Configure SWS policy for third-party IdP apps

This topic describes how to configure protections via the SWS Authentication Router to work with any SSO web app and any non-CyberArk Identity IdP, such as Okta and Microsoft Azure.

For details on how to add SWS protections to CyberArk Identity SSO applications, see Configure SWS policy for CyberArk Identity SSO apps.

How it works

  1. The administrator creates a SAML-based application in the IdP for end users to access, and configures the application's SAML settings.

  2. The administrator modifies the SAML-based application with data provided from SWS.

  3. The end user logs in to the organization IdP (e.g. Okta, Microsoft Azure), and launches the target application that is integrated with SWS protection layers.

  4. The end user is redirected to the SWS security layers verification window.

  5. Upon successful verification, the application is launched with SWS security layers enforced, using the SWS extension browser.

Configure an application with SWS protections

In the SWS Admin portal, go to the Application policies page, and click Configure application to launch the wizard.

If you are adding an application policy for the first time, click Configure SWS protections for an app using any other IdP to launch the wizard.

You can click the Continue later button at the bottom of the wizard page at any time to save your progress as a draft.

Step 1: Set the general details

  1. Enter a meaningful name for the application. This name will appear in the SWS Admin portal.

  2. (Optional) Upload a logo for the application.

    • Maximum size - 150 KB.

    • Supported file formats - JPEG, PNG and BMP.

  3. Select your IdP, and click Next.

    After you proceed to the next step, you will not be able to edit the IdP selection.

Step 2: Get target application details

In this step you need to provide the target application (Service Provider) SAML details. The specific values and configuration field names might vary for each application.

  1. Upload the application service provider metadata using a URL or XML file, or manually enter the details.

    The following values need to be provided from the target app:

    • Entity ID / Issuer / Audience

    • Assertion Consumer Service URL

    • Single Logout URL

    • Target application signing certificate (PEM or CER format)

    When you upload the metadata, the details in the manual section are automatically populated. These details are read-only, unless you select the manual radio button.

  2. Click Next.

Step 3: Get IdP SSO application details

In this step you need to provide the IdP SSO app metadata. The specific information and configuration field names might vary for each application.

Okta

  1. Log in to Okta as an admin.

  2. Go to Applications, and select an application.

  3. Select the Sign On tab. On the right side of the page, click the View SAML setup instructions button.

  4. Copy the following data.

    • Identity Provider Single Sign-On URL

    • Identity Provider Issuer

    • (Optional) Identity Provider Single Logout URL

    • Identity provider signing certificate

  5. Go to the SWS portal, and upload the IdP SSO app metadata using a URL or XML file, or manually enter the details.

    When you upload the metadata, the details in the manual section are automatically populated. These details are read-only, unless you select the manual radio button.

  6. Click Next.

Microsoft Azure

  1. Log in to Microsoft Azure as an admin.

  2. Go to the Enterprise applications service and select an SSO application.

  3. Open the Set up single sign-on tile.

  4. From section 3, SAML Certificates, download the identity provider signing certificate.

  5. From section 4, Set up <app name>, copy the following data.

    • Login URL

    • Azure AD Identifier

    • (Optional) Logout URL

  6. Go to the SWS portal, and upload the IdP SSO app metadata using a URL or XML file, or manually enter the details.

    When you upload the metadata, the details in the manual section are automatically populated. These details are read-only, unless you select the manual radio button.

  7. Click Next.

Other IdP

  1. Log in to your IdP as an admin.

  2. Copy the following data.

    • IdP entity ID

    • Single Sign On URL

    • Single Logout URL

    • Identity provider signing certificate

  3. Go to the SWS portal, and upload the IdP SSO app metadata using a URL or XML file, or manually enter the details.

    When you upload the metadata, the details in the manual section are automatically populated. These details are read-only, unless you select the manual radio button.

  4. Click Next.

Step 4: Update IdP SSO app with details from SWS

In this step, you need to copy the values from the SWS portal, and then paste them into your IdP SSO application settings.

In the wizard, you can refer to the diagram and its highlighted areas to see where to paste each detail in your IdP settings (relevant for Okta and Microsoft Azure).

Okta

  1. Log in to Okta as an admin.

  2. Go to Applications, and select an application.

  3. Select the General tab and click Edit in the SAML Settings section. Click Next to go to step 2, Configure SAML.

  4. Copy the following values from the SWS wizard, and paste them in Okta.

    • Single sign on URL

    • Audience URI (SP Entity ID)

    • Signature certificate - Click Show Advanced Settings to show the Signature Certificate field.

    • Single Logout URL - Make sure the Allow application to initiate Single Logout check box is selected to show this value.

    • Attributes and claims - Scroll down the page to the Attribute Statements section, and add the UseCyberarkSws claim with Value = Yes.

      The UseCyberarkSws claim is the primary claim that must be applied in order for SWS protections to be applied to users of this application. After you copy the claim, make sure it is applied to your app users. Login requests to this application are routed through SWS, and its protections applied and validated, only for the users that have this custom attribute.

      For information about applying claims to specific users and groups, see Enable SWS protections for specific groups in IdP.

  5. Go to the SWS portal. Select the check box to confirm the IdP application details were updated.

  6. Click Next.

Microsoft Azure

  1. Log in to Microsoft Azure as an admin.

  2. Go to the Enterprise applications service and select an SSO application.

  3. Open the Set up single sign-on tile.

  4. Copy the following values from the SWS wizard, and paste them in Azure.

    • Identifier (Entity ID)

    • Reply URL (Assertion consumer service URL)

    • Logout URL

    • Attributes & Claims - Add the UseCyberarkSws claim with Value = Yes.

      The UseCyberarkSws claim is the primary claim that must be applied in order for SWS protections to be applied to users of this application. After you copy the claim, make sure it is applied to your app users. Login requests to this application are routed through SWS, and its protections applied and validated, only for the users that have this custom attribute.

      For information about applying claims to specific users and groups, see Enable SWS protections for specific groups in IdP.

  5. Go to the SWS portal. Select the check box to confirm the IdP application details were updated.

  6. Click Next.

Other IdP

  1. Log in to your IdP as an admin.

  2. Paste the following SWS values into your IdP SSO application settings.

    • SAML Issuer ID

    • Single Sign On URL

    • SAML Single Logout

    • Signature certificate

    • Attributes & Claims - Add the UseCyberarkSws claim with Value = Yes.

      The UseCyberarkSws claim is the primary claim that must be applied in order for SWS protections to be applied to users of this application. After you copy the claim, make sure it is applied to your app users. Login requests to this application are routed through SWS, and its protections applied and validated, only for the users that have this custom attribute.

      For information about applying claims to specific users and groups, see Enable SWS protections for specific groups in IdP.

  3. Go to the SWS portal. Select the check box to confirm the IdP application details were updated.

  4. Click Next.
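All three IdP sections above state the same routing rule: a login request is sent through SWS only for users whose assertion carries the UseCyberarkSws claim with Value = Yes. The script below is an added example of that check, written to make the rule concrete; it is not the SWS Authentication Router's implementation and is not CyberArk code. The SAML responses, the issuer and the user names are constructed, and the case-insensitive comparison of the value is an assumption. It distinguishes three cases a practitioner will meet when validating the claim mapping: the claim present with Yes, the claim absent (the attribute statement was not applied to that user), and the claim present with another value.

```python
"""Route decision on the UseCyberarkSws claim described in Step 4.

Added example, not CyberArk or SWS code. The SAML responses are constructed, and
comparing the claim value case-insensitively is an assumption."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SWS_CLAIM = "UseCyberarkSws"


def _response(subject, attributes):
    """Build a constructed SAML Response for the demo (no Signature element)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


ATTR = ('<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>")

# Constructed inputs: claim applied, claim not applied, claim applied with another value.
PROTECTED_USER = _response("alice@example.test",
                           ATTR.format(name="email", value="alice@example.test")
                           + ATTR.format(name=SWS_CLAIM, value="Yes"))
UNPROTECTED_USER = _response("bob@example.test",
                             ATTR.format(name="email", value="bob@example.test"))
OPTED_OUT_USER = _response("carol@example.test",
                           ATTR.format(name=SWS_CLAIM, value="No"))


def attribute_values(response_xml):
    """Map attribute Name -> list of values across every Assertion in the Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML Response")
    values = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        for v in attr.findall("saml:AttributeValue", NS):
            values.setdefault(attr.get("Name"), []).append((v.text or "").strip())
    return values


def sws_routing_decision(response_xml):
    """Precondition: the caller has already verified the IdP signature on this
    response against the certificate collected in Step 3. Attributes in an
    unverified response are untrusted input and must not drive routing."""
    root = ET.fromstring(response_xml)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    claim_values = attribute_values(response_xml).get(SWS_CLAIM, [])
    return {
        "subject": name_id.text if name_id is not None else None,
        "claim_present": bool(claim_values),
        "route_through_sws": any(v.lower() == "yes" for v in claim_values),
    }


if __name__ == "__main__":
    for resp in (PROTECTED_USER, UNPROTECTED_USER, OPTED_OUT_USER):
        print(sws_routing_decision(resp))
```

The `claim_present` field is the one to look at when a user who should be protected is not being redirected to the SWS verification window: `False` means the attribute statement was never applied to that user in the IdP, which is the condition the sections above warn about, while `True` with `route_through_sws` being `False` means the claim reached the assertion but with a value other than Yes.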

Step 5: Update target app with details from SWS

In this step you need to copy the SWS details and paste them into your target application settings (Service Provider). The specific values and configuration field names might vary for each application.

  1. Click Copy to clipboard to copy each of the details into your application settings.

    The following values need to be updated in the target app:

    • Entity ID / Issuer / Audience

    • Single sign on URL

    • Single logout URL

    • IdP signing certificate from SWS

  2. From the SWS portal, select the check box to confirm target application details were updated.

  3. Click Finish.

When all the steps are validated, all user login requests to this application are routed through Secure Web Sessions.

By default, only the Step Recording security layer is activated. To change the default, or add security layers for this app, see Edit security layers per application.