Integration with CyberArk
Overview
This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's CyberArk Privileged Access Security (PAS) users. This integration will allow your users to log in to CyberArk Password Vault Web Access (PVWA) application leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.
Before you Begin
You will need the following resources and privileges to complete this integration:
- Admin access to the following:
- BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
- CyberArk PAS instance V10.1 or higher that supports SAML integration
- Install on your mobile device:
- BlockID mobile application (Compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.
Assumptions
- With the above prerequisites, you should now successfully be registered and be able to login to:
- Your organization's CyberArk PAS instance with access to the administrative console.
- BlockID Admin Console application. Ensure the email address used to log in to this application is the same as the one used to log in to the CyberArk PAS account.
- Installed and registered the BlockID mobile application.
- Launch the BlockID mobile application and follow the on-screen instructions to register your app with the BlockID platform to enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for step by step understanding of the biometrics enrollment process within the BlockID mobile application.
There are two sets of configurations that need to be performed to enable this integration:
- Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk PAS.
- Configure CyberArk PAS as a Service Provider (SP) within your BlockID Tenant.
List of Topics:
- Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant
- Configure the BlockID tenant metadata
- Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant
- Test the SAML Single Sign-On Connection
Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk PVWA
Steps mentioned in the guide are given as per the workflow provided in the CyberArk PAS V10.8.0.
PVWA Web Server Configurations within the PasswordVault web.config file
The PVWA is a web application that is deployed on each Windows server for an enterprise. An administrator needs to configure the IDP details within the web.config file of each Windows server (webserver) that hosts an instance of PVWA web application.
- Locate and open the web.config file within the installation folder from the default location:
<drive>:\inetpub\wwwroot\PasswordVault
- In the web.config file, enter the following details:
- In the
<appSettings>
tag:IdentityProviderLoginURL
key: Enter your IDP sign-on URL under the value ="<LoginURLofyourIDP>
“. To get the IDP Single Sign-On URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and click on the URI link provided under the Identity provider’s column. In the IDP Service URL End Points tab, copy the URL available under the Single SignOn Service field.IdentityProviderCertificate
key: Enter the certificate details in the value section ="<certificateDetails>
“. To check the steps on getting certificate details, visit Configure the BlockID tenant metadata topic.Issuer
key: ‘PasswordVault’
- In the
For Version 11.2 and below
- From the
PasswordVault
installation folder, make a copy of thesaml.config.template
file, and rename the copy tosaml.config
.
The default location of the PasswordVault
installation folder is \Inetpub\wwwroot\PasswordVault
.
- In the saml.config file, enter the following details:
SingleSignOnServiceUrl
key: Enter your IDP sign-on URL under the value section ="<LoginURLofyourIDP>
“. To get the IDP Single Sign-On URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and click on the URI link provided under the Identity provider’s column. In the IDP Service URL End Points tab, copy the URL available under the Single SignOn Service field.Certificate
: Enter the certificate details in the value section ="<certificateDetails>
“. To check the steps on getting certificate details, visit Configure the BlockID tenant metadata topic.PartnerIdentityProvider Name
: The default value is ‘PasswordVault’. Enter the IdP identifier that enables the PVWA to identify the IDP. It is the EntityID of the IDP.ServiceProvider Name
: The Issuer string that enables the PVWA to identify itself to the IDP. Also known as the EntityID. It must be identical to the Audience defined in the IDP.
- To support signed requests:
- Add the following to the ServiceProvider element:
<LocalCertificates>
<Certificate FileName="<local certificate path>" Password="<the password you set for the certificate>" />
</LocalCertificates>
- Add the following to the ServiceProvider element:
- Add the following attribute to the PartnerIdentityProvider element:
SignAuthnRequest="true"
- To support encrypted assertion:
- Add the following within the ServiceProvider element:
<LocalCertificates>
<Certificate FileName="<the exported certificate path>" Password="<the password you set for the certificate>" />
</LocalCertificates> - Supply the certificate's public key to the IDP to encrypt the assertion.
To support force authentication, add the following attribute to the PartnerIdentityProvider element:
forceAuthn="true"
.
For Version 11.3 and above
- Open the saml.config file located in the installation folder (the default location is
\Inetpub\wwwroot\PasswordVault
), and configure the value forPartnerIdentityProvider Name
parameter. The remaining parameters are configured during the upgrade process. - Open the
web.config
file located in the installation folder, and, in theappSettings
tag, enter the value asYes
theUseNewSAMLSolution
parameter toYes
.
Configure the PVWA web application
- Login to the PVWA web application as an Administrator on the Windows server where the CyberArk application is installed.
- From the left pane, navigate to Administration > Configuration Options > Options.
- In the Options section, click Authentication Methods and click saml.
- In the Properties subsection, enter the following information:
- DisplayName: Enter the name of your identity provider. For example, Login using BlockID.
- Enabled: Select
Yes
. - LogoffUrl: Enter the logoff page of your IDP. Get this URL from the Configure the BlockID tenant metadata topic.
- Note: If you do not have the IDP logoff URL, leave this field blank. Users will be authenticated to the PVWA as long as they are authenticated to your IDP.
- Click Apply.
- In the Properties subsection, enter the following information:
- In the Options section, right-click
Access Restriction
, and select Add AllowedReferrer. - In the Properties subsection, enter the following information:
- BaseURL: Enter your domain IDP URL. To get the base IDP URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and copy the IDP link provided under the Identity provider’s column.
- Click Apply.
Configure the BlockID tenant metadata
- Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format:
https://<customer_name>.1kosmos.net/default/metadata
. The XML metadata information file is displayed. - From the XML metadata information file, copy and save the values of the following keys to use while performing the Microsoft ADFS SAML integration configuration:
- entityID: The example of its value is:
https:// <customer_name>.1kosmos.net/default/idp1
- SingleSignOnService URL:
https://<customer_name>.1kosmos.net/default/SingleSignOnService
- SingleLogoutService URL:
https://<customer_name>.1kosmos.net/default/SingleLogOutService
- X509Certificate:
- Copy the certificate details and save them in the following format:
-----BEGIN CERTIFICATE-----
Certificate details
-----END CERTIFICATE----- - Save the certificate with
.cert
extension.
- Copy the certificate details and save them in the following format:
- entityID: The example of its value is:
Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant
Set IDP Assertion Claim details
Perform the below-mentioned steps:
- Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
- In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
- Map the
nameIdentifier
towinlogin
. - Click Save.
- Map the
These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.
Add CyberArk PVWA as a Service Provider
- In the SAMLv2 screen, click Service Providers.
- On the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the CyberArk PVWA option.
- In the Onboard CyberArk PVWA as a SAMLv2 Service Provider** window, enter details for the following fields:Note:
In case, if your client do not share their CyberArk PVWA's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their CyberArk PVWA.
- Application Label: Enter the appropriate name for your organization’s CyberArk PVWA application as a service provider.
- Entity ID: Enter the unique entityId URL specified in your single-sign on settings in CyberArk PVWA. This will the same value mentioned in the
- Login URL: Enter the login URL specified in your single-sign on settings in CyberArk PVWA.
- Click Onboard CyberArk PVWA.
- Click on the newly added CyberArk PVWA as a service provider link.
- In the Edit screen:
- In the SP Core Configuration tab: check the following details are selected:
- Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
- NameID Value:
nameidentifier
.
- In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
- nameIdentifier
- In the SP Service URL End Points tab:
- Select
POST
. - Ensure CyberArk PVWA login URL is added.
- Select
- Click Confirm and Save.
- In the SP Core Configuration tab: check the following details are selected:
Test the SAML Single Sign-On Connection
- In your browser, enter your organization’s CyberArk PVWA URL. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
- On the BlockID mobile application’s Home screen, click ‘Scan QR’.
- Scan the QR code. The confirmation pop-up window is displayed asking to
Allow BlockID to access this device’s location?
. - In the confirmation pop-up window, select
Allow only while using the app
. The Authentication screen is displayed with thePlease authenticate using <Biometric_option> from 1kosmos
message. - Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with
Thank you! You have successfully authenticated to Log In
message upon successful authentication. - You will be logged in to your CyberArk PVWA account.