Integrate Remote Access with Shared Services
This topic describes how to integrate your Remote Access tenant with CyberArk's Identity Security Platform Shared Services.
To integrate Remote Access with Shared Services, your Remote Access tenant needs to be integrated with your CyberArk Identity tenant on Shared Services.
Before you begin
The following procedures assume you have permissions to CyberArk Identity Administration.
After the Remote Access tenant is created, the following users and roles are added in CyberArk Identity Administration to support the integration with Remote Access:
CyberArk Identity Users and Roles
CyberArk Remote Access Admin Users
The following Role is added to CyberArk Identity Administration > Roles:
Remote Access uses the alero-integration-user$@<mySuffix> credentials to integrate with CyberArk Identity and to call CyberArk Identity APIs.
Verify the suffix, and set a password for the Remote Access service user:
In CyberArk Identity Administration, go to Core Services > Users > Sets, select All Service Users to filter the user list, and search for alero-integration-user$@<mySuffix>. Select Action > Reload rights > Set user password.
Do not delete this user. Deleting it breaks the integration with Remote Access.
For more information, see Mobile app.
When you receive the activation message, open the activation link on your computer and then click Agree and generate QR to open the Remote Access portal and display a QR code.
Using the CyberArk Mobile app, scan the QR code displayed on your computer screen to activate your Remote Access tenant.
Click Sign-in and scan the QR code to sign in to the Remote Access portal.
Log in to Identity Administration to find the following values, then copy them into the Identity SSO integration settings in Remote Access:
Remote Access field
CyberArk Identity Administration setting
CyberArk Identity URL
Enter the URL of the CyberArk Identity tenant. For example, aaa1234.id.cyberark.cloud.
The URL can be found in the CyberArk Identity Admin Portal. Go to Settings > Customizations > Tenant URLs.
You must use the CyberArk Identity URL with the tenant ID. Custom domains are not supported.
To find the CyberArk Identity tenant ID, click the user icon in the top right-hand corner, then click About.
Identity username suffix
The login name and suffix for the integration service user in CyberArk Identity Administration.
Select Core Services > Users > Sets, select All Service Users to filter the user list, and search for alero-integration-user$@<mySuffix>. Enter the name and the suffix in the Remote Access portal.
For more information about the login suffix, see Manage login suffixes.
The password you set for the alero-integration-user$@<mySuffix> user in CyberArk Identity Administration.
When you link your Remote Access and CyberArk Identity tenants, some of your data is shared between the tenants. If you have previously selected a different data center for the two tenants, this results in data being transferred from one region to another.
Click Proceed to continue.
When the tenant is connected successfully, the following details appear below the settings.
The name of the company whose Remote Access system has been integrated with CyberArk Identity.
The URL of the tenant in CyberArk Identity.
The data center where this tenant was created.
Whether or not all Remote Access is synchronized with CyberArk Identity.
Remote Access automatically synchronizes with CyberArk Identity Administration, without any human intervention. If required, you can initiate a manual synchronization.
Set the following:
You can enforce user login only via CyberArk Identity SSO. When disabled, users can log in via CyberArk Identity SSO or using a QR scan.
When enabled, allows you to set a time interval for when users need to re-authenticate their user credentials. The default is every 30 days.
Vendor access to CyberArk Identity web applications
When activated, allows Vendors to access web applications protected by CyberArk Identity SSO and Secure Web Session.
To invite Vendors to access CyberArk Identity applications, go to the Vendors invitation form.
The default role applied to invited Vendors. For more information, see Change vendor license consumption.
Click Authenticate to Identity.