Integration with CyberArk

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's CyberArk Privileged Access Security (PAS) users. This integration will allow your users to log in to CyberArk Password Vault Web Access (PVWA) application leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

1. Admin access to the following:
   • BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
   • CyberArk PAS instance V10.1 or higher that supports SAML integration
2. Install on your mobile device:
   • BlockID mobile application (Compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.

Assumptions

1. With the above prerequisites, you should now successfully be registered and be able to login to:
   • Your organization's CyberArk PAS instance with access to the administrative console.
   • BlockID Admin Console application. Ensure the email address used to log in to this application is the same as the one used to log in to the CyberArk PAS account.
2. Installed and registered the BlockID mobile application.
   • Launch the BlockID mobile application and follow the on-screen instructions to register your app with the BlockID platform to enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for step by step understanding of the biometrics enrollment process within the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk PAS.
2. Configure CyberArk PAS as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk PAS

• Create a claims provider trust using metadata

2. Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant
   • PVWA Web Server Configurations within the PasswordVault web.config file
     • For Version 11.2 and below:
     • For Version 11.3 and above:
   • Configure the PVWA web application:
3. Configure the BlockID tenant metadata
4. Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant
5. Test the SAML Single Sign-On Connection

Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk PVWA

Note:

Steps mentioned in the guide are given as per the workflow provided in the CyberArk PAS V10.8.0.

PVWA Web Server Configurations within the PasswordVault web.config file

The PVWA is a web application that is deployed on each Windows server for an enterprise. An administrator needs to configure the IDP details within the web.config file of each Windows server (webserver) that hosts an instance of PVWA web application.

1. Locate and open the web.config file within the installation folder from the default location: <drive>:\inetpub\wwwroot\PasswordVault
2. In the web.config file, enter the following details:
   • In the <appSettings> tag:
     • IdentityProviderLoginURL key: Enter your IDP sign-on URL under the value ="<LoginURLofyourIDP>“. To get the IDP Single Sign-On URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and click on the URI link provided under the Identity provider’s column. In the IDP Service URL End Points tab, copy the URL available under the Single SignOn Service field.
     • IdentityProviderCertificate key: Enter the certificate details in the value section ="<certificateDetails>“. To check the steps on getting certificate details, visit Configure the BlockID tenant metadata topic.
     • Issuer key: ‘PasswordVault’

For Version 11.2 and below

1. From the PasswordVault installation folder, make a copy of the saml.config.template file, and rename the copy to saml.config.

tip

The default location of the PasswordVault installation folder is \Inetpub\wwwroot\PasswordVault.

2. In the saml.config file, enter the following details:
   • SingleSignOnServiceUrl key: Enter your IDP sign-on URL under the value section ="<LoginURLofyourIDP>“. To get the IDP Single Sign-On URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and click on the URI link provided under the Identity provider’s column. In the IDP Service URL End Points tab, copy the URL available under the Single SignOn Service field.
   • Certificate: Enter the certificate details in the value section ="<certificateDetails>“. To check the steps on getting certificate details, visit Configure the BlockID tenant metadata topic.
   • PartnerIdentityProvider Name: The default value is ‘PasswordVault’. Enter the IdP identifier that enables the PVWA to identify the IDP. It is the EntityID of the IDP.
   • ServiceProvider Name: The Issuer string that enables the PVWA to identify itself to the IDP. Also known as the EntityID. It must be identical to the Audience defined in the IDP.
3. To support signed requests:
   • Add the following to the ServiceProvider element:

     <LocalCertificates>
     <Certificate FileName="<local certificate path>" Password="<the password you set for the certificate>" />
     </LocalCertificates>
4. Add the following attribute to the PartnerIdentityProvider element: SignAuthnRequest="true"
5. To support encrypted assertion:
   • Add the following within the ServiceProvider element:

   <LocalCertificates>
   <Certificate FileName="<the exported certificate path>" Password="<the password you set for the certificate>" />
   </LocalCertificates>
6. Supply the certificate's public key to the IDP to encrypt the assertion. To support force authentication, add the following attribute to the PartnerIdentityProvider element: forceAuthn="true".

For Version 11.3 and above

1. Open the saml.config file located in the installation folder (the default location is \Inetpub\wwwroot\PasswordVault), and configure the value for PartnerIdentityProvider Name parameter. The remaining parameters are configured during the upgrade process.
2. Open the web.config file located in the installation folder, and, in the appSettings tag, enter the value as Yes the UseNewSAMLSolution parameter to Yes.

Configure the PVWA web application

1. Login to the PVWA web application as an Administrator on the Windows server where the CyberArk application is installed.
2. From the left pane, navigate to Administration > Configuration Options > Options.
3. In the Options section, click Authentication Methods and click saml.
   • In the Properties subsection, enter the following information:
     • DisplayName: Enter the name of your identity provider. For example, Login using BlockID.
     • Enabled: Select Yes.
     • LogoffUrl: Enter the logoff page of your IDP. Get this URL from the Configure the BlockID tenant metadata topic.
     • Note: If you do not have the IDP logoff URL, leave this field blank. Users will be authenticated to the PVWA as long as they are authenticated to your IDP.
     • Click Apply.
4. In the Options section, right-click Access Restriction, and select Add AllowedReferrer.
5. In the Properties subsection, enter the following information:
6. BaseURL: Enter your domain IDP URL. To get the base IDP URL from your BlockID Admin Console, navigate to *Administration Console > Federation > SAMLv2* and copy the IDP link provided under the Identity provider’s column.
7. Click Apply.

Configure the BlockID tenant metadata

1. Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata. The XML metadata information file is displayed.
2. From the XML metadata information file, copy and save the values of the following keys to use while performing the Microsoft ADFS SAML integration configuration:
   • entityID: The example of its value is: https:// <customer_name>.1kosmos.net/default/idp1
   • SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService
   • SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleLogOutService
   • X509Certificate:
     • Copy the certificate details and save them in the following format:

       -----BEGIN CERTIFICATE-----
       Certificate details
       -----END CERTIFICATE-----
     • Save the certificate with .cert extension.

Configure CyberArk PVWA as a Service Provider (SP) within your BlockID Tenant

Set IDP Assertion Claim details

Perform the below-mentioned steps:

1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
   • Map the nameIdentifier to winlogin.
   • Click Save.

Note:

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add CyberArk PVWA as a Service Provider

1. In the SAMLv2 screen, click Service Providers.
2. On the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the CyberArk PVWA option.
3. In the Onboard CyberArk PVWA as a SAMLv2 Service Provider** window, enter details for the following fields:
   Note:

   In case, if your client do not share their CyberArk PVWA's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their CyberArk PVWA.

   • Application Label: Enter the appropriate name for your organization’s CyberArk PVWA application as a service provider.
   • Entity ID: Enter the unique entityId URL specified in your single-sign on settings in CyberArk PVWA. This will the same value mentioned in the
   • Login URL: Enter the login URL specified in your single-sign on settings in CyberArk PVWA.
   • Click Onboard CyberArk PVWA.
4. Click on the newly added CyberArk PVWA as a service provider link.
5. In the Edit screen:
   • In the SP Core Configuration tab: check the following details are selected:
     • Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
     • NameID Value: nameidentifier.
   • In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
     • nameIdentifier
   • In the SP Service URL End Points tab:
     • Select POST.
     • Ensure CyberArk PVWA login URL is added.
   • Click Confirm and Save.

Test the SAML Single Sign-On Connection

1. In your browser, enter your organization’s CyberArk PVWA URL. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
2. On the BlockID mobile application’s Home screen, click ‘Scan QR’.
3. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
4. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
5. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log In message upon successful authentication.
6. You will be logged in to your CyberArk PVWA account.