IMPLEMENTING MFA FOR CYBERARK PVWA USING UPSSO SAML

This document provides instructions for implementing MFA for the CyberArk Version 10 PVWA application using UPSSO SAML integration.

PREREQUISITES

  • Access to the Windows server hosting the CyberArk PVWA IIS application
  • Administrator access to the PVWA web portal
  • Administrator access to the UPSSO portal

CONFIGURING PVWA IN UPSSO

  1. Log in to the UPSSO portal (https://<UPSSO_SERVER_HOST>) as administrator.

  2. Click “Application Management” in the menu.

  3. Click the “Add Application” plus button, as highlighted below.

  4. Click the “CYBERARK-10” option.

  5. Enter the PVWA IP address or domain name and click the “SAVE” button.

COPY CERTIFICATE STRING

  1. Click “IDP Resources” in the menu.

  2. Click “DOWNLOAD IDP METADATA XML”.

  3. Copy and keep the certificate text between the <ds:X509Certificate> and </ds:X509Certificate> tags, as highlighted below. This is the IdP signing certificate; it is pasted into the PVWA configuration later as a single line, so remove any line breaks when copying it.

CONFIGURING CYBERARK

  1. Log in to the CyberArk PVWA web portal as administrator (URL: https://<PVWA_HOST>/PasswordVault).

  2. Once logged in, click “Administration -> Configuration Options” in the left-hand menu. The System Configuration page opens. Click the “Options” edit button.

  3. In the Options menu, click “Authentication Methods -> saml”.

  4. Enter DisplayName as “2 Factor Authentication”.

  5. Select Enabled as “Yes”.

  6. Enter https://<UPSSO_SERVER_HOST>/upsso/logout as the LogoffUrl.

  7. Click Apply and OK.

  8. In the Options menu, right-click “Access Restriction” and click “Add AllowedReferrer”.

  9. Enter https://<UPSSO_SERVER_HOST> as the BaseUrl.

  10. Click Apply and OK.

  11. Log off from the CyberArk portal.

  12. If the CyberArk version is 11.3 or above, skip the remaining steps in this section and go to the “SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE” section.

  13. Log in to the Windows server hosting the CyberArk PVWA IIS application and open C:\inetpub\wwwroot\PasswordVault\web.config for editing.

  14. Add these three elements under the <appSettings> element:

      <add key="IdentityProviderLoginURL" value="https://<UPSSO_SERVER_HOST>/upsso/upsso-service" />
      <add key="IdentityProviderCertificate" value="<IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>" />
      <add key="Issuer" value="PasswordVault" />

      Replace <UPSSO_SERVER_HOST> with the UPSSO server IP address or hostname.

      Replace <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE> with the IdP certificate string copied above, on a single line with no line breaks.

  15. Save the file.

  16. Restart the IIS server hosting the CyberArk PVWA web portal.

Note: If PVWA is deployed behind a load balancer, the above configuration must be applied on every PVWA node.
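The certificate copied in “COPY CERTIFICATE STRING” and the web.config edits in steps 13 to 16 are the two places where a small paste error silently breaks the SAML login: the certificate ends up with line breaks or PEM armour, the IdP URL is typed with http instead of https, or one node behind the load balancer is missed. The script below is an added example (it is not UPSSO or CyberArk code) that reads the downloaded IdP metadata XML, collapses the ds:X509Certificate value to one line, checks that it is base64-encoded DER, and then inserts or updates the three appSettings entries idempotently so the same run can be repeated on every node. It uses only the Python standard library and can be run from any workstation against copies of the two files. The host name upsso.example.test, the certificate bytes and both XML fragments are constructed for the example; the key names and URL paths are those the guide lists.

```python
"""Added example, not UPSSO or CyberArk code: pull the IdP certificate out of the
downloaded UPSSO metadata and check or patch the PVWA web.config appSettings.
Assumed (not from the guide): standard SAML 2.0 metadata with ds:X509Certificate and the
usual <configuration><appSettings> web.config layout; all hosts and bytes below are constructed."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"
REQUIRED_KEYS = ("IdentityProviderLoginURL", "IdentityProviderCertificate", "Issuer")

def extract_idp_certificate(metadata_xml: str) -> str:
    """First ds:X509Certificate value with all line breaks and indentation removed."""
    node = ET.fromstring(metadata_xml).find(f".//{DS_NS}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("metadata contains no ds:X509Certificate element")
    return "".join(node.text.split())

def _der_sequence_length(der: bytes) -> int:
    """Declared total length of the outer DER SEQUENCE (short or long length form)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def validate_certificate_value(value: str) -> bool:
    """True if value is single-line base64 DER as web.config expects; rejects the
    usual paste mistakes (PEM armour lines, embedded line breaks or spaces)."""
    if not value or any(ch.isspace() for ch in value) or "-----" in value:
        return False
    try:  # binascii.Error raised on bad base64 is a ValueError subclass
        der = base64.b64decode(value, validate=True)
        return _der_sequence_length(der) == len(der)
    except ValueError:
        return False

def upsso_app_settings(upsso_host: str, certificate: str) -> dict:
    """The three <appSettings> entries from step 14 of the guide."""
    return {"IdentityProviderLoginURL": f"https://{upsso_host}/upsso/upsso-service",
            "IdentityProviderCertificate": certificate,
            "Issuer": "PasswordVault"}

def patch_web_config(web_config_xml: str, settings: dict) -> str:
    """Insert or update <add key value/> entries under <appSettings>. Idempotent,
    so the same call can be run unchanged on every PVWA node behind a load balancer."""
    root = ET.fromstring(web_config_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    existing = {a.get("key"): a for a in app.findall("add")}
    for key, value in settings.items():
        if key in existing:
            existing[key].set("value", value)
        else:
            ET.SubElement(app, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")

def check_web_config(web_config_xml: str) -> list:
    """Problems with the SAML appSettings; an empty list means the file is ready."""
    root = ET.fromstring(web_config_xml)
    values = {a.get("key"): a.get("value", "") for a in root.iterfind("appSettings/add")}
    problems = [f"missing appSettings key {k}" for k in REQUIRED_KEYS if k not in values]
    url = values.get("IdentityProviderLoginURL")
    if url is not None and urlparse(url).scheme != "https":
        problems.append("IdentityProviderLoginURL is not https")  # login redirect would go in clear
    cert = values.get("IdentityProviderCertificate")
    if cert is not None and not validate_certificate_value(cert):
        problems.append("IdentityProviderCertificate is not a single-line base64 DER certificate")
    if "Issuer" in values and values["Issuer"] != "PasswordVault":
        problems.append("Issuer must be PasswordVault")
    return problems

# ---- Constructed sample inputs (not real UPSSO or CyberArk artefacts) ----
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(16)  # SEQUENCE tag, long-form length 16, dummy body
SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://upsso.example.test/upsso/get-idp-metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64[:16]}
        {SAMPLE_CERT_B64[16:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# web.config as it often ends up after a hand edit: http URL, PEM-armoured multi-line cert, Issuer missing.
BAD_WEB_CONFIG = f"""<configuration>
  <appSettings>
    <add key="IdentityProviderLoginURL" value="http://upsso.example.test/upsso/upsso-service" />
    <add key="IdentityProviderCertificate" value="-----BEGIN CERTIFICATE-----
{SAMPLE_CERT_B64}
-----END CERTIFICATE-----" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    cert = extract_idp_certificate(SAMPLE_METADATA)
    print("before:", check_web_config(BAD_WEB_CONFIG))
    fixed = patch_web_config(BAD_WEB_CONFIG, upsso_app_settings("upsso.example.test", cert))
    print("after:", check_web_config(fixed))
```

To use it on a real node, back up web.config, read it into a string, write the result of patch_web_config back to the file, and confirm check_web_config returns an empty list before restarting IIS; a non-empty list names exactly what still needs fixing. The same patch_web_config call with {"UseNewSAMLSolution": "Yes"} covers the web.config element required in step 7 of the 11.3 section.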

SAML SP CONFIGURATION FOR CYBERARK VERSION 11.3 OR ABOVE

Execute the following instructions only if the CyberArk version is 11.3 or above.

  1. Log in to the Windows server hosting the CyberArk PVWA IIS application.

  2. Go to the C:\inetpub\wwwroot\PasswordVault\ folder.

  3. Make a copy of the saml.config.template file and rename the copy to saml.config.

  4. Edit the saml.config file and set the following values, replacing the placeholders with the UPSSO server hostname and the certificate string copied earlier (on a single line):

      SingleSignOnServiceUrl: https://<UPSSO_SERVER_HOST>/upsso/upsso-service
      Certificate: <IDP_CERTIFICATE_TEXT_VALUE_IN_SINGLE_LINE>
      PartnerIdentityProvider Name: https://<UPSSO_SERVER_HOST>/upsso/get-idp-metadata
      ServiceProvider Name: PasswordVault

  5. Save the file.

  6. Open the web.config file.

  7. Make sure the following element is present under the <appSettings> element:

      <add key="UseNewSAMLSolution" value="Yes" />

  8. Save the file.

  9. Restart the IIS server hosting the CyberArk PVWA web portal.

Note: If PVWA is deployed behind a load balancer, the above configuration must be applied on every PVWA node.