Activate Secure Web Sessions
This topic describes how to integrate CyberArk Identity with Secure Web Sessions (SWS) and how to enable SWS protections for CyberArk Identity applications.
Before you begin
The following procedures assume you have all the proper entitlements enabled for CyberArk Identity and SWS. For information on entitlements required to enable this feature, contact your CyberArk Account Representative.
After the Secure Web Sessions entitlement is enabled in your CyberArk Identity tenant, you'll see the following changes in the CyberArk Identity Admin Portal. These changes support the CyberArk Identity integration with SWS.
CyberArk Identity Admin Portal Change | Description |
---|---|
New SAML Web App added to the App Catalog: CyberArk Secure Web Sessions Portal | This SAML web app provides administrator access to the Secure Web Sessions Portal through the portal switcher. The CyberArk Secure Web Sessions Portal application is automatically deployed to the following roles and does not require any action from you: |
New roles: SWS Admin, SWS Auditor | The following roles are added to CyberArk Identity Admin Portal > Roles: |
New user: | Secure Web Sessions uses the sws-integration-user@<mysuffix> credentials to integrate with CyberArk Identity and to call CyberArk Identity APIs. Note: Do not delete this user. Deleting it breaks the integration with SWS. |
For more information, see Download the CyberArk Mobile app.
Configure CyberArk Identity and Secure Web Sessions integration
This section describes how to configure initial settings in CyberArk Identity to integrate with CyberArk Secure Web Sessions. To perform the following steps, you must be a user in the CyberArk Identity System Administrator role.
Step 1: Set a password for the SWS integration service user in the CyberArk Identity Admin Portal
- In the CyberArk Identity Admin Portal, go to Core Services > Users > Sets and select All Service Users to filter the user list.
- Right-click sws-integration-user$@<mySuffix>, then click Set Password and configure a password.
  The Secure Web Sessions portal requires this password during integration setup.
Step 2: Activate the SWS tenant, and configure CyberArk Identity settings in the SWS portal
- When you receive the SWS activation message in your welcome email, click the activation link on your computer, then click Agree and generate QR code.
- Using the CyberArk Mobile app, scan the QR code displayed on your computer screen, and click Sign in.
- Scan the QR code to sign in to the Secure Web Sessions portal.
- Configure the following fields in the Secure Web Sessions portal using settings from the CyberArk Identity Admin portal:
SWS portal field | Setting from the CyberArk Identity Admin portal |
---|---|
CyberArk Identity URL | The URL of the CyberArk Identity tenant. For example, aaa1234.id.cyberark.cloud. To find the URL, go to Settings > Customizations > Tenant URLs. You must use the CyberArk Identity URL with the tenant ID. Custom domains are not supported. To find the CyberArk Identity tenant ID, click the user icon in the top right-hand corner, then click About. |
Identity service user login name and Suffix | The login name and suffix for the integration service user in the CyberArk Identity Admin portal. Go to Core Services > Users > Sets, select All Service Users to filter the user list, and then search for sws-integration-user$@<mySuffix>. Enter the name and the suffix in the SWS portal. For more information about the login suffix, see Manage login suffixes. |
Secret | The password you set previously for the sws-integration-user$@<mySuffix> user in the CyberArk Identity Admin portal. |
- Click Apply.
- Click Authenticate to CyberArk Identity.
Configure SWS policy for CyberArk Identity SSO apps
After you set up CyberArk Identity and integrate it with SWS, you can enable SWS for individual applications in CyberArk Identity Admin Portal > Web Apps.
The SWS security layers can work with any application type created in CyberArk Identity and can be enforced for any application where CyberArk Identity SSO is the IdP.
This section describes how to activate SWS protections for CyberArk Identity SSO applications only.
To configure SWS protections for applications using other IdPs, such as Okta and Microsoft Azure, see Configure SWS policy for third-party IdP apps.
- In CyberArk Identity Admin Portal > Web Apps, select the application where you want to enable SWS.
  To add new web applications from the CyberArk Identity App catalog, see Add CyberArk Identity Web Apps.
- Click the Secure Web Sessions page, select Enable Secure Web Sessions, and then click OK at the confirmation message.
- Click Save.
It can take up to 15 minutes to sync the application with SWS. If you want to begin configuring SWS policies right away, you can go to the SWS Admin portal and click the Sync button on the Application policies page.
Refer to Manage application policies for details about managing policies.
After you enable SWS for an application, CyberArk Identity displays the SWS icon in the User Portal application tile. SWS-enabled applications are also visible in the Secure Web Sessions portal.
Apps that have Secure Web Sessions enabled are not available from the CyberArk Identity mobile app. Secure Web Sessions uses a browser extension that cannot be used on mobile devices.