Create security policies for SAML claims

This topic describes how to add security policies for your 3rd party applications (non-Identity apps) by assigning security layers to users with pre-defined SAML claims from your IdP.

Overview

SWS enables you to add your pre-defined SAML claims that you configured in any SSO web app and any non-CyberArk Identity IdP, and apply security layers to users associated with the claim.

Claims are sorted by priority, which can then be changed as needed. This enables you to decide which SWS security policy takes effect first if a user appears in two or more claims.

The UseCyberarkSws claim is the primary claim that users need so that SWS protections are enforced on their sessions. This claim is added when configuring SWS policy for third-party apps. Any claims you add are in addition to the primary claim, enabling you to create more granular security policies.

Add claims

  1. From the Secure Web Sessions portal, go to the Application policies page, and select a 3rd-party application (non-Identity application).

  2. Click Add.

  3. In the Claim name field, add the name of your SAML claim after UseCyberarkSws +. The name must be identical to the name you put in your IdP and is case sensitive.

  4. In the Value field, enter the value you put in your IdP. The value must be identical to the value you put in your IdP.

    If you have a list of values in your IdP claim, at least one value from the list needs to be identical.

  5. Click Save.

    The new claim is added to the table with its details, and a number representing its priority. Security policies take effect according to this priority should a user appear in two or more claims.

  6. To reorder a claim, go to the claims table and drag-and-drop the claim to the position in the sequence where you want it to take effect.

Set security layers for claims

  1. Go to the Application policies page, and select a 3rd-party application (non-Identity application).

  2. Click the row of the claim for which you want to set the security layers.

  3. Enable or disable the security layers as required, and click Save.
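The matching rules from the two procedures above (name and value identical and case sensitive, at least one value from a multi-valued claim, the primary claim required, and the highest-priority matching claim deciding the security layers) as an added illustrative model. This is not CyberArk's SWS code; the attribute names, the security-layer names and the "true" value for UseCyberarkSws are assumptions made for the example.

```python
# Illustrative model of the claim-matching rules described on this page.
# Constructed for this example: it is not CyberArk's SWS implementation,
# and the layer names and the assumed "true" value are placeholders.
PRIMARY_NAME = "UseCyberarkSws"
PRIMARY_VALUE = "true"            # assumption: the page names the claim, not its value
PRIMARY_LAYERS = {"recording": True, "clipboard_block": False}  # placeholder layer names

# Additional claims in priority order (row 1 first), each with its own layers.
RULES = [
    ("groups", "Admins",      {"recording": True, "clipboard_block": True}),
    ("groups", "Contractors", {"recording": True, "clipboard_block": False}),
    ("department", "Finance", {"recording": False, "clipboard_block": True}),
]


def claim_matches(attributes, name, value):
    """True when the assertion carries an attribute whose name is identical
    (case-sensitive) to the rule and at least one of its values is identical."""
    values = attributes.get(name)           # dict lookup is already case-sensitive
    if values is None:
        return False
    if isinstance(values, str):             # single-valued attribute
        values = [values]
    return any(v == value for v in values)  # no lower(), no strip(): exact match only


def resolve_policy(attributes, rules=RULES):
    """Return the security layers that apply to this user's session.
    None means the primary claim is missing, so SWS protections are not enforced;
    otherwise the first (highest-priority) matching additional claim wins,
    falling back to the primary claim's layers when none of them match."""
    if not claim_matches(attributes, PRIMARY_NAME, PRIMARY_VALUE):
        return None
    for name, value, layers in rules:
        if claim_matches(attributes, name, value):
            return layers
    return PRIMARY_LAYERS


# Constructed sample attribute sets, shaped like the attributes of an IdP assertion.
CONTRACTOR = {PRIMARY_NAME: "true", "groups": ["Finance", "Contractors"]}
CASE_MISMATCH = {PRIMARY_NAME: "true", "department": "finance"}   # "finance" != "Finance"
NO_PRIMARY = {"groups": ["Admins"]}

if __name__ == "__main__":
    for label, attrs in [("contractor", CONTRACTOR), ("case_mismatch", CASE_MISMATCH),
                         ("no_primary", NO_PRIMARY)]:
        print(label, resolve_policy(attrs))
```

A user whose assertion matches both the Admins and Contractors rows gets the Admins layers, because that row sits higher in the priority order.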

Edit claims

The UseCyberarkSws claim is the primary claim that users need so that SWS protections are enforced on their sessions. Therefore, you can edit the security layers applied to the primary claim, but you cannot edit its name or value, and it cannot be deleted.

Any additional claims you add can be fully edited or deleted.

To edit claims

  1. Go to the Application policies page, and select a 3rd-party application (non-Identity application).

  2. Click the row of the claim you want to edit.

  3. Edit the claim name or value, and click Save. The name and value must be identical to the name and value from your IdP. If you have a list of values in your IdP claim, at least one value from the list needs to be identical.