Federate with Azure Active Directory using SAML

CyberArk supports single sign-on (SSO) from Azure Active Directory (AAD) through SAML. This topic describes how to integrate CyberArk Identity with Azure AD for SSO. CyberArk Identity supports both Identity Provider and Service Provider-initiated SSO.

Add Azure AD as an external IdP

Step 1: Configure settings in CyberArk

  1. Go to Settings > Users > External Identity Providers, then click Add.

  2. Enter a unique name for this configuration.

  3. Go to the Routing Rules tab and add a unique domain name to the Federation Domains table.

    The federated domain is likely your organization's email domain.

    The domain name must match the AAD domain that you are integrating with. For example, if you sign in to Azure AD as user@example.com, then add example.com under Federation Domains. With this domain added, when users sign in to CyberArk Identity (an SP-initiated flow) it detects the domain suffix of the username and redirects the user to Azure AD (the IdP) for authentication.

Step 2: Configure group mappings in CyberArk

  1. Click Group Mappings, then click Add to create an Azure AD to CyberArk group mapping.

  2. Enter the Azure AD group object ID that you want to map into the Group Attribute Value field.

    To find the Azure group object ID, log in to the Azure portal, navigate to Groups, and select the group you want to map. Copy the Object ID string and paste it into the Group Attribute Value text field in CyberArk Identity.

  3. Enter a CyberArk group name in the Group Name text field to create a group object in CyberArk.

    The group name assigns federated users to roles or apps in CyberArk Identity. Each group needs to be a member of at least one role in your CyberArk tenant.

Do not click Inbound Metadata. Skip to Outbound Metadata.

Step 3: Export outbound metadata from CyberArk

  1. Click Outbound Metadata to provide SAML configuration settings for Azure AD.

  2. Click Option 2: Download Service Provider Metadata > Download Metadata.

    Do not click Save.

Step 4: Configure a new enterprise application in the Azure portal

  1. Open a new browser window and log in to Azure portal.

  2. Go to Enterprise Applications > New application > Create your own application.

  3. Enter the application name, select Integrate any other application you don't find in the gallery (Non-gallery), click Create, then assign users and/or groups to this application.

  4. Go to Users > Add users and groups and select the users or groups that will log in to CyberArk Identity.

  5. Go to Single sign-on > SAML > Upload metadata file, select the CyberArk metadata file you downloaded, click Add, then click Save.

    If you are prompted to test the SSO, click No, I'll test later.

  6. Go to Attributes & Claims > Add new claim, then enter UserPrincipalName in the Name text field.

  7. Select user.userprincipalname in Source attribute, then click Save.

  8. (Optional) Add the following:

    Name          Source attribute
    MobileNumber  user.mobilephone
    OfficeNumber  user.telephonenumber

  9. Click Add a group claim then select the group type for the group you want to map to CyberArk Identity. For example, Security groups.

  10. Expand Advanced options, then select Customize the name of the group claim, type group in the name text field, and click Save.

  11. Go to SAML Certificates and copy the App Federation Metadata URL.

Step 5: Configure inbound metadata in CyberArk

Return to the CyberArk Identity Administration portal, click Inbound Metadata, then paste the App Federation Metadata URL in the Option 1: Upload IDP configuration from URL text field, and click Save.

Step 6: Configure login hint in CyberArk Identity

This setting automatically enters the username in the Microsoft login page when you perform an SP-initiated logon from CyberArk. With this setting, users do not have to type the username twice, once in CyberArk and again in the Microsoft sign-in page.

  1. Edit the saved configuration External IdP setting for Azure AD and navigate to Inbound Metadata.

  2. Select Option 3: Manual Configuration.

  3. Add /?login_hint=[username] to the end of the Identity Provider Login URL and click Save.

Step 7: Allow API calls from Azure AD

  1. Go to Settings > Authentication > Security Settings > API Security > Allowed Domain, and click Add.

  2. Enter login.microsoftonline.com, click Add, then click Save.

    If Microsoft Defender for Cloud Apps is enabled, add *.mcas.ms, *.mcas-gov.us, or *.mcas-gov.ms as allowed domains.
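As an added example (not CyberArk's or Microsoft's own code), the following Python models the pieces this procedure wires together: the federation-domain routing rule from Step 1 with the login_hint appended as in Step 6, extraction of the UserPrincipalName and group claims configured in Step 4, and the object-ID-to-group-name mapping from Step 2. The SAML assertion, group object IDs, group names, and IdP URL are constructed placeholders, not values from a real tenant.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def route_login(username: str, federation_domains: set[str], idp_login_url: str) -> str | None:
    """SP-initiated routing rule (Step 1): if the user's domain suffix is federated, send the
    user to the IdP login URL with login_hint appended (Step 6); otherwise return None (local login)."""
    _, _, domain = username.rpartition("@")
    if domain.lower() not in federation_domains:
        return None
    return f"{idp_login_url.rstrip('/')}/?login_hint={quote(username)}"

def claims_from_assertion(xml_text: str) -> dict[str, list[str]]:
    """Collect every attribute in the AttributeStatement by Name; the group claim may carry many values."""
    root = ET.fromstring(xml_text)
    claims: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims

def map_groups(claims: dict[str, list[str]], group_mappings: dict[str, str]) -> list[str]:
    """Translate Azure AD group object IDs in the claim named 'group' (Step 4, item 10) to CyberArk
    group names (Step 2). Unmapped object IDs are dropped, so they grant no role in CyberArk."""
    return sorted(group_mappings[g] for g in claims.get("group", []) if g in group_mappings)

# Constructed sample assertion carrying the claims configured in Step 4 (not a real response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="UserPrincipalName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Placeholder mapping: Azure AD group object ID -> CyberArk group name (only one ID is mapped).
GROUP_MAPPINGS = {"00000000-0000-0000-0000-000000000001": "AAD-Privileged-Users"}

if __name__ == "__main__":
    print(route_login("alice@example.com", {"example.com"}, "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"))
    claims = claims_from_assertion(SAMPLE_ASSERTION)
    print(claims["UserPrincipalName"], map_groups(claims, GROUP_MAPPINGS))
```

Running it shows the login_hint URL for a federated user, None for a user whose domain is not in the Federation Domains table, and that the second, unmapped group object ID yields no CyberArk group.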