This document provides instructions for implementing MFA for the CyberArk Version 10 PVWA application through UPSSO SAML integration.

PREREQUISITES

  • Access to the Windows server hosting CyberArk PVWA IIS application server

  • Administrator access to PVWA web portal

  • Administrator access to the UPSSO portal.

CONFIGURING PVWA IN UPSSO

  1. Log in to the UPSSO portal (https://<UPSSO_SERVER_HOST>).

  2. Click on “Application Management” from the menu, click on the “+ New Record” button, and click on the SAML application.

  3. Click on the “CYBERARK-11.4” option.

  4. Enter the PVWA IP address or domain name and click on the “SAVE” button.

DOWNLOAD THE IDP CERTIFICATE

  1. Click on “IDP Resources” from the menu, then click on “DOWNLOAD IDP METADATA XML”.

  2. Copy and keep the certificate text between the <ds:X509Certificate></ds:X509Certificate> tags of the downloaded metadata; it is needed in the configuration steps below.
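The copy in step 2 can be scripted so that no line break or PEM header slips into the value. The following Python script is an added example, not part of the UPSSO or CyberArk documentation: it reads an IdP metadata XML file (here a constructed sample with a placeholder host and a placeholder base64 blob standing in for the real certificate), picks the certificate marked for signing rather than any encryption certificate, checks that the text is base64 DER, and returns it as the single line the later web.config or saml.config step needs. The function and file names are the example's own. It also reports the IdP SingleSignOnService URL so that it can be compared with the URL configured on the PVWA side.

```python
"""Pull the IdP signing certificate out of a SAML IdP metadata XML document and
collapse it to the single-line form expected by the PVWA configuration.

Added example, not part of the UPSSO or CyberArk documentation. The metadata
below is constructed: the host is a placeholder and the certificate body is a
placeholder base64 blob rather than a real X.509 certificate.
"""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata, wrapped across lines the way downloaded metadata
# files usually are. "MII..." is the usual start of a base64 DER certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://UPSSO_SERVER_HOST/upsso/get-idp-metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
MIIBsamplePLACEHOLDERcert
text0123456789ABCDEFGHI
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://UPSSO_SERVER_HOST/upsso/upsso-service"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_single_line(cert_text: str) -> str:
    """Strip PEM armour and all whitespace; reject anything that is not base64 DER."""
    single = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    single = re.sub(r"\s+", "", single)
    try:
        raw = base64.b64decode(single, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate text is not valid base64: {exc}") from exc
    # A DER-encoded certificate always begins with a SEQUENCE tag (0x30).
    if not raw or raw[0] != 0x30:
        raise ValueError("decoded certificate does not start with a DER SEQUENCE")
    return single


def extract_signing_certificate(metadata_xml: str) -> str:
    """Return the IdP signing certificate from metadata as one base64 line."""
    root = ET.fromstring(metadata_xml)
    # Prefer the KeyDescriptor explicitly marked for signing; metadata may also
    # carry an encryption certificate, which is the wrong one to configure for
    # verifying assertion signatures.
    certs = root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not certs:
        # A KeyDescriptor without a use attribute applies to both signing and encryption.
        certs = [
            c
            for kd in root.findall(".//md:KeyDescriptor", NS)
            if kd.get("use") is None
            for c in kd.findall(".//ds:X509Certificate", NS)
        ]
    if not certs:
        raise ValueError("metadata contains no signing X509Certificate")
    if len(certs) > 1:
        print(f"warning: {len(certs)} signing certificates found, using the first", file=sys.stderr)
    return to_single_line(certs[0].text or "")


def sso_service_url(metadata_xml: str) -> str:
    """Return the IdP SingleSignOnService Location, for cross-checking against the
    IdentityProviderLoginURL / SingleSignOnServiceUrl value you configure."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None:
        raise ValueError("metadata contains no SingleSignOnService")
    return sso.get("Location", "")


if __name__ == "__main__":
    # Usage: python idp_cert.py [idp-metadata.xml]; without a file the constructed
    # sample above is used.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print("SSO URL    :", sso_service_url(xml_text))
    print("Certificate:", extract_signing_certificate(xml_text))
```

The DER check matters in practice: a value that is valid base64 but not a certificate (for example the metadata's signature value pasted by mistake) would only surface later as a failed logon, whereas here it is rejected before it reaches web.config.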

CONFIGURING CYBERARK

  1. Log in to the CyberArk PVWA web portal as administrator (URL = https://<PVWA_HOST>/PasswordVault).

  2. Once logged in, click on the “Administration -> Configuration Options” link in the left-hand menu.

     The System Configuration page opens. Click on the “Options” edit button.

  3. From the Options menu click on the “Authentication Methods -> saml” link.

  4. Enter DisplayName as “2 Factor Authentication”.

  5. Select Enabled as “Yes”.

  6. Enter LogoffUrl as https://<UPSSO_SERVER_HOST>/upsso/logout

  7. Click on Apply and OK.

  8. Under the Options menu, right-click on “Access Restriction” and click on “Add AllowedReferrer”.

  9. Enter BaseUrl as https://<UPSSO_SERVER_HOST>

  10. Click on Apply and OK.

  11. Log off from the CyberArk portal.

  12. If the CyberArk version is 11.3 or above, skip the remaining steps in this section and go to the “SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE” section.

  13. Log in to the Windows server hosting the CyberArk PVWA IIS application and open the C:\inetpub\wwwroot\PasswordVault\web.config file for editing.

  14. Add these 3 elements under the <appSettings> element:

    <add key="IdentityProviderLoginURL" value="https://<UPSSO_SERVER_HOST>/upsso/upsso-service" />

    <add key="IdentityProviderCertificate" value="<IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>" />

    <add key="Issuer" value="PasswordVault" />

Replace <UPSSO_SERVER_HOST> with the UPSSO server IP address or hostname.

Replace <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE> with the IdP certificate string copied above, written as a single line.

  15. Save the file.

  16. Restart the IIS server hosting the CyberArk PVWA web portal.

Note: If PVWA is deployed behind a load balancer, the above configuration must be applied on all PVWA nodes.

SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE

Execute the following instructions only if the CyberArk version is 11.3 or above.

  1. Log in to the Windows server hosting the CyberArk PVWA IIS application.

  2. Go to the C:\inetpub\wwwroot\PasswordVault\ folder.

  3. Make a copy of the saml.config.template file and rename the copy to saml.config.

  4. Edit the saml.config file as follows:

SingleSignOnServiceUrl: https://<UPSSO_SERVER_HOST>/upsso/upsso-service

Certificate: <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>

PartnerIdentityProvider Name: https://<UPSSO_SERVER_HOST>/upsso/get-idp-metadata

ServiceProvider Name: https://<UPSSO_SERVER_HOST>/upsso/get-idp-metadata

  5. Save the file.

  6. Open the web.config file.

  7. Make sure the following element is present under the <appSettings> element:

    <add key="UseNewSAMLSolution" value="Yes" />

  8. Save the file.

  9. Restart the IIS server hosting the CyberArk PVWA web portal.

Note: If PVWA is deployed behind a load balancer, the above configuration must be applied on all PVWA nodes.
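Both web.config edits in this document (step 14 of CONFIGURING CYBERARK for versions before 11.3, and step 7 above for 11.3 or later) add or change keys under <appSettings>, and on a load-balanced deployment the same edit has to land identically on every PVWA node. The following Python script is an added example, not CyberArk's or UPSSO's tooling; it assumes the standard ASP.NET web.config layout, works on a constructed sample, and uses placeholder values for UPSSO_SERVER_HOST and the certificate. It updates existing keys in place, appends missing ones, preserves other settings and XML comments, takes a backup before writing, and can be re-run without creating duplicate <add> elements.

```python
"""Idempotently set SAML-related keys in the PVWA web.config <appSettings>.

Added example; this is not CyberArk's or UPSSO's own tooling. It assumes the
standard ASP.NET web.config layout (<configuration><appSettings><add key=.. value=../>).
SAMPLE_WEB_CONFIG is constructed, and UPSSO_SERVER_HOST and
IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE are placeholders for the real values.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample web.config with a pre-existing key and a comment that must survive.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- comments must survive the edit -->
  <appSettings>
    <add key="UseNewSAMLSolution" value="No" />
    <add key="SomeExistingKey" value="keep-me" />
  </appSettings>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""

# Step 14 of CONFIGURING CYBERARK (versions before 11.3): the three legacy keys.
LEGACY_SAML_KEYS = {
    "IdentityProviderLoginURL": "https://UPSSO_SERVER_HOST/upsso/upsso-service",
    "IdentityProviderCertificate": "IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE",
    "Issuer": "PasswordVault",
}

# Step 7 of the 11.3-or-above section: switch PVWA to the saml.config-based solution.
NEW_SAML_KEYS = {"UseNewSAMLSolution": "Yes"}

XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'


def _parse(web_config_xml: str) -> ET.Element:
    # Keep XML comments (the default TreeBuilder drops them), so the edited file
    # still carries whatever notes the administrators left in it.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(web_config_xml, parser=parser)


def get_app_settings(web_config_xml: str) -> dict:
    """Return {key: value} for every <add> under <appSettings>."""
    root = _parse(web_config_xml)
    return {e.get("key"): e.get("value") for e in root.findall("appSettings/add")}


def set_app_settings(web_config_xml: str, settings: dict) -> str:
    """Set each key to its value: update in place if present, append if not.
    Other keys and elements are left untouched, and re-running with the same
    settings changes nothing (no duplicate <add> elements)."""
    root = _parse(web_config_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    existing = {e.get("key"): e for e in app.findall("add")}
    for key, value in settings.items():
        if key in existing:
            existing[key].set("value", value)
        else:
            ET.SubElement(app, "add", key=key, value=value)
    ET.indent(root, space="  ")  # Python 3.9+; gives appended elements proper indentation
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def apply_to_file(path: str, settings: dict) -> None:
    """Back up web.config to web.config.bak, then write the updated settings."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8-sig") as f:  # tolerate a UTF-8 BOM
        original = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_app_settings(original, settings))


if __name__ == "__main__":
    # Usage: python pvwa_appsettings.py [path\to\web.config] [legacy|new]
    # Without arguments, print the result on the constructed sample.
    mode = sys.argv[2] if len(sys.argv) > 2 else "legacy"
    chosen = NEW_SAML_KEYS if mode == "new" else LEGACY_SAML_KEYS
    if len(sys.argv) > 1:
        apply_to_file(sys.argv[1], chosen)
    else:
        print(set_app_settings(SAMPLE_WEB_CONFIG, chosen))
```

Run it once per node with the same arguments; because the write is idempotent, comparing get_app_settings() output across nodes is a quick way to confirm they are configured identically before the IIS restart.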

CYBERARK PVWA WEB PORTAL LOGIN WITH UPSSO USER

  1. Log in as a user.

  2. Select the CyberArk application and an OTP authentication method (email, SMS or another available method).

  3. Enter the OTP received via email, SMS, Google Authenticator, etc.

  4. You are logged in to the PVWA portal.

SSO BYPASS LINK FOR CYBERARK

https://<YOUR DOMAIN>.cyberark.com/PasswordVault/v10/logon/cyberark

Only administrators can log in using the above link.

Non-admins must go through SSO to log in.

NOTE: CyberArk administrators can choose CyberArk as the login method and log in with their password.