CyberArk Endpoint Privilege Manager SAML Single Sign-On (SSO)


CyberArk Endpoint Privilege Manager (EPM) helps to remove the barriers to enforcing least privilege and allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privilege security, application control and credential theft prevention reduces the risk of malware infection.

SP-initiated SSO for CyberArk EPM is automatically enabled when the SAML feature is activated.

If CyberArk EPM is the first application you are configuring for SSO through CyberArk Identity, read these topics before you get started:

CyberArk EPM requirements

Before you configure the CyberArk EPM web application for SSO, you need the following:

  • An active CyberArk EPM account with administrator access.

  • An additional user with administrator access enabled for SSO.

    This is necessary because making the account owner an SSO user creates the risk of account lockout if there is an SSO failure. Specifying a different user as the SSO user ensures that you can always log in as the account owner, as long as you have the password.

    If you set Lock EPM login URL for users and redirect to IDP authentication to All Users, even the additional admin could be locked out. CyberArk recommends selecting All users, beside account admin or None.
  • A signed certificate.

    You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

Configure CyberArk EPM for single sign-on

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Identity Administration portal, see Configure optional application settings.

  1. Download the signing certificate and convert it from the CER format to the DER format.

    1. In the Identity Provider Configuration area of the Trust page, expand the certificate area and select the certificate that you want to use for the application, then click Download.

    2. Open the certificate file on a Windows machine, then go to the Details tab and click Copy to File....

      The Certificate Export Wizard opens.

    3. Select DER encoded binary X.509 (.CER), then click Next.
    4. Enter a filename for the converted certificate, then click Next.
    5. Click Finish to complete the export.

      If you need to convert the certificate file from a Mac, use the following command in a terminal window.

      openssl x509 -in <certificatename>.cer -outform DER -out <certificatename>.cer
  2. Open a new tab in your web browser.

    It is helpful to open the CyberArk EPM web application and the Identity Administration portal simultaneously to copy and paste settings between the two browser windows.
  3. Log in to the CyberArk EPM console as an account administrator.

  4. In the CyberArk EPM console, go to Administration > SAML Integration, then scroll to the IDP Server Configuration section.

  5. In the Identity Administration portal, copy the following values from the manual Identity Provider configuration section of the Trust page and paste them in the corresponding fields in the CyberArk EPM management console.

    • IDP Issuer URL

    • IDP Single Sign On URL
    • IDP Single Logout URL

  6. Upload the DER format version of the tenant signing certificate to the EPM management console.
  7. In the EPM management console, scroll to EPM Login Configuration and enter the following values.

    Value Description
    Organization Identifier

    A string that uniquely identifies your account. This string is added to the EPM service provider Entity ID and turns it into a unique EPM login URL for your organization. The recommended value is your organization's shortened name or abbreviation.

    This value is case-sensitive.

    EPM Login URL This value is generated using the Organization Identifier you entered. This is your SP-initiated SSO URL.
  8. Specify an option for Lock EPM login URL for users and redirect to IDP authentication.

    If you set Lock EPM login URL for users and redirect to IDP authentication to All Users, even the additional admin could be locked out. CyberArk recommends selecting All users, beside account admin or None.
  9. For EPM Logout URL, choose a URL that you want users to be redirected to after they log out from CyberArk EPM.

    You may use the IdP Single Logout URL here if you want EPM users to be redirected to CyberArk Identity after logout.

  10. Click Save, located at the top right corner.

    If this is your first time configuring SAML in CyberArk EPM, some sections now have contents generated.

  11. Go to the EPM Service Provider section, then click Download Configuration XML.

  12. In the Identity Administration portal, go to the metadata Service Provider Configuration section and upload the configuration xml file.

  13. Deploy the application by setting permissions on the application.

    1. On the Permissions page, click Add.

    2. Select the user(s), group(s), or role(s) that you want to grant permissions to, then click Add.

      The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.

    3. Select the permissions you want and click Save.

      Default permissions automatically deploy the application to the User Portal if the Show in user app list option is selected on the Settings page. Do not select this option if you intend to use only SP-initiated SSO.

      Change the permissions if you want to add additional control or if you prefer not to automatically deploy the application.

  14. Click Save in both the Identity Administration portal and CyberArk EPM's SSO Configuration screen.

CyberArk EPM specifications

Each SAML application is different. The following table lists features and functionality specific to CyberArk EPM.



Support details

SP-initiated SSO



IdP-initiated SSO



Force user login via SSO only

Yes - Optional

The EPM management console has an option to enforce SSO for all users, all users except the account admin, or no users.

Separate administrator login
after SSO is enabled



User or Administrator lockout risk

Yes - Situational

There is a lockout risk if you configure the EPA management console to enforce SSO for all users.

Just-In-Time provisioning



Multiple User Types


Available users types are:

  • Account Admin (can be excluded from SSO)
  • non-admin users

Self-service password