Set up SCIM for Privilege Cloud

This topic describes how to set up the CyberArk Identity SCIM server for Privilege Cloud. SCIM is the System for Cross-domain Identity Management, an open standard that simplifies cloud identity management and automates user provisioning across multiple domains.

Integration workflow


Step 1: Prepare for SCIM integration

  • If you intend to create users in Privilege Cloud (as opposed to creating users in the IGA), run the LDAP integration as described in LDAP integration.

Step 2: Configure CyberArk Identity

CyberArk Identity is the SCIM server, functioning as middleware in the Privilege Cloud-IGA integration. It communicates with the IGA (the SCIM client) using the SCIM protocol and relays the information to Privilege Cloud using the Privilege Cloud REST APIs.

You must integrate CyberArk Identity with both Privilege Cloud and your IGA platform.

  1. Configure the SCIM server. For details, see SCIM server configuration.

    When you add and configure the OAuth2 Client application, make sure to use the Login Name identity-privilege-integration-user$.

  2. Configure the Vault settings in CyberArk Identity. For details, see Manage privileged objects in Privilege Cloud.

    While performing this procedure, save the tenant URL you provided for the Vault configuration. You will need it to run the script described in the following step.

Step 3: Configure Privilege Cloud

To complete the integration with Privilege Cloud, run the Configure SCIM in Privilege Cloud script that you downloaded in Prepare for SCIM integration.

To configure Privilege Cloud:

  1. In PowerShell, run the following command:

    .\SCIMConfiguration.ps1 -portalUrl [Privilege Cloud Portal URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] -cyberArkIdentityClientId [CyberArk Identity Client ID]

    Command parameters:

    portalUrl
        The URL to your Privilege Cloud Portal.
        Format: https://<your subdomain>.privilegecloud.cyberark.com/PasswordVault

    cyberArkIdentityMetadataUrl
        CyberArk Identity OpenID Connect Metadata URL.
        Format: https://<your_tenant_url>/__idaptive_cybr_user_oidc/.well-known/openid-configuration
        You saved this parameter while configuring CyberArk Identity (Step 2 above, Configure CyberArk Identity).

    cyberArkIdentityClientId
        CyberArk Identity's OpenID Connect Client ID (hard-coded).

  2. When prompted, enter your Privilege Cloud admin credentials.
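Before running the configuration script, it is worth confirming that the two URL parameters follow the formats given above and that the metadata URL actually serves an OpenID Connect discovery document. The following pre-flight check is an added example, not part of CyberArk's SCIMConfiguration.ps1; it assumes the tenant's OIDC issuer is served from the same host as the metadata URL, and the required discovery-document fields are the standard OIDC ones, not a CyberArk-specific list.

```powershell
# Added pre-flight check for the SCIMConfiguration.ps1 parameters (not CyberArk code).
param(
    [Parameter(Mandatory)][string]$portalUrl,
    [Parameter(Mandatory)][string]$cyberArkIdentityMetadataUrl
)

function Test-PrivilegeCloudPortalUrl {
    param([string]$Url)
    # Expected format: https://<your subdomain>.privilegecloud.cyberark.com/PasswordVault
    return $Url -match '^https://[A-Za-z0-9-]+\.privilegecloud\.cyberark\.com/PasswordVault/?$'
}

function Test-OidcMetadataUrl {
    param([string]$Url)
    # Expected format: https://<your_tenant_url>/__idaptive_cybr_user_oidc/.well-known/openid-configuration
    if ($Url -notmatch '^https://[^/]+/__idaptive_cybr_user_oidc/\.well-known/openid-configuration$') {
        Write-Warning 'Metadata URL does not match the expected discovery-document path'
        return $false
    }
    try {
        $doc = Invoke-RestMethod -Uri $Url -Method Get -TimeoutSec 15
    } catch {
        Write-Warning "Metadata URL not reachable: $($_.Exception.Message)"
        return $false
    }
    # Standard OIDC discovery fields the integration relies on (assumed minimum set).
    foreach ($key in 'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        if (-not $doc.$key) {
            Write-Warning "Discovery document is missing '$key'"
            return $false
        }
    }
    # Assumption: the issuer is served from the tenant host itself; a mismatch usually means
    # the wrong tenant URL or a redirected/intercepted response.
    $tenantHost = ([uri]$Url).Host
    if (([uri]$doc.issuer).Host -ne $tenantHost) {
        Write-Warning "Issuer host '$(([uri]$doc.issuer).Host)' differs from tenant host '$tenantHost'"
        return $false
    }
    return $true
}

$ok = (Test-PrivilegeCloudPortalUrl $portalUrl) -and (Test-OidcMetadataUrl $cyberArkIdentityMetadataUrl)
if (-not $ok) {
    Write-Error 'Parameter check failed; correct the values before running .\SCIMConfiguration.ps1'
    exit 1
}
Write-Host 'Parameters look valid; run .\SCIMConfiguration.ps1 with the same values.'
```

Save it as, for example, Test-ScimParameters.ps1 and run it with the same -portalUrl and -cyberArkIdentityMetadataUrl values you intend to pass to the configuration script.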

Step 4: Configure the IGA platform

Configure your IGA platform for the integration according to the specific platform instructions.

IGA platform configuration:

    IGA platform            Instructions
    Sailpoint IdentityNow   Integrating Sailpoint with CyberArk Privilege Cloud
    Sailpoint IdentityIQ    Privileged Account Management