IMPLEMENTING MFA FOR CYBERARK PVWA USING UPSSO SAML
This document provides instructions to implement MFA for CyberArk Version 10 PVWA application with UPSSO SAML integration.
PREREQUISITES
Access to the Windows server hosting CyberArk PVWA IIS application server
Administrator access to PVWA web portal
Administrator access to the UPSSO portal.
CONFIGURING PVWA IN UPSSO
Login into UPSSO portal (https://<UPSSO_SERVER_HOST>).
Click on “Application Management” from the menu, click on the “+ New Record” button, and click the saml application.
3. Click on the “CYBERARK-11.4” option.
4. Enter the PVWA IP address or domain name and click on the “SAVE” button.
DOWNLOAD THE IDP CERTIFICATE
Click on “IDP Resources” from the menu, click on “DOWNLOAD IDP METADATA XML”.
2. Copy and keep the certificate text in between the <ds:X509Certificate></ds:X509Certificate> as highlighted below,
CONFIGURING CYBERARK
Login into Cyberark PVWA web portal as administrator (URL = https://<PVWA_HOST>/PasswordVault)
2. Once login, From the left-hand side menu click on the “Administration -> Configuration Options” link.
The System Configuration page will be opening. Click on the “Options” edit button.
3. From the Options menu click on the “Authentication Methods -> saml” link.
4. Enter DisplayName as “2 Factor Authentication”.
5. Select Enabled as “Yes”.
6.Enter LogoffUrl as https://<UPSSO_SERVER_HOST>/upsso/logout
7. Click on Apply and OK.
8. Under the Options menu right click on “Access Restriction” and click on “Add AllowedReferrer”.
9. Enter BaseUrl as https://< UPSSO_SERVER_HOST >
10. Click on Apply and OK.
11. Logoff from the Cyberark portal.
12. If the CyberArk version is 11.3 or above, please skip the following instructions and go to the “SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE” section.
13. Login into Cyberark PVWA IIS Windows Box. Open C:\inetpub\wwwroot\PasswordVault\web.config file to edit.
14. Add these 3 elements under <appSettings> element,
<add key="IdentityProviderLoginURL" value="https://<UPSSO_SERVER_HOST>/upsso/upsso-service" />
<add key="IdentityProviderCertificate" value="<IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>" />
<add key="Issuer" value="PasswordVault" />Replace <UPSSO_SERVER_HOST> with UPSSO server IP address or hostname.
Replace <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE> with IDP certificate. Use the certificate string copied above.
15. Save the file.
16. Restart the IIS Server which is hosting Cyberark PVWA Web Portal.
Note: If PVWA is installed under load balancer setup then the above configurations should be done in all the PWVA nodes.
SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE
Please execute the following instructions only if the CyberArk version is 11.3 or above.
Login into CyberArk PVWA IIS Windows Box
Go to C:\inetpub\wwwroot\PasswordVault\ folder,
Make a copy of the saml.config.template file, and rename the copy to saml.config.
Edit the saml.config file as follows
SingleSignOnServiceUrl: https://<UPSSO_SERVER_HOST>/upsso/upsso-service
Certificate: <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>
PartnerIdentityProvider Name: https://<UPSSO_SERVER_HOST>/upsso/get-idp-metadata
ServiceProvider Name: https://<UPSSO_SERVER_HOST>/upsso/get-idp-metadata
5.Save the file.
6.Open the web.config file,
7.Make sure the following element is available under “<appSettings>” element,
<add key="UseNewSAMLSolution" value="Yes" />
8.Save the file.
Restart the IIS Server which is hosting CyberArk PVWA Web Portal.
Note: If PVWA is installed under load balancer setup then the above configurations should be done in all the PWVA nodes.
CyberArk PVWA Web Portal Login with UPSSO User.
Login as a user
2. Select Cyberark Application and OTP authentication method email, SMS or other methods
3. Enter the OTP received on email, SMS, or google authenticator etc.
4. Logged into PVWA portal.
SSO BYPASS LINK FOR CYBERARK
https://<YOUR DOMAIN>.cyberark.com/PasswordVault/v10/logon/cyberark
Only administrator could login to the above link
Non-admins should go through SSO for login
NOTE : Cyberark Administrators can choose the login method as Cyberark and login with their password