Configure SAML authentication

This topic describes how to configure SAML authentication in Privilege Cloud and in your IdP.


SAML authentication enables you to implement an Identity Provider (IdP) solution and benefit from an SSO workflow across multiple domains.

After you configure SAML authentication, all users can use this authentication method. Whether they have been provisioned using LDAP integration or were created manually as CyberArk users.

Privilege Cloud supports SAML version 2.0.

To configure SAML authentication you will need the assistance of CyberArk support.

Before you begin

To use SAML authentication in Privilege Cloud, users must first be defined in Privilege Cloud. You can do this in the following ways:

Provide information to CyberArk support

CyberArk support requires the following information for configuring SAML authentication.

  • The IdP metadata.xml file and the Audience value as defined in the IdP (see Audience).

  • or, if not available, the following fields are mandatory:



BaseURL The URL of your IdP.
IdentityProviderLoginURL The login URL of your IdP.

The base 64 text representation of the certificate that is configured for your IdP as the SAML response signing certificate.

This is used to verify the authenticity of the responses.


The value defined in the IdP. For details, see Audience.

PartnerIdentityProvider Name

The IdP identifier that enables the Privilege Cloud Portal to identify the IdP. Also known as the EntityID of the IdP.

Configure the IdP

Follow the instructions in the following table:


Privilege Cloud supports only one assertion.

Make sure only one assertion is configured in your IdP.

Assertion Consuming URL

https://<Privilege Cloud Portal DNS or IP>/PasswordVault/api/auth/saml/logon

Note: Assertion Encryption is not supported.

SAML Identity Location

Make sure that your IdP specifies Identity in the NameIdentifier element of the Subject statement.

The user name is located in the <Subject> statement of the assertion.

Secure hash algorithm

Use one of the following hash algorithms: 

  • SHA256 (recommended)
  • SHA1

This algorithm is used to sign the responses.xml.

Non-signed requests

Make sure that the IdP is set to accept non-signed requests.

User name

Configure the IdP to return the user name inside the NameID tag.

Privilege Cloud supports the unspecified NameID format.


The value used by the IdP to identify the Privilege Cloud Portal as a relying party.