[CyberArk] Enable SAML Authentication with Azure

Modified on Thu, 22 Aug, 2019 at 5:40 PM

To enable SAML authentication to CyberArk PAS (PVWA) with Azure AD as the identity provider, complete the following two tasks:


1. In the Azure portal, create a new enterprise application and open its Single sign-on page.

Edit the following settings there:

Basic SAML Configuration box:

    * Identifier (Entity ID): PasswordVault

    * Reply URL (Assertion Consumer Service URL): https://PVWA_SERVER/PasswordVault/api/auth/saml/logon (replace PVWA_SERVER with the host name users use to reach PVWA; it must match the URL of the PVWA site, not an internal alias)

    * Leave Sign on URL, Relay State and Logout Url unset.

SAML Signing Certificate box:

    * Signing option: Sign SAML assertion

    * Signing algorithm: SHA-256

    * Download the Base64 certificate; its text is needed later when configuring PVWA.


User Attributes & Claims box:

    Claim name                                  | Value
    --------------------------------------------|------------------------------------------
    http://schemas......./claims/emailaddress   | user.mail
    http://schemas......./claims/givenname      | user.givenname
    http://schemas......./claims/name           | user.userprincipalname
    http://schemas......./claims/nameidentifier | ExtractMailPrefix(user.userprincipalname)
    http://schemas......./claims/surname        | user.surname

    The nameidentifier claim (the SAML NameID) is what PVWA maps to the Vault user name. ExtractMailPrefix() strips the domain from the UPN, so a user with UPN jdoe@example.com logs in as the Vault user jdoe; without it the NameID would be the full UPN and would not match.

    

Set up "App name" box:

    * Copy the Login URL.

    * Copy the Logout URL.
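If logon fails after the Azure side is configured, the fastest check is to decode the SAMLResponse that Azure posts to the Reply URL (for example from the browser's developer tools) and compare it with the values above. The following is an added example, not CyberArk or Microsoft code; it checks the Destination, Audience, signature placement and algorithm, validity window and NameID form, but does not verify the XML signature itself (PVWA does that with the certificate configured in web.config). The sample response embedded in it is constructed for the example, with PVWA_SERVER and TENANT_ID as placeholders and a dummy signature value.

```python
"""Sanity-check a SAMLResponse from Azure AD against the values PVWA expects.

Added example, not CyberArk or Microsoft code. It checks the fields that are most
often misconfigured; it does NOT verify the XML signature, PVWA does that with the
IdentityProviderCertificate from web.config.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# The Identifier and Reply URL entered in Azure (PVWA_SERVER is a placeholder).
EXPECTED_AUDIENCE = "PasswordVault"
EXPECTED_DESTINATION = "https://PVWA_SERVER/PasswordVault/api/auth/saml/logon"


def _ts(value):
    """Parse a SAML xs:dateTime such as 2019-08-22T15:40:00Z into an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def check_saml_response(saml_response_b64, now):
    """Return the problems found (empty list = looks right). `now` must be timezone-aware."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    # Destination must equal the Reply URL, or PVWA rejects the POST.
    if root.get("Destination") != EXPECTED_DESTINATION:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain saml:Assertion (encrypted assertions not handled here)"]

    # 'Sign SAML assertion' puts ds:Signature inside the Assertion; SHA-256 is required.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed; set Signing option to 'Sign SAML assertion'")
    else:
        alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if alg is None or alg.get("Algorithm") != RSA_SHA256:
            problems.append("SignatureMethod is not rsa-sha256")

    # Audience must equal the Azure Identifier and the Issuer value in web.config.
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != EXPECTED_AUDIENCE:
        problems.append(f"Audience {getattr(aud, 'text', None)!r} != {EXPECTED_AUDIENCE!r}")

    # Validity window: clock skew between Azure and the PVWA server shows up here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not_before and now < not_before:
            problems.append("assertion not yet valid (check PVWA clock)")
        if not_on_or_after and now >= not_on_or_after:
            problems.append("assertion expired (check PVWA clock)")

    # NameID is mapped to the Vault user name; ExtractMailPrefix() must have removed
    # the domain, so an '@' here means the claim was left as the full UPN.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("no NameID in Subject")
    elif "@" in name_id.text:
        problems.append(f"NameID {name_id.text!r} is a full UPN; use ExtractMailPrefix()")
    return problems


# Constructed sample of a decoded SAMLResponse (TENANT_ID is a placeholder and the
# signature value is a dummy that would not verify); it only exercises the checks.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2019-08-22T15:40:00Z"
  Destination="https://PVWA_SERVER/PasswordVault/api/auth/saml/logon">
  <saml:Issuer>https://sts.windows.net/TENANT_ID/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-22T15:40:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT_ID/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
      <ds:SignatureValue>DUMMY</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-08-22T15:35:00Z" NotOnOrAfter="2019-08-22T16:40:00Z">
      <saml:AudienceRestriction><saml:Audience>PasswordVault</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    now = dt.datetime(2019, 8, 22, 15, 40, tzinfo=dt.timezone.utc)
    print(check_saml_response(SAMPLE_RESPONSE_B64, now) or "SAMPLE matches the PVWA settings")
```

Run it against a real captured SAMLResponse by passing the base64 form value and dt.datetime.now(dt.timezone.utc); each returned string names the Azure setting to correct.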


2. Configure PVWA as described in the CyberArk online help:

    https://cyberarkdocu.azurewebsites.net/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20INST/SAML-Authentication.htm?Highlight=SAML


Log in to the PVWA portal and open Options.

There, go to Authentication Methods and then to saml.

Set Enabled to Yes, and set LogoffUrl to the <Logout URL> copied from Azure earlier.


Then find the Access Restrictions menu, right-click it and select "Add AllowedReferrer".

Enter the <Login URL> copied from Azure.

Access Restrictions is an allowlist of referring sites from which PVWA accepts requests, so add only the entries that are actually needed. If MFA is required, add two more AllowedReferrer entries ("Add AllowedReferrer" again) with the following URLs:

https://login.microsoftonline.com/common/SAS/ProcessAuth

https://login.microsoftonline.com

Apply and save the changes.


On the PVWA server itself, open the PasswordVault folder (in IIS Manager, right-click PasswordVault and select "Explore").

Back up web.config, then edit it with Notepad and set the following values:

* IdentityProviderLoginURL = the <Login URL> copied from Azure

* IdentityProviderCertificate = the content of the Base64 certificate downloaded earlier, without the BEGIN and END lines. The value is long; line breaks within it do not matter.

* Issuer = PasswordVault (this must be the same string as the Identifier entered in Azure)

Restart IIS (for example with iisreset).
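The step that most often goes wrong by hand is pasting the certificate: a stray BEGIN/END line, a word-wrap character or a truncated copy leaves PVWA with a value that does not decode, and the logon error gives no hint. The following is an added example, not CyberArk tooling, that derives the web.config value from the downloaded .cer, checks that it decodes to DER, and writes the three settings. It assumes (verify against your own file) that PVWA stores these keys as <add key="..." value="..."/> entries under <appSettings>; the certificate and web.config embedded below are constructed stand-ins, and TENANT_ID is a placeholder.

```python
"""Set the three SAML values in PVWA's web.config from the Base64 .cer downloaded
from Azure. Added example, not CyberArk tooling.

Assumption to verify against your own file: the three keys are stored as
<add key="..." value="..."/> entries under <appSettings>.
"""
import base64
import re
import xml.etree.ElementTree as ET

PEM_BOUNDARY = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")


def cert_body(pem_text):
    """Strip the BEGIN/END lines and all whitespace, and verify the rest is DER."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = "".join(line for line in lines if line and not PEM_BOUNDARY.match(line))
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    # A DER certificate is an ASN.1 SEQUENCE (first byte 0x30); a truncated or
    # mangled paste typically fails here instead of as an opaque PVWA logon error.
    if not der or der[0] != 0x30:
        raise ValueError("certificate text does not decode to a DER SEQUENCE")
    return body


def configure_saml(web_config_xml, login_url, pem_text, issuer="PasswordVault"):
    """Return web.config text with the three SAML settings filled in."""
    # The Login URL comes from Azure's 'Set up' box (commercial or national cloud).
    if not login_url.startswith("https://login.microsoftonline."):
        raise ValueError("login_url should be the Azure AD Login URL")
    root = ET.fromstring(web_config_xml)
    settings = root.find("appSettings")
    if settings is None:
        raise ValueError("no <appSettings> section in web.config")
    wanted = {
        "IdentityProviderLoginURL": login_url,
        "IdentityProviderCertificate": cert_body(pem_text),
        "Issuer": issuer,  # must equal the Identifier entered in Azure
    }
    for key, value in wanted.items():
        node = settings.find(f"add[@key='{key}']")
        if node is None:
            node = ET.SubElement(settings, "add", key=key)
        node.set("value", value)
    return ET.tostring(root, encoding="unicode")


def read_setting(web_config_xml, key):
    """Read back one appSettings value (None if the key is absent)."""
    node = ET.fromstring(web_config_xml).find(f"appSettings/add[@key='{key}']")
    return None if node is None else node.get("value")


# Constructed stand-in for the downloaded .cer: not a real certificate, just a DER
# SEQUENCE header plus filler, wrapped at 64 columns like a Base64 certificate file.
FAKE_B64 = base64.b64encode(b"\x30\x82\x01\x04" + bytes(260)).decode()
SAMPLE_CER = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(FAKE_B64[i:i + 64] for i in range(0, len(FAKE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LOGIN_URL = "https://login.microsoftonline.com/TENANT_ID/saml2"  # TENANT_ID: placeholder
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="IdentityProviderLoginURL" value="" />
    <add key="IdentityProviderCertificate" value="" />
    <add key="Issuer" value="" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    updated = configure_saml(SAMPLE_WEB_CONFIG, SAMPLE_LOGIN_URL, SAMPLE_CER)
    print(read_setting(updated, "IdentityProviderCertificate")[:40] + "...")
```

ElementTree drops XML comments and rewrites whitespace, so diff the returned text against the backup before replacing the real web.config, or use cert_body() alone and paste its single-line result by hand; a single line is accepted whether or not PVWA tolerates line breaks in the value.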
