Integrate Workforce Password Management with Privileged Access Manager - Self-Hosted

This topic describes how to integrate your CyberArk Identity tenant with your Privileged Access Manager - Self-HostedVault so you can store Secured Items (non-web app secrets) and business-related application credentials in the self-hosted Vault.

This integration provides the following benefits:

  • Gives you the flexibility to retain secrets and user credentials in your  PAM - Self-Hosted Vault.

  • Leverages the existing user-friendly capabilities of auto-capture and credential form-fill when launching applications from the CyberArk Browser Extension, Identity User Portal,  and the CyberArk Identity mobile app. Users can remotely access these credentials without connecting to a corporate VPN or installing other agents.

CyberArk Workforce Password Management only manages credentials for non-privileged user accounts (business users) stored in the CyberArk PAM - Self-Hosted Vault. Asymmetric RSA 2048 encryption is used end-to-end for credentials in transit between the user's browser and the CyberArk PAM - Self-Hosted Vault. CyberArk Identity Cloud cannot decrypt business user credentials in transit when they are stored and fetched from the Vault. Only end users can view their business credentials stored in the CyberArk PAM - Self-Hosted Vault.

Contact CyberArk Support or your Account Executive to enable end-to-end encryption for Secure Items.

CyberArk Workforce Password Management does not have rights to read or manage the highly sensitive user credentials of privileged users that are also stored in the CyberArkPAM - Self-HostedVault.

Additional licenses are required to enable the Workforce Password Management capability to store secrets and user credentials in PAM - Self-Hosted. Contact your CyberArk Account Representative for more information.

The CyberArk OIDC Trust app that was used for this integration in previous releases has been deprecated. Do not attempt to use it. It will be removed from the Identity Administration portal in a future release.

Before you begin

Collect the following information:

  • PVWA (Password Vault Web Access) component in PAM - Self-Hosted updated to version 12.1 or later.

  • PVWA URL for the PAM - Self-Hosted instance where you intend to store business user credentials.

  • The following minimum CyberArk Identity Connector versions.

    CyberArk Identity Connector versions
    Version Purpose

    21.6

    Required with the API Proxy Service enabled to allow CyberArk Identity to invoke the corresponding PVWA REST APIs through the secure, VPN-less tunnel.

    22.1

    Required for end-to-end encryption.

    22.3 Required to store non-web app secrets (Secured Items).

    See Install the CyberArk Identity Connector for more information.

    We recommend updating to the latest version of the connector to benefit from new features as they are introduced.

Configure CyberArk Identity

Step 1: Configure CyberArk Identity

  1. In the Identity Administration portal, go to Settings > Integration > Vault Configuration.

  2. Enter the following values:

    Required values

    Name

    Value

    PVWA URL

    PVWA URL for the PAM - Self-Hosted instance where you intend to store business user credentials.

    Service User for Workforce Password Management

    shared-credentials-service-user$ or service user that you have defined.

  3. Select a CyberArk Identity Connector to use with this service. Choose either Any available connector or a specific connector from the list.
  4. Click Save.

Configure PAM - Self-Hosted

To complete the integration you need to perform the following configuration steps for PAM - Self-Hosted.

Step 1: Download and run the CyberArk Identity and PAS integration configuration script.

  1. Download the CyberArk Identity and PAM - Self-Hosted integration configuration script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl [PVWA URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] -cyberArkIdentityClientId [CyberArk Identity Client ID]

    The following table describes the parameters.

    Parameter

    Description

    portalUrl

    The URL for your PVWA instance.

    The format is:

    https://<your-subdomain>/PasswordVault

    cyberArkIdentityMetadataUrl

    CyberArk Identity OpenID Connect Metadata URL.

    The URL is set to:

    https://<identity-subdomain>/__idaptive_cybr_user_oidc/.well-known/openid-configuration

    CyberArkIdentityClientId

    CyberArk Identity OpenID Connect Client ID.

    This parameter is set to:

    __idaptive_cybr_user_oidc

  3. When prompted, enter your PAM - Self-Hosted admin credentials.

Step 2: Create a service user.

The service user manages a PVWA Vault on behalf of CyberArk Identity tenant. Instead of each user having their own Vault, a service user manages a Vault on behalf of all uses in your CyberArk Identity tenant. This greatly increases the number of credentials that you can store in the PVWA Vault.

  1. Download the script to create a service user from the CyberArk Marketplace.

  2. In PowerShell, run the following command.

    .\CreateWPMServiceUser.ps1 -pvwaUrl [PVWA URL]

    The following table describes the parameters.

    Parameter

    Description

    pvwaUrl

    The URL for your PVWA instance.

    For example: https://[put-your-subdomain-here]/PasswordVault

    The script creates the service user with the following Vault privileges.

    • Add Safes

    • Audit Users

    • Add/Update Users

    • Reset Users' Passwords

    • Activate Users

    By default, this service user becomes the owner of the following Safes.

    Each Safe can hold 20,000 accounts (app credentials or Secured Items). You can have up to 20,000 Safes.
    • the Safe named <tenant ID>, where <tenant ID> is your CyberArk Identity tenant ID (to store the admin added app creds)

    • the Safe named Identity_0000x , where x is incremented each time a new Safe is required (user-added credentials or Secured Items)

Step 3: Import the CyberArk WPM platform package into PAM - Self-Hosted.

The platform package for CyberArk WPM is required to store your users' business application credentials in the Privileged Access Manager - Self-Hosted self-hosted vault.

See Manage platforms v10 interface for more information about platforms.

  1. Download the platform package from the CyberArk Marketplace.

  2. Import the platform package into the PVWA. For details, see Import a Platform Package.

Migration scenarios for existing user-added application credentials

CyberArk Identity supports the following two migration scenarios for user-added application credentials.

Migrating credentials for applications that you deployed and shared with the All users share one name option is not supported.

Scenario

Description

Existing CyberArk PAM - Self-Hosted customers with
business user credentials stored in the PAM - Self-Hosted Vault

Existing CyberArk customers who have their user credentials already stored in CyberArk PAM - Self-Hosted, can migrate to this solution without users re-registering their applications. When this solution is configured following the steps listed in previous sections and upon the first user sign in to the Identity User Portal, user accounts stored in the CyberArk PAM - Self-Hosted are automatically migrated and represented as application tiles in the Identity User Portal.

Only accounts that have a value for URL, username, and password (all three attributes) in the PAM - Self-Hosted Vault are considered for auto-migration. Also note that this scenario is limited to migrating the application account stored in the PAM - Self-Hosted Vault to the Identity User Portal. User passwords remain in CyberArk PAM - Self-Hosted and are never copied over to CyberArk Identity.

If a migrated application has a corresponding application in CyberArk Identity App Catalog, then the application is represented correctly, and users can launch and use the application without any additional configuration. If a migrated application does not have a corresponding application in CyberArk Identity App Catalog, then the application is displayed with a generic application icon (see below).

In this case, CyberArk Identity does not auto-fill the credentials when users launch the application even when the application credentials are fetched from the Vault, since it does not have the login page information to auto-fill the username and password fields.

For applications migrated as a generic application, users can view and manually copy the credentials to the target web site to sign-in to the application. The Land & Catch feature (see Enable Land & Catch for your organization) of the CyberArk Identity Browser Extension captures the application login form details and offers the user the option to save the application in the User Portal. When a user saves the application, two tiles for the application are shown in the User Portal, the generic migrated application tile and the application tile captured using Land & Catch. Users can manually delete the generic application tile as needed and use the new application tile to launch the application. See Configure a generic app to auto-fill credentials at launch for details.

Existing CyberArk customers with
business user credentials stored in CyberArk Identity, but would like to move them to the PAM - Self-Hosted Vault

Existing CyberArk customers who have their user credentials stored in CyberArk Identity can migrate them to PAM - Self-Hosted Vault. When this solution is configured following the steps listed in the previous section, and on the first user launch of the Identity User Portal, user credentials are read from CyberArk Identity and automatically migrated to the PAM - Self-Hosted Vault. Passwords are no longer stored in CyberArk Identity and are managed and fetched from the PAM - Self-Hosted Vault.