Configuring SAML for CyberArk PVWA - PingOne for Enterprise - PingFederate


Configure SAML for PingFederate or PingOne for Enterprise to provide single sign-on (SSO) to CyberArk.

  1. Go to Administration > Options.
  2. Expand Authentication Methods, and then select saml.
  3. In the Properties pane, enter a name in the DisplayName field to be displayed in the PVWA sign-on page.
    Tip:

    Choose a name that clearly identifies Ping Identity.

  4. In the Enabled field, enter Yes.
    A screen capture of the CyberArk SAML authentication method configuration highlighting the DisplayName and Enabled fields.
  5. Go to Administration > Options.
  6. In the Options pane, select Access Restriction.
  7. Right-click Access Restriction, and in the context menu, select Add Allowed Referrer.
  8. In the Properties pane, in the BaseUrl field, enter the URL of your Ping Identity tenant host.
  9. In the Regular Expression field, enter No. Click Apply.
    A screen capture of the CyberArk access restriction settings.
    Note:

    Your changes are saved when the "Your changes have been saved successfully" modal appears.

  10. Open the PVWA web.config file and in the <appSettings> section, add the following key and value pairs:
    • <add key="IdentityProviderLoginURL" value="your identity provider login URL" />
    • <add key="IdentityProviderCertificate" value="your certificate" />
      Tip:

      Get an ASCII export of the certificate and remove all CRs to make the entry a single line.

    • <add key="Issuer" value="PasswordVault" />
      Note:

      PasswordVault is the default value.

    A screen capture of the PVWA web.config file edited for the CyberArk SAML configuration.
  11. Save the file and restart IIS.
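
The certificate flattening in step 10 is easy to get wrong by hand, so here is one way to script it. This is an added example, not code from Ping Identity or CyberArk. It assumes the value wanted is the Base64 body without the BEGIN/END lines, and the function names, sample bytes and login URL are hypothetical.

```python
import base64
import hashlib
import re
from xml.sax.saxutils import quoteattr

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def single_line_certificate(pem_text):
    """Return (one-line Base64 body, SHA-256 fingerprint of the DER bytes)."""
    match = PEM_RE.search(pem_text)
    # Assumption: the value wanted is the Base64 body without the armor lines.
    body = match.group(1) if match else pem_text
    b64 = re.sub(r"\s+", "", body)  # drops CR, LF, tabs and spaces
    der = base64.b64decode(b64, validate=True)  # raises on stray characters
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not a certificate")
    return b64, hashlib.sha256(der).hexdigest()

def app_settings(login_url, pem_text, issuer="PasswordVault"):
    """Build the three <add/> elements for the PVWA web.config <appSettings>."""
    b64, _ = single_line_certificate(pem_text)
    pairs = [("IdentityProviderLoginURL", login_url),
             ("IdentityProviderCertificate", b64),
             ("Issuer", issuer)]
    # quoteattr XML-escapes the value, e.g. "&" in a login URL becomes "&amp;".
    return ["<add key=%s value=%s />" % (quoteattr(k), quoteattr(v))
            for k, v in pairs]

if __name__ == "__main__":
    # Constructed sample: placeholder bytes with a DER SEQUENCE tag, not a real
    # certificate, wrapped as a PEM export with CRLF line endings.
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))
    encoded = base64.b64encode(fake_der).decode()
    lines = [encoded[i:i + 64] for i in range(0, len(encoded), 64)]
    pem = "\r\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                       "-----END CERTIFICATE-----", ""])
    # Hypothetical login URL for illustration only.
    url = "https://idp.example.com/sso?app=pvwa&env=prod"
    for element in app_settings(url, pem):
        print(element)
    print("SHA-256 of certificate:", single_line_certificate(pem)[1])
```

Compare the printed SHA-256 fingerprint with the one shown for the signing certificate in your identity provider before pasting the value into web.config.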