled, so that CyberArk Identity can invoke the corresponding PVWA REST APIs through the secure, VPN-less tunnel.

    22.1
      Required for end-to-end encryption.

    22.3
      Required to store non-web app secrets (Secured Items).

    See Install the CyberArk Identity Connector for more information.

    We recommend updating to the latest version of the connector to benefit from new features as they are introduced.

Configure CyberArk Identity

This section covers how to add the CyberArk OIDC Trust application in the CyberArk Identity Admin Portal and configure settings to authenticate to CyberArk PAM. 

Step 1: Add the CyberArk OIDC Trust application from the App Catalog.

You cannot add this application to the Admin Portal more than once.
  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. On the Search tab, enter CyberArk OIDC Trust in the Search field and click the search icon.

  3. Next to CyberArk OIDC Trust, click Add.

  4. In the Add Web App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The CyberArk OIDC Trust application opens to the Settings page.

Step 2: Configure the Trust settings.

  1. On the Trust page, enter the PAM URL in both the Resource application URL field and the Vault location URL field.

    This is the base URL of the PAM instance, not the PVWA sign-in URL. For example, https://example.acme.com (and not https://example.acme.com/PasswordVault/V10).

  2. Configure the following fields.

    Select AD Forest configured for Privilege Access Security (PAS) (required)
      Select one or more AD forests that contain users common to CyberArk Identity and CyberArk PAM. For users who belong to other directories, or to AD forests that are not configured with CyberArk PAM, application credentials are stored in and retrieved from CyberArk Identity.

    Connectors to use with this service
      Select CyberArk Identity Connectors that have the API Proxy Service enabled. Choose one of the following:

      • Any available: CyberArk Identity randomly selects one of the available connectors for your API Proxy configuration.

      • Choose: specify one or more CyberArk Identity Connectors to use for your API Proxy configuration. If you select more than one connector, CyberArk Identity randomly chooses one of the selected connectors for the application. Once the configuration is saved, each future API Proxy request uses a random connector from those selected, as long as that connector is online.

Step 3: Grant permissions to the app.

  1. On the Permissions page, click Add.

    The Select User, Group, or Role window appears.

  2. Select the user(s), group(s), or role(s) that you want to give permissions to, then click Add.

    Only users and groups that are common across the AD instances configured for CyberArk Identity and CyberArk PAM are considered for storing and retrieving the credentials from the PAM Vault.
  3. Click Save.

Step 4: Configure the CyberArk Identity script to recognize business users configured in PAM.

  1. On the Tokens page, replace the Custom Logic with the following script.

    if (Scopes.Contains("sharedcredentials")) {
        setClaim('preferred_username', 'shared-credentials-service-user$');
    }
    else if (Scopes.Contains("bizappcredvault")) {
        setClaim('preferred_username', LoginUser.Get('userprincipalname'));
    }

  2. (Optional) If PAM uses a user logon name property other than the default, update the setClaim line of the script so that the attribute it reads is the same property PAM uses as the user name.

    The default script present in the text panel in most cases works as is and does not need to be changed. If you use the short user name or a different user logon name property, such as sAMAccountName, you need to modify the default script.

    User name used to sign in to PAM, and the matching script line:

    Full user name (default), for instance adele@example.com
      setClaim('preferred_username', LoginUser.Get('userprincipalname'));

    Short user name, for instance adele
      setClaim('preferred_username', LoginUser.Username);

    If you use a different user logon name property than those indicated above, make sure that the attribute passed to LoginUser.Get is the property you configured as the user logon name property. For instance, if the user logon name property maps to sAMAccountName, set the claim from sAMAccountName:

      setClaim('preferred_username', LoginUser.Get('sAMAccountName'));
  3. Click Save.
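The mapping the Custom Logic performs, as an added example that is not CyberArk's code: a stand-alone Node.js harness that runs the same decision the Tokens-page script makes, generalized to the three user-name formats in the table above, so the claim can be checked before the script is saved in the OIDC Trust app. It assumes only that the engine exposes Scopes.Contains, LoginUser.Get, LoginUser.Username and setClaim as shown on this page; the stub user, the attribute-selection helper and the empty-attribute guard are this example's additions, and how the real Custom Logic engine reports a thrown error is not covered on this page.

```javascript
// Added example: exercise the Tokens-page custom logic against stub
// Scopes / LoginUser / setClaim objects so the claim mapping can be checked offline.
// Assumption: the real engine exposes these objects as shown on the page; the
// stub user, buildCustomLogic() and the fail-closed guard are constructed here.

const SERVICE_USER = 'shared-credentials-service-user$';

// Build the custom-logic function for a given PAM user-name attribute:
// 'userprincipalname' (default), 'sAMAccountName', or 'username' (short name).
function buildCustomLogic(attr) {
  return function customLogic(Scopes, LoginUser, setClaim) {
    // sharedcredentials takes precedence, exactly as the page's else-if does.
    if (Scopes.Contains('sharedcredentials')) {
      setClaim('preferred_username', SERVICE_USER);
      return;
    }
    if (Scopes.Contains('bizappcredvault')) {
      const value = attr === 'username' ? LoginUser.Username : LoginUser.Get(attr);
      // Fail closed (example addition): an empty attribute must not become an empty
      // preferred_username, which PAM could not resolve to the intended Vault user.
      if (typeof value !== 'string' || value.trim() === '') {
        throw new Error(`user attribute ${attr} is empty; refusing to set preferred_username`);
      }
      setClaim('preferred_username', value);
    }
    // Any other scope set: no preferred_username claim is issued.
  };
}

// Stubs standing in for the engine objects (constructed for this example).
function makeStubs(grantedScopes, attributes) {
  const claims = {};
  const Scopes = { Contains: (s) => grantedScopes.includes(s) };
  const LoginUser = {
    Username: attributes.username,
    // Attribute lookup is case-insensitive in this stub so 'sAMAccountName' resolves.
    Get: (name) => attributes[name.toLowerCase()],
  };
  const setClaim = (name, value) => { claims[name] = value; };
  return { Scopes, LoginUser, setClaim, claims };
}

// Run the logic for one token request and return the claims it would set.
function issueClaims(attr, grantedScopes, attributes) {
  const { Scopes, LoginUser, setClaim, claims } = makeStubs(grantedScopes, attributes);
  buildCustomLogic(attr)(Scopes, LoginUser, setClaim);
  return claims;
}

// Constructed sample user; real attributes come from the AD forest selected on the Trust page.
const SAMPLE_USER = {
  userprincipalname: 'adele@example.com',
  samaccountname: 'adele',
  username: 'adele',
};

console.log(issueClaims('userprincipalname', ['openid', 'bizappcredvault'], SAMPLE_USER));
```

Run each variant against a user whose AD attributes you know, and compare the printed preferred_username with the name that user types into PVWA; if they differ, PAM will look up the wrong Vault user, so change the attribute, not the user.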

Step 5: Review the configuration and continue with PAM configuration.

Review your settings to make sure that you have configured everything covered in this procedure, then continue with Configure PAM .

Configure PAM

To complete the integration you need to perform the following configuration steps for PAM.

Step 1: Download and run the CyberArk Identity and PAS integration configuration script.

  1. Download the CyberArk Identity and PAM integration configuration script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl [PVWA URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] -cyberArkIdentityClientId [CyberArk Identity Client ID]

    The following parameters are required.

    portalUrl
      The URL for your PVWA instance, for example https://[put-your-subdomain-here]/PasswordVault.

    cyberArkIdentityMetadataUrl
      CyberArk Identity OpenID Connect metadata URL, for example https://<Identity-subdomain>/op/.well-known/openid-configuration. This value is shown in the CyberArk OIDC Trust app, on the Trust page under Identity Provider Configuration.

    cyberArkIdentityClientId
      CyberArk Identity OpenID Connect client ID. This value is shown in the CyberArk OIDC Trust app, on the Trust page under Identity Provider Configuration.

  3. When prompted, enter your PAM admin credentials.
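A consistency check on the values you pass to the script, as an added example that is not part of the CyberArk Marketplace scripts: a stand-alone Node.js snippet that derives the two URL forms the integration needs (bare PAM origin for the Trust page, /PasswordVault for the PowerShell scripts), sanity-checks an OIDC discovery document against the metadata URL, and inspects the payload of an ID token issued by the Trust app to confirm iss, aud and preferred_username are what PAM will receive. The discovery document, issuer, client ID and token below are constructed sample data, not values from any tenant; the token payload is decoded without signature verification, so this is a troubleshooting aid, not a substitute for the validation PVWA performs against jwks_uri.

```javascript
// Added example (not CyberArk's code). Constructed sample data throughout;
// claim and metadata field names are the standard OIDC ones.

// The Trust page wants the bare PAM origin, the scripts want .../PasswordVault.
// Reject plain http: credentials transit this URL.
function pamUrls(input) {
  const u = new URL(input);
  if (u.protocol !== 'https:') throw new Error('PVWA must be reached over https');
  return {
    resourceUrl: u.origin,                    // Resource application URL / Vault location URL
    portalUrl: `${u.origin}/PasswordVault`,   // -portalUrl / -pvwaUrl
  };
}

function hostOf(value) { try { return new URL(value).host; } catch { return null; } }
function isHttps(value) { try { return new URL(value).protocol === 'https:'; } catch { return false; } }

// Discovery document must be https, self-consistent (every endpoint on the issuer host),
// and served from the host it names as issuer; a mismatch usually means a mis-pasted URL.
function checkDiscovery(doc, metadataUrl) {
  const problems = [];
  const metaHost = hostOf(metadataUrl);
  if (!isHttps(metadataUrl)) problems.push('metadata URL is not https');
  const issuerHost = hostOf(doc.issuer);
  if (!issuerHost || !isHttps(doc.issuer)) problems.push('issuer missing or not an https URL');
  else if (issuerHost !== metaHost) problems.push(`issuer host ${issuerHost} differs from metadata host ${metaHost}`);
  for (const f of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    const h = hostOf(doc[f]);
    if (!h) problems.push(`${f} missing or not a URL`);
    else if (issuerHost && h !== issuerHost) problems.push(`${f} is not on the issuer host`);
  }
  const algs = doc.id_token_signing_alg_values_supported || [];
  if (!algs.includes('RS256')) problems.push('RS256 not advertised for ID tokens');
  return problems;
}

// Decode the payload segment of a compact JWS. No signature check: inspection only.
function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// iss must equal the discovery issuer, aud must name the Trust app client ID,
// and preferred_username must be the name PAM knows the user by (see the Tokens script).
function checkIdToken(payload, { issuer, clientId, expectedUsername, now }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss ${payload.iss} differs from ${issuer}`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) problems.push('aud does not contain the Trust app client ID');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('exp missing or in the past');
  if (payload.preferred_username !== expectedUsername) {
    problems.push(`preferred_username ${payload.preferred_username} is not the PAM user name ${expectedUsername}`);
  }
  return problems;
}

// ---- constructed sample data (hypothetical host, client ID and token) ----
const b64url = (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
function makeUnsignedSample(payload) {
  return `${b64url(JSON.stringify({ alg: 'RS256', kid: 'sample' }))}.${b64url(JSON.stringify(payload))}.sig`;
}
const SAMPLE_ISSUER = 'https://identity.example.com/';
const SAMPLE_METADATA_URL = 'https://identity.example.com/op/.well-known/openid-configuration';
const SAMPLE_CLIENT_ID = 'sample-oidc-trust-client-id';
const SAMPLE_DISCOVERY = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: 'https://identity.example.com/oauth2/authorize',
  token_endpoint: 'https://identity.example.com/oauth2/token',
  jwks_uri: 'https://identity.example.com/oauth2/keys',
  id_token_signing_alg_values_supported: ['RS256'],
};
const SAMPLE_TOKEN = makeUnsignedSample({
  iss: SAMPLE_ISSUER, aud: SAMPLE_CLIENT_ID, iat: 1700000000, exp: 1800000000,
  preferred_username: 'adele@example.com',
});

// Fixed "now" so the sample token is deterministically valid; use Date.now()/1000 for a real token.
function runChecks() {
  const problems = [
    ...checkDiscovery(SAMPLE_DISCOVERY, SAMPLE_METADATA_URL),
    ...checkIdToken(decodeJwtPayload(SAMPLE_TOKEN), {
      issuer: SAMPLE_ISSUER, clientId: SAMPLE_CLIENT_ID,
      expectedUsername: 'adele@example.com', now: 1750000000,
    }),
  ];
  return { ok: problems.length === 0, problems };
}

console.log(pamUrls('https://example.acme.com/PasswordVault/V10'), runChecks());
```

To use it against a real tenant, fetch the metadata URL from the Trust page, paste the JSON in place of SAMPLE_DISCOVERY, and paste an ID token captured from a test sign-in in place of SAMPLE_TOKEN; a preferred_username mismatch here is the usual cause of users not being found in the Vault after the integration is enabled. The same-host checks are a heuristic for a single-tenant setup and may need relaxing if your identity provider legitimately serves endpoints from several hosts.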

Step 2: Create a service user.

The service user manages the Vault content on behalf of the CyberArk Identity tenant. Instead of each user having their own Vault user, a single service user manages the Safes on behalf of all users in your CyberArk Identity tenant. This greatly increases the number of credentials that you can store in the PAM Vault.

  1. Download the script to create a service user from the CyberArk Marketplace.

  2. In PowerShell, run the following command.

    .\CreateWPMServiceUser.ps1 -pvwaUrl [PVWA URL]

    The following parameter is required.

    pvwaUrl
      The URL for your PVWA instance, for example https://[put-your-subdomain-here]/PasswordVault.

    The script creates the service user with the following Vault privileges.

    • Add Safes

    • Audit Users

    • Add/Update Users

    • Reset Users' Passwords

    • Activate Users

    By default, this service user becomes the owner of the following Safes.

    • the Safe named <tenant ID>, where <tenant ID> is your CyberArk Identity tenant ID; it stores application credentials added by administrators

    • the Safes named Identity_0000x, where x is incremented each time a new Safe is required; they store user-added credentials and Secured Items

    Each Safe can hold 20,000 accounts (application credentials or Secured Items), and you can have up to 20,000 Safes.

Step 3: Import the CyberArk WPM platform package into PAM.

The platform package for CyberArk WPM is required to store your users' business application credentials in the Privileged Access Manager self-hosted vault.

Refer to Manage platforms v10 interface for more information about platforms.

  1. Download the platform package from the CyberArk Marketplace.

  2. Import the platform package into the PVWA. For details, see Import a Platform Package.

Migration scenarios for existing user-added application credentials

CyberArk Identity supports the following two migration scenarios for user-added application credentials.

Migrating credentials for applications that you deployed and shared with the All users share one name option is not supported.

Scenario

Description

Existing CyberArk PAM customers with
business user credentials stored in the PAM Vault

Existing CyberArk customers who have their user credentials already stored in CyberArk PAM, can migrate to this solution without users re-registering their applications. When this solution is configured following the steps listed in previous sections and upon the first user sign in to the CyberArk Identity User Portal, user accounts stored in the CyberArk PAM are automatically migrated and represented as application tiles in the CyberArk Identity User Portal.

Only accounts that have a value for URL, username, and password (all three attributes) in the PAM Vault are considered for auto-migration. Also note that this scenario is limited to migrating the application account stored in the PAM Vault to the CyberArk Identity User Portal. User passwords remain in CyberArk PAM and are never copied over to CyberArk Identity.

If a migrated application has a corresponding application in the CyberArk Identity App Catalog, then the application is represented correctly, and users can launch and use the application without any additional configuration. If a migrated application does not have a corresponding application in the CyberArk Identity App Catalog, then the application is displayed with a generic application icon (see below).

In this case, CyberArk Identity does not auto-fill the credentials when users launch the application even when the application credentials are fetched from the Vault, since it does not have the login page information to auto-fill the username and password fields.

For applications migrated as a generic application, users can view and manually copy the credentials to the target web site to sign-in to the application. The Land & Catch feature (see Enable Land & Catch for your organization) of the CyberArk Identity Browser Extension captures the application login form details and offers the user the option to save the application in the User Portal. When a user saves the application, two tiles for the application are shown in the User Portal, the generic migrated application tile and the application tile captured using Land & Catch. Users can manually delete the generic application tile as needed and use the new application tile to launch the application. See Configure a generic application to auto-fill credentials at launch for details.

Existing CyberArk customers with
business user credentials stored in CyberArk Identity, but would like to move them to the PAM Vault

Existing CyberArk customers who have their user credentials stored in CyberArk Identity can migrate them to PAM Vault. When this solution is configured following the steps listed in the previous section, and on the first user launch of the CyberArk Identity User Portal, user credentials are read from CyberArk Identity and automatically migrated to the PAM Vault. Passwords are no longer stored in CyberArk Identity and are managed and fetched from the PAM Vault.