Use Cases

Configuring a PingFederate SAML connection for CyberArk PVWA

Set up a SAML connection using PingFederate for CyberArk Password Vault Web Access (PVWA).

Steps

  1. Go to Applications → Integration → SP Connections, and click Create Connection.

    Result:

    The SP Connection page opens.

    Screen capture showing the Connection Template tab on the SP Connection page with the "Do not use a template for this connection" option selected

  2. On the Connection Template tab, select Do not use a template for this connection. Click Next.

  3. On the Connection Type tab, select the Browser SSO Profiles checkbox. Click Next.

  4. On the Connection Options tab, make sure that the Browser SSO checkbox is selected. Click Next.

  5. On the Import Metadata tab, select None. Click Next.

  6. On the General Info tab:

    1. In the Partners Entity ID (Connection ID) field, enter PasswordVault.

    2. Enter a Connection Name value.

    3. Click Next.

  7. On the Browser SSO tab, click Configure Browser SSO.

    Result:

    The Browser SSO page opens.

    Screen capture showing the SAML Profiles tab on the Browser SSO page

  8. On the SAML Profiles tab, select the IDP-Initiated SSO and SP-Initiated SSO checkboxes. Click Next.

  9. On the Assertion Lifetime tab, in the Minutes Before and Minutes After fields, either leave the default setting of 5 or enter a different parameter value. Click Next.

  10. On the Assertion Creation tab, click Configure Assertion Creation.

    Result:

    A new Assertion Creation page opens.

    Screen capture showing the Identity Mapping tab on the Assertion Creation page with the "Standard" option selected.

  11. On the Identity Mapping tab, select Standard as the type of name identifier to send to the service provider. Click Next.

  12. On the Attribute Contract tab, in the SAML_SUBJECT row, in the Subject Name Format list, select an option. Click Next.

    The Extend the Contract field isn’t required.

  13. Add a policy contract:

    Choose from:

    • Select an existing policy contract by clicking on its name.

    • Create a new policy contract adapter for authentication:

      1. On the Authentication Source Mapping tab, click Map New Authentication Policy.

        The Authentication Policy Mapping page opens.

        Screen capture showing the Authentication Policy Contract tab on the Authentication Policy Mapping page

      2. On the Authentication Policy Contract tab, click Manage Policy Contracts.

      The Policy Contracts page opens.

      Screen capture showing the Policy Contracts page

      1. Click Create New Contract.

    The Authentication Policy Contract page opens.

    Screen capture showing the Contract Info tab on the Authentication Policy Contract page

    1. On the Contract Info tab, in the Contract Namefield, enter a name. Click Next.

    2. On the Contract Attributes tab, click Next.

    3. On the Summary tab, click Save.

    4. Click Done to return to the Authentication Policy Mapping page.

  14. Map the authentication policy:

    1. On the Authentication Policy Contract tab, in the Authentication Policy Contract list, select the desired policy contract. Click Next.

    2. On the Mapping Method tab, click Next.

    3. On the Attribute Contract Fulfillment tab, in the Source list, select an option.

    4. In the Value field, enter a value.

    5. Click Next.

    6. On the Issuance Criteria tab, click Next.

    7. On the Summary tab, click Done to return to the Assertion Creation page.

    8. On the Authentication Source Mapping tab, click Next.

    9. On the Summary tab, click Done to return to the Browser SSO page.

  15. Configure the protocol settings:

    1. On the Assertion Creation tab, click Next.

    2. On the Protocol Settings tab, click Configure Protocol Settings.

      Result:

      A new Protocol Settings page opens.

      Screen capture showing the Assertion Customer Service URL tab on the Protocol Settings page

    3. On the Assertion Consumer Service URL tab, enter the values as described in the following table.

      Value Entry

      Index

      0

      Binding

      POST

      Endpoint URL

      • For PVWA version 9, enter https://<your PVWA address>/passwordvault/auth/saml/.

      • For PVWA version 10, enter https://<your PVWA address>/passwordvault/api/auth/saml/logon.

    4. To set a particular assertion consumer URL as the default, select the Default checkbox in the applicable row and click Add. Click Next.

    5. On the Allowable SAML Bindings tab, clear the Artifact and SOAP checkboxes. Click Next.

    6. On the Signature Policy tab, make sure that all the checkboxes are cleared. Click Next.

      By default, no checkboxes are selected.

    7. On the Encryption Policy tab,verify the None is selected. Click Next.

    8. On the Summary tab, click Done to return to the Browser SSO page.

    9. On the Protocol Settings tab, click Next.

    10. On the Summary tab, click Done to return to the SP Connection page.

  16. On the Browser SSO tab, click Next.

  17. Complete the credentials configuration:

    1. On the Credentials tab, click Configure Credentials.

      Result:

      The Credentials page opens.

      Screen capture showing the Digital Signature Settings tab on the Credentials window

    2. In the Signing Certificate list, select the option to use for CyberArk (RSA SAH256).

      This certificate is provided to CyberArk in the SAML validation process.

    3. Click Next.

    4. On the Summary tab, click Done to return to the SP Connection page.

    5. On the Credentials tab, click Next.

  18. On the Activation & Summary tab, from the SSO Application Endpoint field, copy the IdP-initiated URL.

  19. Click Save.