Shared logon authentication

Shared authentication is based on a user credential file that is stored in the PVWA web server. During shared authentication, only the user defined in the credential file can log on to the PVWA, but multiple users can use the logon token.

This type of authentication requires the application using the REST services to manage the users as the Vault can't identify which specific user performs each action.

Multiple concurrent connections can be created using the same token, without affecting each other.

The shared user is defined in a user credential file, whose location is specified in the WSCredentialFile parameter, in the appSettings section of the PVWA web.config file:

<add key="WSCredentialFile" value="C:\CyberArk\Password Vault Web Access\CredFiles\WSUser.ini"/>

  • Make sure that this user can access the PVWA interface.
  • Make sure the user only has the permissions in the Vault that they require.

Securing application-to-REST communication

When using Shared Logon Authentication, we recommend securing the connections between the requesting application and the REST Web Services with Client Authentication.

In addition to SSL, use Client Authentication to authenticate the requesting application using a client certificate.
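The two points above, a shared token that the Vault cannot attribute to individual users and a client certificate presented by the application, as an added example that is not part of the CyberArk documentation. It assumes a hypothetical PVWA base URL and an illustrative REST path, that the logon token travels in the Authorization header, and that the calling application already knows which of its own end users is behind each request; the demo replaces the network transport with a fake so it runs offline.

```python
import json
import ssl
import threading
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

PVWA_BASE = "https://pvwa.example.internal/PasswordVault"  # hypothetical, constructed

def client_tls_context(cert_pem, key_pem, ca_pem=None):
    """TLS context presenting the application's client certificate (Client Authentication on top of SSL)."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)
    return ctx

def urllib_sender(ctx):
    """Transport that sends JSON requests over the mutually authenticated TLS connection."""
    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    return send

class SharedLogonClient:
    """One shared logon token reused concurrently; the application, not the Vault, attributes calls to end users."""
    def __init__(self, token, send):
        self._token, self._send = token, send
        self._lock = threading.Lock()
        self.audit = []  # application-side attribution trail

    def call(self, end_user, method, path, body=None):
        headers = {"Authorization": self._token, "Content-Type": "application/json"}  # assumed token header
        status, payload = self._send(method, PVWA_BASE + path, headers, body)
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "end_user": end_user,
                 "method": method, "path": path, "status": status}
        with self._lock:  # the audit list is shared across threads
            self.audit.append(entry)
        return status, payload

def demo(token="shared-token-placeholder"):
    """Offline demo: a fake transport stands in for the PVWA; three end users share one token."""
    def fake_send(method, url, headers, body):
        assert headers["Authorization"] == token  # every call carries the same shared token
        return 200, {"url": url}
    client = SharedLogonClient(token, fake_send)
    with ThreadPoolExecutor(max_workers=3) as pool:
        list(pool.map(lambda u: client.call(u, "GET", "/api/Accounts"), ["alice", "bob", "carol"]))
    return client.audit
```

For a real deployment, pass `urllib_sender(client_tls_context("app.crt", "app.key"))` as the transport so every request presents the application's certificate.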

Configuring client authentication using client certificates

This procedure enables client-side authentication of the requesting application for REST Web Services, using a client certificate.

To configure client authentication using client certificates: