Configuring a PingFederate authentication policy using PingID MFA authentication for CyberArk PVWA
For CyberArk and Ping Identity best practices, deploy MFA for all single sign-on (SSO) requests to the CyberArk Password Vault Web Access (PVWA).
About this task
Integrate a PingFederate authentication policy with PingID multi-factor authentication (MFA).
The following configuration steps assume you are creating a new authentication policy specifically for MFA to the CyberArk PVWA. If other existing authentication policies are in use, modify your policy tree to perform this task.
Steps
-
Go to Authentication → Integration → IdP Adapters.
Result:
The Manage IdP Adapter Instances page opens.
-
Click Create New Instance.
-
On the Type tab, enter an Instance Name and an Instance ID.
-
In the Type list, select the PingID Adapter 2.6 adapter type. Click Next.
-
On the IdP Adapter tab, select Choose File and upload the PingID properties file. Click Next.
-
On the Extended Contract tab, click Next.
-
On the Adapter Attributes tab, select the Pseudonym checkbox for the subject attribute. Click Next.
-
On the Adapter Contract Mapping tab, click Next.
-
On the Summary tab, click Done to return to the Manage IdP Adapter Instances page.
-
Click Save.
-
Create a new authentication policy.
These steps will help you create a new authentication policy. For general information about configuring authentication policies, see Defining authentication policies in the PingFederate documentation.
-
Go to Authentication → → Policies to open the Authentication Policies window.
-
On the Policies tab, select the IDP Authentication Policies checkbox. Click Add Policy.
Result:
A new Policy configuration page opens.
-
Enter an authentication policy name in the Name field and a description in the Description field.
-
In the Policy list, select HTMLForm - (Adapter).
-
In the Fail list, select Done.
-
In the Success list, select PingID - (Adapter).
-
In the Fail list, select Done.
-
In the Success list, select cyberark - (Policy Contract).
-
In the Success list, where PingID - (Adapter) is selected, click Options.
Result:
A new Incoming User ID modal opens.
-
In the Source list, select Adapter (HTMLForm).
-
In the Attribute list, select username. Click Done to close and exit the modal.
-
On the Policy page, click Done to return to the Authentication Policies configuration page.
-
In the Policy Contracts section, click Contract Mapping for the CyberArk policy contract.
Result:
A new Authentication Policy Contract Mapping page opens.
-
On the Attribute Sources & User Lookup tab, click Next.
-
On the Contract Fulfillment tab, in the Source list, select Adapter (HTMLForm).
-
In the Value list, select username. Click Next.
-
On the Issuance Criteria tab, click Next.
-
On the Summary tab, click Done to return to the Authentication Policies window.
-
Click Save. Click Done.
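The policy tree built in these steps sends HTMLForm success to PingID, and only PingID success to the cyberark policy contract. The following added example (not part of the Ping Identity or CyberArk documentation) audits a simplified, constructed model of such a tree for any path that reaches the contract without PingID. The node field names (source, on_success, on_fail, user_id_from, subject_from) are assumptions made for this example, not PingFederate's export or admin API format.

```python
# Simplified, constructed model of the policy tree from the steps above.
# Field names are assumptions for this example, not PingFederate's own format.
POLICY = {
    "source": "HTMLForm",
    "on_fail": "Done",
    "on_success": {
        "source": "PingID",
        "user_id_from": ("HTMLForm", "username"),   # Incoming User ID option
        "on_fail": "Done",
        "on_success": {"contract": "cyberark",
                       "subject_from": ("HTMLForm", "username")},
    },
}

# Constructed counter-example: first-factor success maps straight to the contract.
NO_MFA = {"source": "HTMLForm", "on_fail": "Done",
          "on_success": {"contract": "cyberark",
                         "subject_from": ("HTMLForm", "username")}}


def audit(node, mfa="PingID", passed=(), path="root"):
    """Return findings for every path that ends in a policy contract."""
    if isinstance(node, str):            # terminal action such as "Done"
        return []
    findings = []
    if "contract" in node:
        if mfa not in passed:
            findings.append(f"{path}: contract '{node['contract']}' reachable without {mfa}")
        src = node.get("subject_from", (None, None))[0]
        if src not in passed:
            findings.append(f"{path}: subject taken from '{src}', which did not succeed on this path")
        return findings
    name = node["source"]
    if name == mfa:
        src = node.get("user_id_from", (None, None))[0]
        if src not in passed:
            findings.append(f"{path}: {mfa} incoming user ID not taken from a completed adapter")
    # Only the Success branch counts this adapter as completed.
    findings += audit(node.get("on_success", "Done"), mfa, passed + (name,), f"{path}>{name}:success")
    findings += audit(node.get("on_fail", "Done"), mfa, passed, f"{path}>{name}:fail")
    return findings


if __name__ == "__main__":
    for label, tree in (("POLICY", POLICY), ("NO_MFA", NO_MFA)):
        print(label, audit(tree) or "ok")
```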