CyberArk Password Vault Web Access - SAML My Page SSO Configuration - RSA Ready Implementation Guide
a year ago
Originally Published: 2021-10-07

This article describes how to integrate CyberArk Password Vault Web Access (PVWA) with RSA Cloud Authentication Service using My Page SSO.

    

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA using My Page SSO.

Procedure 

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Click Create From Template and select SAML Direct.
  3. On the Basic Information page, choose Cloud.
  4. Enter the name for the application and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Scroll down to the Service Provider section and enter the following details:
    1. ACS URL: Replace the <hostname> part in the URL to match actual hostname CyberArk uses for PVWA.
    2. Service Provider Entity ID: Entity ID for CyberArk PVWA.
  7. Scroll down to the Identity Provider section and make a note of the Identity Provider URL, which is required for the CyberArk PVWA configuration.
     
  8. Under Show IdP Advanced Configuration, proceed with the Default option for Identity Provider Entity ID and Audience for SAML Response.
  9. Under Message Protection, in the SAML Response Protection section, choose IdP signs assertion within response
  10. Download the certificate by clicking Download Certificate.
  11. Scroll down to the User Identity section and select the following:
    1. Identifier Type: Auto Detect
    2. Property: Auto Detect
  12. Click Next Step.
  13. In the Access Policy section, choose the policy for the application in the drop-down list.
     
  14. Click Next Step and click Save and Finish.
  15. Click Publish Changes and wait for the operation to be completed.

    Your application is now enabled for SSO. 

    

Configure CyberArk PVWA

Perform these steps to configure CyberArk PVWA.
Procedure

  1. In the PasswordVault folder (default location is inetpub > wwwroot > PasswordVault) make a copy of the saml.config.template file and rename it to saml.config.
  2. Edit the saml.config file with the following parameters:
    1. ServiceProvider Name: Service Provider Entity ID set in step 6 of the RSA configuration section.
    2. PartnerIdentityProvider Name: Identity Provider URL obtained in step 7 of the RSA configuration section.
    3. SingleSignOnServiceUrl: Identity Provider URL obtained in step 7 of the RSA configuration section.
    4. Certificate: The base 64 text representation of the certificate that is downloaded from the RSA configuration section.
  3. In the command prompt, run iisreset.
  4. Log on to Password Vault Web Access as an administrator.
  5. Navigate to Administration > Configuration Options > Options.
  6. Expand Authentication Methods and select saml.
  7. Set the Enabled option to Yes and update the DisplayName field to reflect what will be shown to the users. 
  8. Click Apply.
  9. In the Options pane, right-click Access Restriction, and then select Add AllowedReferrer.
  10. In the Allowed Referrer property, in BaseUrl, specify base URL part of the Identity Provider URL from the RSA configuration.
  11. Click Apply.
  12. Sign out of PVWA.

 

The configuration is complete.

Return to CyberArk Password Vault Web Access - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?