PingFederate Server

CyberArk’s authentication methods

CyberArk administrators can configure one or more authentication methods between the CyberArk Credential Provider and its Vault.

The Credential Provider supports any combination of the following authentication methods:

  • Hash

  • OS user

  • Allowed machines

  • Path

For information about CyberArk’s authentication methods, see Application authentication methods in the CyberArk documentation.

The following sections provide additional information specific to using the hash authentication method and OS user authentication method with PingFederate.

Hash authentication method

For information about using the hash authentication method, see Authenticate with a hash value in the CyberArk documentation.

The hash changes when you perform a major or minor upgrade, or a maintenance update, of PingFederate. So you must regenerate the hash after an upgrade or update, otherwise PingFederate won’t be able to retrieve credentials from CyberArk.

The following syntax and examples show how to use CyberArk’s aimgetappinfo utility to generate a hash in Linux and Windows environments.

Linux syntax

aimgetappinfo GetHash -FilePath "<path to>/pf-core-plugins.jar"

Linux example command and its output

/opt/CARKaim/bin$ ./aimgetappinfo GetHash
   -FilePath "/home/imok/Downloads/pingfederate-11.0.0/pingfederate/server/default/lib/pf-core-plugins.jar"
<generated hash>
Command ended successfully

Windows syntax

AIMGetAppInfo GetHash /FilePath "<path to>\pf-core-plugins.jar"

Windows example command and its output

C:\Program Files (x86)\CyberArk\ApplicationPasswordProvider\Utils>AIMGetAppInfo GetHash
   /FilePath "C:\Users\Administrator\Downloads\pingfederate-11.0.0\pingfederate\server\default\lib\pf-core-plugins.jar"
<generated hash>
Command ended successfully

OS user authentication method

For information about the OS user authentication method, see .cyberark.com/Product-Doc/OnlineHelp/AAM-CP/12.1/en/Content/CP%20and%20ASCP/Application-Authentication-Methods-general.htm?tocpath=Administration%7CManage%20applications%7CApplication%20authentication%7CApplication%20authentication%20methods%7C_0//[OS user authentication] in the CyberArk documentation.

In a Windows environment, if the PingFederate Windows service is installed or configured with Log On As: Local System, the CyberArk admin must enter NT AUTHORITY\SYSTEM as the OS user entry.