[CyberArk] Enable SAML Authentication with Azure

Modified on Thu, 22 Aug 2019 at 05:40 PM

In order to enable SAML authentication to CyberArk PAS through Azure, the following tasks should be done:

1. In the Azure portal, create a new enterprise application and open its Single Sign-On menu.

There, edit the following settings:

Basic SAML Configuration box:

* Identifier: PasswordVault

* Reply URL: https://PVWA_SERVER/PasswordVault/api/auth/saml/logon

* Make sure Sign on URL, Relay State and Logout Url are left unset.

SAML Signing certificate box:

* Signing option: Sign SAML assertion

* Signing algorithm: SHA-256

* Retrieve the Base64 certificate generated (we will need its text soon when configuring PVWA)

User Attributes & Claims box:

Claim name | Value


Set up "App name" box:

* Copy login URL

* Copy logout URL

2. Configure PVWA as described in the CyberArk online help:


Go into the PVWA portal and navigate to Options.

There, go to Authentication Methods and then into SAML.

There change Enabled to Yes, and change LogoffUrl to the <Logout URL> copied earlier.

Then, find the Access Restriction menu, right-click it and select "Add AllowedReferrer".

Enter there the <Login URL> copied from Azure.

If MFA is required, add another 2 URLs ("Add AllowedReferrer" again) and write the following URL:



Apply and save changes.

On the PVWA server itself, go to the PasswordVault folder (you can get there by opening IIS Manager, right-clicking PasswordVault and selecting "Explore").

Edit web.config with Notepad and change the following lines:

* IdentityProviderLoginURL = <Login URL> copied from Azure

* IdentityProviderCertificate = The content of the Base64 certificate downloaded earlier (without BEGIN and END lines) - yeah it is long, no worries about new lines and such within the file

* Issuer = PasswordVault

Restart IIS.
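A read-only PowerShell check for the web.config step above, added here as an example (it is not CyberArk's code and not part of the original article). It builds the certificate value without the BEGIN and END lines, confirms it parses as an X.509 certificate, and compares it with what web.config currently holds. The two default paths are assumptions, as is the layout of the three settings as `<add key="..." value="..."/>` entries under `<appSettings>`.

```powershell
# Added example. Both default paths are assumptions; adjust them to your server.
param(
    [string]$CertPath      = 'C:\Temp\AzureSaml.cer',                       # Base64 certificate downloaded from Azure
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\PasswordVault\web.config'  # PasswordVault folder on the PVWA server
)

# Drop the BEGIN/END lines and all whitespace: this single-line string is the
# value that goes into IdentityProviderCertificate.
$b64 = (Get-Content -LiteralPath $CertPath |
        Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }) -join ''
$b64 = $b64 -replace '\s', ''

# Decode it to prove it is a well-formed certificate, then print the fields to
# compare against the certificate shown in the Azure portal.
[byte[]]$der = [Convert]::FromBase64String($b64)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
'Subject    : {0}' -f $cert.Subject
'Thumbprint : {0}' -f $cert.Thumbprint
'Expires    : {0:u}' -f $cert.NotAfter
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'IdP signing certificate expires within 30 days; plan the rollover in Azure and web.config.'
}

# Read-only check of the three settings edited in web.config.
# Assumption: they are <add key="..." value="..."/> entries under <appSettings>.
[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$expected = @{ Issuer = 'PasswordVault'; IdentityProviderCertificate = $b64 }
foreach ($key in 'IdentityProviderLoginURL', 'IdentityProviderCertificate', 'Issuer') {
    $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { Write-Warning "$key is missing from web.config"; continue }
    # Whitespace is ignored so a certificate pasted with line breaks still compares equal.
    $value = $node.GetAttribute('value') -replace '\s', ''
    if ($key -eq 'IdentityProviderLoginURL') {
        if ($value -notmatch '^https://') { Write-Warning "$key is not an https URL: $value" }
        else { "$key = $value" }
    }
    elseif ($value -ceq $expected[$key]) { "$key matches" }
    else { Write-Warning "$key does not match the expected value" }
}
```

A certificate mismatch here means PVWA would validate assertions against a different key than the one Azure signs with, so re-download the Base64 certificate and paste it again before restarting IIS.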
