Use Cases

Integrating CyberArk with Ping products for SSO and authentication

This guide provides information for configuring a SAML connection to the CyberArk solution from the PingFederate or PingOne for Enterprise single sign-on (SSO) solutions while leveraging PingID for multi-factor authentication (MFA).

MFA is strongly advised and is the best practice for all authentication to the CyberArk Privileged Vault. For more information, see Product integration and overview.

Components

  • PingFederate 10.0

  • PingOne for Enterprise

  • PingID

Integrating CyberArk with PingOne for Enterprise

You can integrate CyberArk with PingOne for Enterprise using a SAML connection for CyberArk PVWA or an authentication policy for PingID MFA using CyberArk PVWA.


Integrating CyberArk with PingFederate

You can integrate CyberArk with PingFederate using a SAML connection for CyberArk PVWA or an authentication policy for PingID MFA using CyberArk PVWA.


Configuring SAML for CyberArk PVWA

Configure a SAML configuration for PingFederate or PingOne for Enterprise to provide single sign-on (SSO) to CyberArk.

Steps

  1. Go to Administration → Options.

  2. Expand Authentication Methods, and then select saml.

  3. In the Properties pane, enter a name in the DisplayName field to be displayed in the PVWA sign-on page.

  4. In the Enabled field, enter Yes.

    Choose a name that clearly identifies Ping Identity.

    A screen capture of the CyberArk SAML authentication method configuration highlighting the DisplayName and Enabled fields.

  5. Go to Administration → Options.

  6. In the Options pane, select Access Restriction.

  7. Right-click Access Restriction, and in the context menu, select Add Allowed Referrer.

  8. In the Properties pane, in the BaseUrl field, enter the URL of your Ping Identity tenant host.

  9. In the Regular Expression field, enter No. Click Apply.

    A screen capture of the CyberArk access restriction settings.

    Your changes are saved when the message "Your changes have been saved successfully" appears.

  10. Open the PVWA web.config file and, in the <appSettings> section, add the following key and value pairs:

    • <add key="IdentityProviderLoginURL" value="your identity provider login URL" />

    • <add key="IdentityProviderCertificate" value="your certificate" />

      Get an ASCII (Base64) export of the certificate and remove all line breaks (CRs) so that the entry is a single line.

    • <add key="Issuer" value="PasswordVault" />

      PasswordVault is the default value.

      A screen capture of the PVWA web.config file edited for the CyberArk SAML configuration.

  11. Save the file and restart IIS.
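The web.config step above is easy to get wrong in two ways: a certificate pasted with its line breaks still in it, or an IdP login URL that is not HTTPS. The following script is an added example, not Ping Identity or CyberArk code; it uses only the Python standard library to turn a PEM export into the single-line value the entry needs, render the three <appSettings> keys, and check an existing web.config for those two mistakes. The hostname idp.example.com and the tiny "certificate" body (a minimal DER SEQUENCE, not a real X.509 certificate) are constructed for the example.

```python
"""Added example: prepare and sanity-check the PVWA web.config <appSettings>
values used by the CyberArk SAML authentication method (stdlib only)."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The three keys the SAML authentication method reads from <appSettings>.
REQUIRED_KEYS = ("IdentityProviderLoginURL", "IdentityProviderCertificate", "Issuer")

# Constructed sample "certificate": the Base64 body decodes to a minimal DER
# SEQUENCE (30 03 02 01 01). It is NOT a real certificate; it only exercises the code.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def pem_to_single_line(pem_text: str) -> str:
    """Strip the BEGIN/END armor and every line break from an ASCII (PEM) export
    so that the Base64 body fits on one line, as the web.config entry requires."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    # Fail early if the body is not valid Base64 or does not decode to a DER
    # SEQUENCE (tag 0x30), which every X.509 certificate starts with.
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body is not a DER SEQUENCE")
    return body


def build_app_settings(login_url: str, cert_single_line: str,
                       issuer: str = "PasswordVault") -> str:
    """Render the three <add key="..." value="..." /> elements as XML text."""
    root = ET.Element("appSettings")
    for key, value in (("IdentityProviderLoginURL", login_url),
                       ("IdentityProviderCertificate", cert_single_line),
                       ("Issuer", issuer)):
        ET.SubElement(root, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")


def check_web_config(xml_text: str) -> list:
    """Return a list of findings for a web.config (or a bare <appSettings>
    fragment); an empty list means the SAML settings look sane."""
    findings = []
    root = ET.fromstring(xml_text)
    settings = root if root.tag == "appSettings" else root.find("appSettings")
    if settings is None:
        return ["no <appSettings> section"]
    values = {a.get("key"): a.get("value", "") for a in settings.findall("add")}
    for key in REQUIRED_KEYS:
        if not values.get(key):
            findings.append(f"missing or empty key: {key}")
    url = values.get("IdentityProviderLoginURL", "")
    if url and urlparse(url).scheme != "https":
        findings.append("IdentityProviderLoginURL is not https")
    cert = values.get("IdentityProviderCertificate", "")
    if cert:
        if re.search(r"\s", cert):
            findings.append("IdentityProviderCertificate contains whitespace/line breaks")
        else:
            try:
                der = base64.b64decode(cert, validate=True)
                if not der or der[0] != 0x30:
                    findings.append("IdentityProviderCertificate is not DER")
            except ValueError:  # binascii.Error is a subclass of ValueError
                findings.append("IdentityProviderCertificate is not valid Base64")
    return findings


# Constructed web.config skeleton with a nested <appSettings>, as PVWA has.
SAMPLE_WEB_CONFIG = (
    "<configuration><appSettings>"
    '<add key="IdentityProviderLoginURL" value="https://idp.example.com/sso" />'
    '<add key="IdentityProviderCertificate" value="MAMCAQE=" />'
    '<add key="Issuer" value="PasswordVault" />'
    "</appSettings></configuration>"
)

if __name__ == "__main__":
    cert = pem_to_single_line(SAMPLE_PEM)
    print(build_app_settings("https://idp.example.com/sso", cert))
    print(check_web_config(SAMPLE_WEB_CONFIG) or "web.config: OK")
```

Run it against a copy of the real file with `check_web_config(open("web.config").read())`; the whitespace check catches the most common cause of a certificate that "does not load" after the edit, and the scheme check catches a login URL that would send the SAML exchange over plain HTTP.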

Product integration and overview

Product integration description and diagram

A diagram of the CyberArk and Ping Identity product integration.

  1. The user opens the identity provider (IdP) URL to access CyberArk. The IdP solution (PingOne for Enterprise or PingFederate) validates the user through the configured authentication flow.

    (Not shown) Alternatively, the user could attempt to access CyberArk directly. CyberArk would redirect the user to step 1 with a SAML request to validate the user.

  2. PingFederate or PingOne for Enterprise invokes the PingID MFA process.

  3. After the MFA process is completed, the IdP solution redirects the user’s browser to CyberArk with a SAML assertion.

  4. (Not shown) CyberArk validates the SAML assertion and grants access.

PingFederate overview

PingFederate enables:

  • Outbound and inbound solutions for SSO

  • Federated identity management

  • Customer identity and access management (CIAM)

  • Mobile identity security

  • API security

  • Social identity integration

Browser-based SSO extends employee, customer, and partner identities across domains without passwords, using only standard identity protocols, such as SAML, WS-Fed, WS-Trust, OAuth and OpenID Connect, and SCIM. For more information, see PingFederate Getting Started Guide.

PingOne for Enterprise overview

PingOne for Enterprise is a cloud-based identity as a service (IDaaS) framework for secure identity access management. Use PingOne for Enterprise to give members of your organization secure SSO to cloud applications. For more information, see PingOne for Enterprise overview.

PingID overview

PingID is a cloud-based authentication service that binds user identities to devices. During the PingID authentication process, the PingID service sends an authentication request to the user’s device, requiring no password response: the user just swipes to authenticate. For more information, see PingID overview.