Configure SWS protections for applications

This topic describes how to configure SWS protections to work with any SSO web app and any non-CyberArk Identity IdP, such as Okta and Microsoft Azure.

For details on how to add SWS protections to CyberArk Identity SSO applications, see Enable Secure Web Sessions on CyberArk Identity SSO applications.

How it works

  1. The administrator creates a SAML-based application in the IdP for end users to access, and configures the application's SAML settings.

  2. The administrator modifies the SAML-based application with data provided from SWS.

  3. The end user logs in to the organization IdP (e.g. Okta, Microsoft Azure), and launches the target application that is integrated with SWS protection layers.

  4. The end user is redirected to the SWS security layers verification window.

  5. Upon successful verification, the application is launched with SWS security layers enforced, using the SWS extension browser.

Configure an application with SWS protections

In the SWS Admin portal, go to the Application policies page, and click Configure application to launch the wizard.

If you are adding an application policy for the first time, click Configure SWS protections for an app using any other IdP to launch the wizard.

You can click the Continue later button at the bottom of the wizard page at any time to save your progress as a draft.

Step 1: Set the general details

  1. Enter a meaningful name for the application. This name will appear in the SWS Admin portal.

  2. (Optional) Upload a logo for the application.

    • Maximum size - 150 KB.

    • Supported file formats - JPEG, PNG and BMP.

  3. Select your IdP, and click Next.

    After you proceed to the next step, you will not be able to edit the IdP selection.

Step 2: Get target application details

In this step you need to provide the application's SAML service provider metadata. The specific information and configuration field names might vary for each application.

  1. Upload the application service provider metadata using a URL or XML file, or manually enter the details.

    The following metadata needs to be provided from the target app:

    • Entity ID / Issuer / Audience

    • Assertion Consumer Service URL

    • Single Logout URL

    • Target application signing certificate (PEM or CER format)

    When you upload the metadata, the fields in the manual section are populated from it. These fields are read-only unless you select the manual radio button.

  2. Click Next.

Step 3: Get IdP SSO application details

In this step you need to provide the IdP SSO app metadata. The specific information and configuration field names might vary for each application.

  1. Upload the IdP SSO app metadata using a URL or XML file, or manually enter the details.

    The following metadata needs to be provided from the IdP:

    • Identifier

    • Login URL

    • Logout URL

    • Identity Provider signing certificate (PEM or CER format)

    When you upload the metadata, the fields in the manual section are populated from it. These fields are read-only unless you select the manual radio button.

  2. Click Next.
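Before uploading a metadata XML file in Step 2 or Step 3, it can help to confirm that the file actually carries the fields the wizard asks for. The following is an added example, not CyberArk code: it assumes the wizard fields correspond to the standard SAML 2.0 metadata elements (Entity ID / Identifier to `entityID`, Assertion Consumer Service URL to `AssertionConsumerService`, Login URL to `SingleSignOnService`, Logout URL to `SingleLogoutService`), and the function name and sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (hypothetical host, placeholder cert, no SingleLogoutService)
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RS
        VUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Location="https://app.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_metadata(xml_text):
    """Extract the fields the wizard asks for and list any that are absent."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    role = sp if sp is not None else root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SP or IdP role descriptor found")
    # SP: Assertion Consumer Service URL; IdP: Login (SingleSignOnService) URL
    endpoint = "md:AssertionConsumerService" if sp is not None else "md:SingleSignOnService"
    def location(tag):
        el = role.find(tag, NS)
        return el.get("Location") if el is not None else None
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        # A KeyDescriptor without a "use" attribute is valid for signing as well
        if kd.get("use") in (None, "signing") and cert is not None and cert.text:
            certs.append("".join(cert.text.split()))  # strip line wraps
    info = {"role": "SP" if sp is not None else "IdP",
            "entity_id": root.get("entityID"),
            "endpoint_url": location(endpoint),
            "logout_url": location("md:SingleLogoutService"),
            "signing_certs": certs}
    info["missing"] = [k for k, v in info.items() if not v]
    return info

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_SP))
```

A non-empty `missing` list means the corresponding wizard field will have to be entered manually or the metadata regenerated by the application or IdP.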

Step 4: Update IdP SSO app with details from SWS

In this step you need to copy and paste the SWS details into your IdP SSO application settings.

  1. Click Copy to clipboard to copy each of the details into your application settings.

    In the wizard, the diagram and highlighted areas indicate where to paste the details in your IdP settings (relevant for Okta and Microsoft Azure).

    When copying the custom UseCyberArkSWS attributes and claim statement into your IdP settings, make sure it is applied to your app users.

    User login requests to this application are routed through SWS, with protections applied and validated, only for users who have this custom attribute.

  2. When you've completed copying and pasting all the details, select the check box to confirm your IdP application details were updated.

  3. Click Next.

Step 5: Update target app (service provider) with details from SWS

In this step you need to copy and paste the SWS details into your target application settings (service provider).

  1. Click Copy to clipboard to copy each of the details into your application settings.

    In the wizard, the diagram and highlighted areas indicate where to paste the details in your application settings (relevant for Okta or Microsoft Azure).

  2. When you've completed copying and pasting all the details, select the check box to confirm your target application details were updated.

  3. Click Finish.

When all the steps are validated, all user login requests to this application are routed through Secure Web Sessions.

By default, only the Step Recording security layer is activated. To change the default, or add security layers for this app, see Edit security layers per application.