Configuring instances of the secret manager plugin for the CyberArk Credential Provider
To give PingFederate access to datastore credentials stored in your CyberArk Credential Provider, configure an instance of the CyberArk Credential Provider secret manager plugin.
Before you begin
- Install the CyberArk Credential Provider and integrate it with PingFederate. For more information, see Integrating with the CyberArk Credential Provider.
- When configuring instances of the secret manager plugin, you need information about your secret manager's configuration. You also need information about the contents of your secret manager to generate reference codes for its contents.
About this task
To configure an instance of the secret manager plugin that provides access to the CyberArk Credential Provider:
Steps
- In the PingFederate administrative console, go to System → External Systems → Secret Managers.
  Result: The Secret Managers window opens.
- Click Create New Instance.
  Result: The Create Secret Manager Instance window opens.
- Configure the Type tab settings:
  - Enter an Instance Name and a unique Instance ID.
  - In the Type menu, select CyberArk Credential Provider.
  - Optional: To make this new secret manager instance the child of an existing instance, select the Parent Instance.
- Configure the Instance Configuration tab according to the settings of your CyberArk Credential Provider:
  - Enter the App ID.
    The App ID is the unique ID of the PingFederate application configured in the CyberArk Credential Provider.
  - Enter the Connection Port that the Java SDK will use to connect to the CyberArk Credential Provider.
    The default value is 18923.
  - Enter the Connection Timeout in seconds.
    This is the maximum timeout when retrieving credentials from the provider. The actual timeout could be less, depending on provider settings. The default is 30 seconds.
  - Optional: If you need a secondary username property, click Show Advanced Fields and enter the name of the CyberArk property in the Username Retrieval Property Name field.
    CyberArk has a Username property. If the Username Retrieval Property Name field is empty or has the default value "username", CyberArk returns the value of its Username property.
    However, if you need a secondary username property, you can tell PingFederate to interpret another CyberArk property as an additional username property. For example, if you have a Windows domain account configured in CyberArk, you could use its optional user DN property to store secondary username data. To retrieve that data, you would specify "userdn" in the Username Retrieval Property Name field.
- Optional: On the Actions tab, verify that you can generate a valid reference code for a credential stored in the CyberArk Credential Provider:
  - In the Generate section, enter each Parameter Value that PingFederate needs to retrieve a specific secret.
    The values depend on the name and location of the secret in the CyberArk Credential Provider. Optionally, you can specify in the reference code that PingFederate will also retrieve the username for the datastore account.
  - Click Generate.
    Result: PingFederate generates and displays the secret's reference code. The code is composed of the obfuscation prefix OBF:MGR, the plugin instance's ID, and the parameters you specify on this tab.
  - Copy the reference code.
  - In the Validate section, paste the code into the Secret Reference field.
  - Click Validate.
    Result: PingFederate uses the reference code to request the secret from the CyberArk Credential Provider and then displays whether the request succeeded.
  To clear the fields and the generated reference code on the Actions tab, click Reset.
- On the Summary tab, review the settings. Then, if needed, change the settings on the previous tabs.
- Click Save.
  Result: The Secret Managers window opens, showing the new instance in the table.
Next steps
After configuring an instance of the secret manager plugin, use it to generate a reference code for a specific password in the CyberArk Credential Provider. Then you can add the reference code to the following places in PingFederate:
- An instance of a datastore plugin for an LDAP directory, JDBC database, or REST API. For more information, see Using passwords in secret managers to access datastores.
- The ldap.properties file, the oauth2.properties file, and the oidc.properties file.
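Once reference codes replace passwords in the properties files named above, a practitioner typically wants to confirm that no plaintext credential was left behind and that each reference points at the intended secret manager instance. The following Python script is an added example and is not code from PingFederate or the CyberArk plugin. It relies on one fact from this page, that a generated reference code begins with the obfuscation prefix OBF:MGR and carries the plugin instance's ID and the retrieval parameters. The property keys, the instance ID "cyberark1", and the exact layout of the sample reference code are constructed for illustration and are not real PingFederate settings; the script therefore checks only the prefix and the presence of the instance ID, not a particular separator layout.

```python
"""Audit a PingFederate-style .properties file for credential values that are
still plaintext instead of secret-manager reference codes.

Added example, not code from PingFederate or the CyberArk plugin. The only
detail taken from the documentation is that a generated reference code starts
with the prefix OBF:MGR and contains the secret manager instance's ID and the
retrieval parameters. The property keys, the instance ID "cyberark1" and the
layout of the sample reference code below are constructed for illustration.
"""
import re
from dataclasses import dataclass

REFERENCE_PREFIX = "OBF:MGR"

# Heuristic (constructed): property keys that are expected to hold a credential.
CREDENTIAL_KEY_PATTERN = re.compile(r"password|credential|secret", re.IGNORECASE)

# Constructed sample file: one key already points at the secret manager, one
# still holds a plaintext password, one was left empty.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real PingFederate configuration
ldap.user.dn=cn=pf-svc,ou=service,dc=example,dc=com
ldap.user.password=OBF:MGR:cyberark1:Safe=PF,Object=ldap-svc
jdbc.audit.username=pfaudit
jdbc.audit.password=hunter2
oauth2.client.secret=
"""


@dataclass
class Finding:
    line_no: int
    key: str
    status: str  # "reference", "plaintext" or "empty"


def parse_properties(text: str) -> list[tuple[int, str, str]]:
    """Minimal Java .properties reader: key=value or key:value pairs,
    lines starting with '#' or '!' are comments, blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            entries.append((line_no, match.group(1), match.group(2).strip()))
    return entries


def classify(value: str) -> str:
    """A value counts as a secret-manager reference only if it carries the OBF:MGR prefix."""
    if value == "":
        return "empty"
    if value.startswith(REFERENCE_PREFIX):
        return "reference"
    return "plaintext"


def audit(text: str) -> list[Finding]:
    """Return one Finding per credential-looking key, in file order."""
    return [
        Finding(line_no, key, classify(value))
        for line_no, key, value in parse_properties(text)
        if CREDENTIAL_KEY_PATTERN.search(key)
    ]


def plaintext_keys(text: str) -> list[str]:
    """Keys that still hold a plaintext credential and should be migrated."""
    return [f.key for f in audit(text) if f.status == "plaintext"]


def references_instance(value: str, instance_id: str) -> bool:
    """True if the value is a reference code that names the given secret manager
    instance. Only the prefix and the presence of the ID are checked, because the
    separator layout between the code's components is not specified here."""
    return value.startswith(REFERENCE_PREFIX) and instance_id in value


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print(f"line {finding.line_no}: {finding.key} -> {finding.status}")
    print("needs migration:", plaintext_keys(SAMPLE_PROPERTIES))
```

Run it against a copy of ldap.properties, oauth2.properties or oidc.properties after the migration; any key reported as "plaintext" still needs a reference code generated on the Actions tab, and references_instance lets you confirm that the codes name the instance you expect after an instance is renamed or replaced.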