CyberArk Password Vault Web Access - SAML Relying Party Configuration - RSA Ready Implementation Guide
Originally Published: 2021-10-07

This article describes how to configure RSA with CyberArk Password Vault Web Access (PVWA) using SAML Relying Party.


Configure RSA Cloud Authentication Service

Perform these steps to configure CyberArk PVWA as a Relying Party to RSA.

Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter a Name for the Service Provider in the Name field.
  6. Click Next Step.
  7. On the Authentication page, choose SecurID Access manages all authentication.
  8. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured.
  9. Click Next Step.
  10. On the Connection Profile page, choose Enter Manually for Data Input Method.
  11. Scroll down to the Service Provider section and enter the following details:
    1. ACS URL: Replace the <hostname> part of the URL with the actual hostname that CyberArk uses for PVWA.
    2. Service Provider Entity ID: The Entity ID for CyberArk PVWA.
  12. Under the Message Protection, in the SAML Response Protection section, choose IdP signs assertion within response.
  13. Download the certificate by clicking Download Certificate.
  14. Expand the Show Advanced Configuration section.
  15. Scroll down to the User Identity section and select the following:
    1. Identifier Type: Auto Detect
    2. Property: Auto Detect

  16. Scroll down to the Identity Provider section and take note of the Entity ID. It is used later in the Configure CyberArk PVWA section.
  17. Click Save and Finish.
  18. Click Publish Changes and wait for the operation to be completed.

    Your application is now enabled for SSO. 


Configure CyberArk PVWA

Perform these steps to configure CyberArk PVWA.
Procedure

  1. In the PasswordVault folder (default location is inetpub > wwwroot > PasswordVault), make a copy of the saml.config.template file and rename it to saml.config.
  2. Edit the saml.config file with the following parameters:
    1. ServiceProvider Name: The Service Provider Entity ID set in step 11 of the RSA configuration section.
    2. PartnerIdentityProvider Name: The Identity Provider URL obtained in step 16 of the RSA configuration section.
    3. SingleSignOnServiceUrl: The Identity Provider URL obtained in step 16 of the RSA configuration section.
    4. Certificate: The Base64 text representation of the certificate downloaded in step 13 of the RSA configuration section.
  3. In the command prompt, run iisreset.
  4. Log on to PVWA as an administrator.
  5. Navigate to Administration > Configuration Options > Options.
  6. Expand Authentication Methods and select saml.
  7. Set the Enabled option to Yes and update the DisplayName field to reflect what will be shown to the users. 
  8. Click Apply.
  9. In the Options pane, right-click Access Restriction, and then select Add AllowedReferrer.
  10. In the Allowed Referrer property, set BaseUrl to the base URL part of the Identity Provider URL from the RSA configuration.
  11. Click Apply.
  12. Sign out of PVWA.
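The saml.config parameters above and the Allowed Referrer BaseUrl are all derived from a handful of values taken from the RSA console, and most failed first logins come from pasting them inconsistently (a PEM header left in the Certificate value, line breaks inside the Base64 text, the <hostname> placeholder not replaced, a referrer that does not match the IdP origin). The following Python script is an added example, not code from this guide, RSA or CyberArk: it normalizes and sanity-checks those inputs before they are written into saml.config. The entity IDs, SSO URL and certificate bytes are constructed placeholders; the DER check only confirms that the decoded bytes form one complete ASN.1 SEQUENCE, which is the outer shape of any X.509 certificate, and the referrer base URL is derived as scheme plus host from the SSO URL, an assumption about what the Allowed Referrer BaseUrl should contain.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample values (placeholders for illustration, not real tenant data).
SP_ENTITY_ID = "https://pvwa.example.com/PasswordVault"        # Service Provider Entity ID (step 11)
IDP_ENTITY_ID = "https://idp.example.com/saml/idp"             # assumed shape of the IdP Entity ID (step 16)
SSO_URL = "https://idp.example.com/saml/sso?client=pvwa"       # assumed shape of the IdP SSO URL
# Constructed PEM whose body is the 5-byte DER SEQUENCE 30 03 02 01 01 (not a real certificate).
DOWNLOADED_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"

_PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def _der_sequence_spans(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: low 7 bits give byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def normalize_certificate(text: str) -> str:
    """Strip PEM armor and whitespace, then verify the remainder is Base64 DER.

    Returns the single-line Base64 string that belongs in the Certificate parameter.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not _PEM_LINE.match(ln))
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate is not valid Base64: {exc}") from exc
    if not _der_sequence_spans(der):
        raise ValueError("decoded bytes are not a single DER SEQUENCE (not a DER certificate)")
    return body


def certificate_fingerprint(b64: str) -> str:
    """SHA-256 fingerprint (colon separated) to compare with what the IdP console shows."""
    digest = hashlib.sha256(base64.b64decode(b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def referrer_base_url(sso_url: str) -> str:
    """Base URL (scheme://host[:port]) of the IdP SSO URL for the Allowed Referrer BaseUrl."""
    parts = urlparse(sso_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"SSO URL must be an absolute https URL: {sso_url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def _check_no_placeholder(name: str, value: str) -> str:
    if "<hostname>" in value or "<" in value or ">" in value:
        raise ValueError(f"{name} still contains a placeholder: {value!r}")
    return value


def build_settings(sp_entity_id: str, idp_entity_id: str, sso_url: str, cert_text: str) -> dict:
    """Return the saml.config parameters named in this guide plus the referrer BaseUrl."""
    return {
        "ServiceProvider Name": _check_no_placeholder("ServiceProvider Name", sp_entity_id),
        "PartnerIdentityProvider Name": _check_no_placeholder("PartnerIdentityProvider Name", idp_entity_id),
        "SingleSignOnServiceUrl": referrer_base_url(sso_url) and sso_url,
        "Certificate": normalize_certificate(cert_text),
        "AllowedReferrer BaseUrl": referrer_base_url(sso_url),
    }


if __name__ == "__main__":
    settings = build_settings(SP_ENTITY_ID, IDP_ENTITY_ID, SSO_URL, DOWNLOADED_PEM)
    for key, value in settings.items():
        print(f"{key}: {value}")
    print("Certificate SHA-256:", certificate_fingerprint(settings["Certificate"]))
```

Run it against the certificate file downloaded in the RSA section and the values you noted; the fingerprint line is the quick way to confirm that the text pasted into saml.config is the certificate the IdP actually signs assertions with.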


The configuration is complete.
