To give PingFederate access to datastore credentials stored in your CyberArk Credential Provider, configure an instance of the CyberArk Credential Provider secret manager plugin.
Install the CyberArk Credential Provider and integrate it with PingFederate. For more information, see Integrating with the CyberArk Credential Provider.
When configuring instances of the secret manager plugin, you need information about your secret manager's configuration. You also need information about the contents of your secret manager to generate reference codes for its contents.
To configure an instance of the secret manager plugin that provides access to the CyberArk Credential Provider:
In the PingFederate administrative console, go to .
The Secret Managers window opens.
Click Create New Instance.
The Create Secret Manager Instance window opens.
Configure the Type tab settings:
- Enter an Instance Name and a unique Instance ID.
- In the Type menu, select CyberArk Credential Provider.
- Optional: To make this new secret manager instance the child of an existing instance, select the Parent Instance.
Configure the Instance Configuration tab according to the settings of your CyberArk Credential Provider.
The App ID is the unique ID of the PingFederate application configured in the CyberArk Credential Provider.
On the Actions tab, verify that you can generate a valid reference code for a credential stored in the CyberArk Credential
- In the Generate section, enter each Parameter Value that PingFederate needs to retrieve a specific secret.
The values depend on the name and location of the secret in the CyberArk Credential Provider. Optionally, you can specify in the reference code that PingFederate will also retrieve the username for the datastore account.
PingFederate generates and displays the secret's reference code. The code is composed of the obfuscation prefix OBF:MGR, the plugin instance's ID, and the parameters you specify on this tab.
- Copy the reference code.
- In the Validate section, paste the code into the Secret Reference field.
PingFederate uses the reference code to request the secret from the CyberArk Credential Provider and then displays whether the request succeeded.
To clear the fields and the generated reference code on the Actions tab, click Reset.
- On the Summary tab, review the settings. Then, if needed, change the settings on the previous tabs.
The Secret Managers window opens, showing the new instance in the table.
After configuring an instance of the secret manager plugin, use it to generate a reference code for a specific password in the CyberArk Credential Provider. Then you can add the reference code to the following places in PingFederate:
- An instance of a datastore plugin for an LDAP directory, JDBC database, or REST API. For more information, see Using passwords in secret managers to access datastores.
oauth2.properties file, and the