The following instructions were taken from CyberArk's Privileged Account Security (PAS) solution document "Privileged Account Security Implementation Guide".
Configuring Access through the PVWA
Log on to the PVWA as the predefined Administrator user.
Click ADMINISTRATION to display the System Configuration page.
The main system configuration editor appears.
Expand Authentication Methods; a list of the supported configuration methods is displayed.
Specify the following Authentication Methods properties:
Select SAML and make sure the Enabled property is set to Yes.
In LogoffUrl, specify the logoff page of your IdP. If your IdP doesn’t have a logoff URL, clear the value of this property.
Click Apply to save the new configurations and stay in the Options page, or click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter.
Configuring PVWA SAML Authentication
In the PVWA:
- In the Options page, right-click Access Restriction, then select Add AllowedReferrer; a new parameter node is added to enable you to configure an Allowed Referrer.
- In the Allowed Referrer property list, in BaseURL, specify the URL of your IdP.
- Click Apply to save the new configurations.
Configuring Web.config SAML Authentication
In the PasswordVault web.config file:
- In the PasswordVault installation folder, open the web.config file. Default Location: C:\inetpub\wwwroot\PasswordVault\
- In the appSettings tag, add the following mandatory parameters:
  - IdentityProviderLoginURL – The login URL of your IdP.
  - IdentityProviderCertificate – The base64 text representation of the certificate that is configured for your IdP as the SAML response signing certificate. This is used by the PVWA to verify the authenticity of the responses.
  - Issuer – The Issuer string that enables the PVWA to identify itself to the IdP. This value must correlate to the value used by the IdP to identify PVWA as a relying party. The default value for this parameter is PasswordVault. Note: This is also known as the EntityID.
  <appSettings>
    [... Rest of the appSettings ...]
    <add key="IdentityProviderLoginURL" value="https://[... SP initiated login URL ...]/gridguard/saml/idp"/>
    <add key="Issuer" value="PasswordVault"/>
    <add key="IdentityProviderCertificate" value="[... The stripped down Certificate ...]"/>
  </appSettings>
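The three web.config keys above, plus the AllowedReferrer entry from the PVWA Options page, are the pieces that most often go wrong in a SAML rollout: a key left out, an IdP URL that is not listed as an allowed referrer, or a whole PEM file pasted where only the base64 body belongs. The script below is an added example, not CyberArk's code and not part of the guide; it parses a web.config, reads the appSettings section and reports such mismatches. The host idp.example.test, the sample certificate blob and the web.config fragment are constructed for the example. Because the AllowedReferrer BaseURL values live in the PVWA configuration rather than in web.config, the script takes them as an input list.

```python
"""Check the SAML-related appSettings of a PasswordVault web.config.

Added example (not CyberArk's code): confirms the three mandatory keys are
present, that the IdP login URL uses https and matches one of the
AllowedReferrer BaseURL values from the PVWA Options page, and that the
certificate value is the bare base64 body of a DER certificate.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed certificate stand-in: a base64 blob that begins with the DER
# SEQUENCE tag (0x30) so the structural check passes. It is not a real
# certificate and would not verify any SAML response.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()

# Constructed web.config fragment; idp.example.test is a placeholder host.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="UnrelatedSetting" value="keep"/>
    <add key="IdentityProviderLoginURL" value="https://idp.example.test/saml/sso"/>
    <add key="Issuer" value="PasswordVault"/>
    <add key="IdentityProviderCertificate" value="{SAMPLE_CERT_B64}"/>
  </appSettings>
</configuration>
"""

# The mandatory parameters named in the guide.
REQUIRED_KEYS = ("IdentityProviderLoginURL", "IdentityProviderCertificate", "Issuer")


def read_app_settings(xml_text):
    """Return the <add key="..." value="..."/> entries under <appSettings> as a dict."""
    root = ET.fromstring(xml_text)
    app_settings = root.find("appSettings")
    if app_settings is None:
        return {}
    return {add.get("key"): add.get("value", "") for add in app_settings.findall("add")}


def same_origin(url_a, url_b):
    """True when scheme, host and port agree; path differences are ignored."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def check_saml_settings(settings, allowed_referrers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            findings.append(f"missing or empty appSettings key: {key}")

    login_url = settings.get("IdentityProviderLoginURL", "")
    if login_url:
        if urlparse(login_url).scheme != "https":
            findings.append("IdentityProviderLoginURL does not use https")
        # The PVWA procedure registers the IdP URL as an AllowedReferrer BaseURL;
        # an IdP origin missing from that list is a configuration mismatch.
        if not any(same_origin(login_url, ref) for ref in allowed_referrers):
            findings.append("IdP login URL origin is not listed as an AllowedReferrer BaseURL")

    cert = settings.get("IdentityProviderCertificate", "")
    if cert:
        if "BEGIN CERTIFICATE" in cert:
            findings.append("IdentityProviderCertificate contains PEM header/footer lines; "
                            "use the base64 body only")
        else:
            try:
                # Tolerate line breaks copied from a PEM body, reject anything else.
                der = base64.b64decode("".join(cert.split()), validate=True)
            except ValueError:
                findings.append("IdentityProviderCertificate is not valid base64")
            else:
                if not der or der[0] != 0x30:
                    findings.append("IdentityProviderCertificate does not decode to a DER SEQUENCE")
    return findings


def validate_web_config(xml_text, allowed_referrers):
    """Parse a web.config and run the SAML checks against its appSettings."""
    return check_saml_settings(read_app_settings(xml_text), allowed_referrers)


if __name__ == "__main__":
    # Pass the real file's contents and the BaseURL values from the Options page.
    results = validate_web_config(SAMPLE_WEB_CONFIG, ["https://idp.example.test/"])
    for line in results or ["OK: SAML appSettings look consistent"]:
        print(line)
```

Run it against the real file with `open(r"C:\inetpub\wwwroot\PasswordVault\web.config").read()` in place of the sample and the BaseURL values you entered under Access Restriction. The certificate check is deliberately structural (valid base64 that decodes to a DER SEQUENCE); confirming that it is the IdP's current signing certificate still requires comparing it with the IdP's metadata.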