---
title: Integrating CyberArk with Ping products for SSO and authentication
description: This guide provides information for configuring a SAML connection to the CyberArk solution from the PingFederate or PingOne for Enterprise single sign-on (SSO) solutions while leveraging PingID for multi-factor authentication (MFA).
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_integrate_cyberark_ping_prod_sso_authn
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_integrate_cyberark_ping_prod_sso_authn.html
revdate: August 10, 2023
page_aliases: ["single_sign-on_use_cases:htg_integrate_cyberark_sso_authn_p14e.adoc", "single_sign-on_use_cases:htg_integrate_cyberark_sso_authn_pf.adoc", "single_sign-on_use_cases:htg_integrate_cyberark_sso_authn_saml_pvwa.adoc", "ingle_sign-on_use_cases:htg_integrate_cyberark_description_diagram.adoc"]
section_ids:
  components: Components
  integrating-cyberark-with-pingone-for-enterprise: Integrating CyberArk with PingOne for Enterprise
  integrating-cyberark-with-pingfederate: Integrating CyberArk with PingFederate
  configuring-saml-for-cyberark-pvwa: Configuring SAML for CyberArk PVWA
  steps: Steps
  product-cyberark-description-diagram: Product integration and overview
  product-integration-description-and-diagram: Product integration description and diagram
  pingfederate-overview: PingFederate overview
  pingone-for-enterprise-overview: PingOne for Enterprise Overview
  pingid-overview: PingID Overview
---

# Integrating CyberArk with Ping products for SSO and authentication

This guide provides information for configuring a SAML connection to the CyberArk solution from the PingFederate or PingOne for Enterprise single sign-on (SSO) solutions while leveraging PingID for multi-factor authentication (MFA).

MFA is strongly advised and is the best practice for all authentication to the CyberArk Privileged Vault. For more information, see [Product integration and overview](#product-cyberark-description-diagram).

## Components

* PingFederate 10.0

* PingOne for Enterprise

* PingID

## Integrating CyberArk with PingOne for Enterprise

You can integrate CyberArk with PingOne for Enterprise using a SAML connection for CyberArk PVWA or an authentication policy for PingID MFA using CyberArk PVWA.


## Integrating CyberArk with PingFederate

You can integrate CyberArk with PingFederate using a SAML connection for CyberArk PVWA or an authentication policy for PingID MFA using CyberArk PVWA.


## Configuring SAML for CyberArk PVWA

Configure SAML authentication so that PingFederate or PingOne for Enterprise can provide single sign-on (SSO) to CyberArk.

### Steps

1. Go to **Administration → Options**.

2. Expand **Authentication Methods**, and then select **saml**.

3. In the **Properties** pane, enter a name in the **DisplayName** field to be displayed in the PVWA sign-on page.

4. In the **Enabled** field, enter **Yes**.

   Choose a name that clearly identifies Ping Identity.

   ![A screen capture of CyberArk SAML authentication method configuration highlighting the DisplayName and Enabled fields.](_images/puu1589408732685.png)

5. Go to **Administration → Options**.

6. In the **Options** pane, select **Access Restriction**.

7. Right-click **Access Restriction**, and in the context menu, select **Add Allowed Referrer**.

8. In the **Properties** pane, in the **BaseUrl** field, enter the URL of your Ping Identity tenant host.

9. In the **Regular Expression** field, enter **No**. Click **Apply**.

   ![A screen capture of CyberArk access restrictions settings](_images/kxm1589408817450.png)

   Your changes are saved when the **Your changes have been saved successfully** modal appears.

10. Open the PVWA `web.config` file and in the `<appSettings>` section, add the following key and value pairs:

    * `<add key="IdentityProviderLoginURL" value="your identity provider login URL" />`

    * `<add key="IdentityProviderCertificate" value="your certificate" />`

      Get an ASCII export of the certificate and remove all CRs to make the entry a single line.

    * `<add key="Issuer" value="PasswordVault" />`

      `PasswordVault` is the default value.

      ![A screen capture of the PVWA web.config file edited for CyberArk SAML configuration.](_images/rsr1589408920555.png)

11. Save the file and restart IIS.
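
A check for the three `<appSettings>` keys from step 10, useful before restarting IIS. This is an added example, not part of the original guide or of CyberArk or Ping Identity tooling. It assumes the certificate value is the bare Base64 body of the export; the https requirement, the function names, and the `idp.example.com` URL are also assumptions of this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED_KEYS = ("IdentityProviderLoginURL", "IdentityProviderCertificate", "Issuer")

# Constructed placeholder: Base64 of bytes with a DER SEQUENCE header, not a real certificate.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x0a" + bytes(266)).decode()

def check_saml_app_settings(web_config_xml):
    """Return a list of problems with the SAML keys in <appSettings>."""
    root = ET.fromstring(web_config_xml)
    settings = {a.get("key"): a.get("value", "")
                for a in root.findall("./appSettings/add")}
    problems = [f"{k}: missing or empty" for k in REQUIRED_KEYS if not settings.get(k)]

    login_url = settings.get("IdentityProviderLoginURL", "")
    parsed = urlparse(login_url)
    # Added hardening check (not from the guide): require an absolute https URL.
    if login_url and (parsed.scheme != "https" or not parsed.netloc):
        problems.append("IdentityProviderLoginURL: not an absolute https URL")

    cert = settings.get("IdentityProviderCertificate", "")
    if any(ch.isspace() for ch in cert):
        # XML parsing turns line breaks inside an attribute value into spaces.
        problems.append("IdentityProviderCertificate: contains line breaks or spaces")
    elif cert:
        # Assumption: the value is the bare Base64 body of the certificate.
        try:
            der = base64.b64decode(cert, validate=True)
        except binascii.Error:
            der = b""
        if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
            problems.append("IdentityProviderCertificate: not Base64-encoded DER")
    return problems

def sample_config(url, cert, issuer=None):
    """Build a constructed web.config document for the demonstration."""
    pairs = [("IdentityProviderLoginURL", url), ("IdentityProviderCertificate", cert)]
    if issuer is not None:
        pairs.append(("Issuer", issuer))
    adds = "".join(f'<add key="{k}" value="{v}" />' for k, v in pairs)
    return f"<configuration><appSettings>{adds}</appSettings></configuration>"

if __name__ == "__main__":
    wrapped = SAMPLE_CERT[:64] + "\n" + SAMPLE_CERT[64:]  # certificate left on two lines
    print(check_saml_app_settings(sample_config("https://idp.example.com/sso", SAMPLE_CERT, "PasswordVault")))
    print(check_saml_app_settings(sample_config("http://idp.example.com/sso", wrapped)))
```

To check a real file, pass the contents of the PVWA `web.config` to `check_saml_app_settings`; an empty list means all three keys passed.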

## Product integration and overview

### Product integration description and diagram

![A diagram of the CyberArk and Ping Identity product integration](_images/tqk1589409335304.png)

1. The user initiates an identity provider (IdP) URL to access CyberArk. The IdP solution (PingOne for Enterprise or PingFederate) validates the user through the configured authentication flow.

   (Not shown) Alternatively, the user could attempt to access CyberArk directly. CyberArk would redirect the user to step 1 with a SAML request to validate the user.

2. PingFederate or PingOne for Enterprise invokes the PingID MFA process.

3. After the MFA process is completed, the IdP solution redirects the user's browser to CyberArk with a SAML assertion.

4. (Not shown) CyberArk validates the SAML assertion and grants access.

### PingFederate overview

PingFederate enables:

* Outbound and inbound solutions for SSO

* Federated identity management

* Customer identity and access management (CIAM)

* Mobile identity security

* API security

* Social identity integration

Browser-based SSO extends employee, customer, and partner identities across domains without passwords, using only standard identity protocols, such as SAML, WS-Fed, WS-Trust, OAuth and OpenID Connect, and SCIM. For more information, see [PingFederate Introduction](https://docs.pingidentity.com/pingfederate/12.3/introduction_to_pingfederate/pf_intro_to_pf.html).

### PingOne for Enterprise Overview

PingOne for Enterprise is a cloud-based identity as a service (IDaaS) framework for secure identity access management. Use PingOne for Enterprise to give members of your organization secure SSO to cloud applications. For more information, see [PingOne for Enterprise overview](https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_overview.html).

### PingID Overview

PingID is a cloud-based authentication service that binds user identities to devices. During the PingID authentication process, the PingID service sends an authentication request to the user's device, requiring no password response: the user just swipes to authenticate. For more information, see [introduction to PingID](https://docs.pingidentity.com/pingid/introduction_to_pingid/pid_introduction.html).
