Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            [CyberArk] Enable SAML Authentication with Azure

            Modified on Thu, 22 Aug 2019 at 05:40 PM

            In order to enable SAML authentication to CyberArk PAS through Azure, the following tasks should be done:


            1. Inside Azure portal, create a new enterprise application and go into Single Sign-On menu.

            Within edit the following settings:

            Basic SAML Configuration box:

                * Identifier: PasswordVault

                * Reply URL: https://PVWA_SERVER/PasswordVault/api/auth/saml/logon

            * Make sure Sign on URL, Relay State and Logout Url are left unset.

            SAML Signing certificate box:

            * Signing option: Sign SAML assertion

            * Signing algorithm: SHA-256


                * Retrieve the Base64 certificate generated (we will need its text soon when configuring PVWA)


                User Attributes & Claims box:

            Claim nameVALUE
            http://schemas......./claims/emailaddressuser.mail
            http://schemas......./claims/givennameuser.givenname
            http://schemas......./claims/nameuser.principalname
            http://schemas......./claims/nameidentifierExtractMailPrefix(user.userprincipalname)
            http://schemas......./claims/surnameuser.surname

                

                Set up "App name" box:

            Copy login URL

            Copy logout URL


            2. Configure PVWA as said in CyberArk online help:

                https://cyberarkdocu.azurewebsites.net/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/SAML-Authentication.htm?Highlight=SAML


            Go into the PVWA portal and navigate to options.

            Within there go to Authentication methods and into SAML.

            There change Enabled to Yes, and change LogoffUrl to the <Logout URL> copied earlier.


            Then, look for Access Restriction menu, right click it and add new "Add AllowedReferrer"

            Write there the <login URL> copied from azure

            If MFA is required, add another 2 URLS ("Add AllowedReferrer" again) and write the following URL:

            https://login.microsoftonline.com/common/SAS/ProcessAuth

            https://login.microsoftonline.com 

            Apply and save changes.


            Within the PVWA server itself, go the PasswordVault folder (can go by opening IIS manager and right clicking PasswordVault and selecting "Explore").

            Edit web.config with notepad and change the following lines:
            * IdentityProviderLoginURL = <Login URL> copied from Amazon

            * IdentityProviderCerificate = The content of the Base64 certificate downloaded earlier (without BEGIN and END lines) - yeah it is long, no worries about new lines and such within the file

            * Issuer = PasswordVault


            Restart the IIS.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0