Configuring instances of the secret manager plugin for the CyberArk Credential Provider - PingFederate - 11.2

PingFederate Server

bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

To give PingFederate access to datastore credentials stored in your CyberArk Credential Provider, configure an instance of the CyberArk Credential Provider secret manager plugin.

Install the CyberArk Credential Provider and integrate it with PingFederate. For more information, see Integrating with the CyberArk Credential Provider.

Note:

When configuring instances of the secret manager plugin, you need information about your secret manager's configuration. You also need information about the contents of your secret manager to generate reference codes for its contents.

To configure an instance of the secret manager plugin that provides access to the CyberArk Credential Provider:

  1. In the PingFederate administrative console, go to System > External Systems > Secret Managers.

    The Secret Managers window opens.

  2. Click Create New Instance.

    The Create Secret Manager Instance window opens.

  3. Configure the Type tab settings:
    1. Enter an Instance Name and a unique Instance ID.
    2. In the Type menu, select CyberArk Credential Provider.
    3. Optional: To make this new secret manager instance the child of an existing instance, select the Parent Instance.
  4. Configure the Instance Configuration tab according to the settings of your CyberArk Credential Provider.

    The App ID is the unique ID of the PingFederate application configured in the CyberArk Credential Provider.

  5. Optional: On the Actions tab, verify that you can generate a valid reference code for a credential stored in the CyberArk Credential Provider:
    1. In the Generate section, enter each Parameter Value that PingFederate needs to retrieve a specific secret.

      The values depend on the name and location of the secret in the CyberArk Credential Provider. Optionally, you can specify in the reference code that PingFederate will also retrieve the username for the datastore account.

    2. Click Generate.

      PingFederate generates and displays the secret's reference code. The code is composed of obfuscation prefix OBF:MGR, the plugin instance's ID, and the parameters you specify on this tab.

    3. Copy the reference code.
    4. In the Validate section, paste the code into the Secret Reference field.
    5. Click Validate.

      PingFederate uses the reference code to request the secret from the CyberArk Credential Provider and then displays whether the request succeeded.

    Tip:

    To clear the fields and the generated reference code on the Actions tab, click Reset.

  6. On the Summary tab, review the settings. Then, if needed, change the settings on the previous tabs.
  7. Click Save.

    The Secret Managers window opens, showing the new instance in the table.

After configuring an instance of the secret manager plugin, use it to generate a reference code for a specific password in the CyberArk Credential Provider. Then you can add the reference code to the following places in PingFederate: