You can configure instances of PingFederate's datastore plugins to retrieve datastore account passwords that are stored in an external secret management system (secret manager).
Before performing this task, you must:
- Install the CyberArk Credential Manager or another secret manager
- Integrate the secret manager with PingFederate
- Add the datastore passwords to the secret manager
- Configure an instance of PingFederate's secret manager plugin to access the secret manager
Instead of storing the passwords for LDAP directories, JDBC databases, and REST API datastores in PingFederate, you can keep them in a secret manager, a system built for maintaining passwords and other secrets. When PingFederate needs to access a datastore, it uses a reference code to request the password from the secret manager. Before that can happen, you must generate a reference code for the datastore password and add it to the datastore plugin instance.
To generate a reference code for a datastore password and add it to a datastore plugin instance:
- Use an instance of the secret manager plugin to generate a reference code for the datastore's password:
  - In the PingFederate administrative console, go to . The Secret Managers window opens.
  - Click the name of the secret manager plugin instance. The Secret Manager window opens.
  - Go to the Actions tab.
  - In the Generate section, enter each Parameter Value that PingFederate needs to retrieve the datastore
    The values depend on the name and location of the password in the CyberArk Credential Provider. Optionally, you can specify in the reference code that PingFederate will also retrieve the username for the datastore account.
    PingFederate generates and displays the password's reference code. The code is composed of the obfuscation code OBF:MGR, the plugin instance's ID, and the parameters you specify on this tab.
  - Copy the reference code.
  - To verify that PingFederate can use the reference code to retrieve a password, paste the code into the Secret Reference field. Then click
    PingFederate requests the password from the CyberArk Credential Provider and then displays whether the request succeeded.
- In the PingFederate administrative console, go to .
- Add the password's reference code to the datastore plugin instance using one of the following methods, depending on whether the plugin is for an LDAP directory, JDBC database, or REST API datastore:
  - For an LDAP directory, go to the plugin instance's LDAP Configuration tab, set Credential Storage to Secret Manager, and enter the Password Reference code that you generated above.
  - For a JDBC database, go to the plugin instance's Database Config tab, set Credential Storage to Secret Manager, and enter the Password Reference code that you generated above.
  - For a REST API datastore, go to the plugin instance's Configure Data Store Instance tab, and enter the Password Reference code that you generated above.

If you configured the reference code with Retrieve Username enabled, PingFederate ignores the username defined in the datastore plugin instance.