Certified: July 22, 2025
Solution Summary
This article describes the configuration steps involved in integrating CyberArk Vault with RSA ID Plus using RADIUS. Use this information to determine which use case and integration type your deployment will employ.
Use Case
CyberArk Vault can be integrated with RSA using RADIUS. When integrated, CyberArk Vault users must authenticate with RSA to sign in to CyberArk Vault.
Integration Types
RADIUS integrations provide a text-driven interface for RSA within the partner application. RADIUS provides support for most RSA authentication methods and flows.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with CyberArk Vault using each integration type.
CyberArk Vault Integration with Cloud Access Service (CAS)
| Authentication Methods | RSA MFA API (REST) | RADIUS | Relying Party | SSO |
| Approve | - | - | - | |
| LDAP Password | - | - | - | |
| SecurID OTP | - | - | - | |
| Authenticate OTP | - | - | - | |
| Device Biometrics | - | - | - | |
| SMS OTP | - | - | - | |
| Voice OTP | - | - | - | |
| FIDO Security Key | - | - | - | - |
| QR Code | - | - | - | - |
| Emergency Access Code | - | - | - |
CyberArk Vault Integration with Authentication Manager (AM)
| Authentication Methods | RSA MFA API (REST) | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | - | |
| On Demand Authentication | - | - | |
| Risk-Based Authentication | - | - |
| Supported | |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible |
| n/a | Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate CyberArk Vault with RSA for cloud administrators using all of the integration types.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and CyberArk Vault components must be installed and working prior to the integration.
All the supported use cases of RSA with CyberArk Vault require both server-side and client-side configuration changes. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
CAS
AM
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
| Previous Version | New Version | Examples/Comments |
| Cloud Authentication Service | Cloud Access Service | |
| Token | OTP Credential | SecurID OTP Credential |
| Authenticator | Hardware Authenticator | |
| Tokencode | OTP | SecurID OTP, SMS OTP, Voice OTP |
| Access Code | Emergency Access Code | |
| SecurID Authenticate app | RSA Authenticator app | RSA Authenticator app for iOS and Android, RSA Authenticator app for Windows |
| Device | Authenticator | Register an authenticator |
| Company ID | Organization ID | |
| Account | Credential | |
| Device Serial Number | Binding ID |
Certification Details
CAS
RSA Identity Router 12.22.0.0.32
AM 8.8 P 01
PrivateArk 9.10.5
PrivateArk Client 9.10.5
Known Issues
No known issues.
