Activate Secure Web Sessions
This topic describes how to integrate CyberArk Identity with Secure Web Sessions (SWS), and to enable SWS protections for CyberArk Identity applications.
Before you begin
The following procedures assume you have all the proper entitlements enabled for CyberArk Identity and SWS. For information on entitlements required to enable this feature, contact your CyberArk Account Representative.
After the Secure Web Sessions entitlement is enabled in your CyberArk Identity tenant, you'll see the following changes in the CyberArk Identity Admin Portal. These changes support the CyberArk Identity integration with SWS.
CyberArk Identity Admin Portal Change
|New SAML Web App added to the App Catalog:
CyberArk Secure Web Sessions Portal
This SAML web app provides administrator access to the Secure Web Sessions Portal through the portal switcher. The CyberArkSecure Web Sessions Portal application is automatically deployed to the following roles and does not require any action from you:
The following roles are added to CyberArk Identity Admin Portal > Roles:
Secure Web Sessions uses the sws-integration-user@<mysuffix> credentials to integrate with CyberArk Identity and to call CyberArk Identity APIs.
Note: Do not delete this user. Deleting it breaks the integration with SWS.
For more information, see Download the CyberArk Mobile app.
Configure CyberArk Identity and Secure Web Sessions integration
This section describes how to configure initial settings in CyberArk Identity to integrate with CyberArk Secure Web Sessions. To perform the following steps, you must be a user in the CyberArk Identity System Administrator role.
Step 1: Set a password for the SWS integration service user in the CyberArk Identity Admin Portal
In the CyberArk Identity Admin Portal, go to Core Services > Users > Sets and select All Service Users to filter the user list.
Right-click sws-integration-user$@<mySuffix>, then click Set Password and configure a password.
The Secure Web Sessions portal requires this password during integration set up.
When you receive the SWS activation message in your welcome email, click the activation link on your computer, then click Agree and generate QR code.
Using the CyberArk Mobile app, scan the QR code displayed on your computer screen, and click Sign in.
Scan the QR code to sign in to the Secure Web Sessions portal.
Configure the following fields in the Secure Web Sessions portal using settings from the CyberArk Identity Admin portal:
SWS portal field
Setting from the CyberArk Identity Admin portal
CyberArk Identity URL
The URL of the CyberArk Identity tenant. For example, aaa1234.id.cyberark.cloud.
To find the URL, go to Settings > Customizations > Tenant URLs.
You must use the CyberArk Identity URL with the tenant ID. Custom domains are not supported.
To find the CyberArk Identity tenant ID, click the user icon in the top right-hand corner, then click About,
Identity service user login name and Suffix
The login name and suffix for the integration service user in the CyberArk Identity Admin portal.
Select Core Services > Users > Sets and select All Service Users to filter the user list and then search for sws-integration-user$@<mySuffix>. Enter the name and the suffix in the SWS portal.
For more information about the login suffix, see Manage login suffixes.
The password you set previously for the sws-integration-user$@<mySuffix> user in the CyberArk Identity Admin portal.
Click Authenticate to CyberArk Identity.
The SWS security layers can work with any application type created in CyberArk Identity and can be enforced for any application where CyberArk Identity SSO is the IdP.
This section describes how to activate SWS protections for CyberArk Identity SSO applications only.
To configure SWS protections for applications using other IdPs, such as Okta and Microsoft Azure, see Configure SWS policy for third-party IdP apps
In CyberArk Identity Admin Portal > Web Apps, select the application where you want to enable SWS.
To add new web applications from the CyberArk Identity App catalog, see Add CyberArk Identity Web Apps.
Click the Secure Web Sessions page, select Enable Secure Web Sessions, and then click OK at the confirmation message.
It can take up to 15 minutes to sync the application with SWS. If you want to begin configuring SWS policies right away, you can go to the SWS Admin portal and click the Sync button on the Application policies page.
Refer to Manage application policies for details about managing policies.
After you enable SWS for an application, CyberArk Identity displays the SWS icon in the User Portal application tile. SWS-enabled applications are also visible in the Secure Web Sessions portal.
Apps that have Secure Web Sessions enabled are not available from the CyberArk Identity mobile app. Secure Web Sessions uses a browser extension that cannot be used on mobile devices.