Integrating Trusona and CyberArk

This guide details the steps required to configure Trusona as a passwordless authentication solution for CyberArk Privileged Access Security (PAS).

1. Getting started

1.1. Prerequisites

  • CyberArk PAS v11.3 and above

1.2. Step 1: Email Trusona

Send an email to support@trusona.com with the following information:

Subject: CyberArk Integration

  • Required:
    • Company name
    • Email domain(s) associated with your CyberArk users. (e.g. yourcompany.com)
    • Consumer Assertion Service URL
      • For SSL v9 - https://<PVWA DNS or IP>/PasswordVault/auth/saml
      • For SSLv10 - https://<PVWA DNS or IP>/PasswordVault/api/auth/saml/logon

1.2.1. Sent by Trusona

Trusona will send you the following via email:

  • Certificate
  • Base URL
  • Entity ID
  • SSO URL

2. Configuration

2.1. Step 2: Configuring PAS

To configure SAML support in PAS, you first need to configure Password Vault Web Access (PVWA) and then the Password Vault.

  1. Log in to PVWA as an Admin
  2. Navigate to Administration > Configuration Options > Options
  3. In the Options pane, expand “Authentication Methods” and choose “SAML”
  4. In the Properties pane, configure the following:
    1. Set “Enabled” to “Yes”
    2. Set “LogoffUrl” to:
      • The logoff URL of your IDP, if it has one
      • Leave the field blank if your IDP does not have a logoff URL. Users will remain authenticated to the PVWA if they are authenticated to the IDP
    3. Set “DisplayName” to “Trusona”
  5. In the Options pane, right-click “Access Restriction” and choose “Add AllowedReferrer”
  6. In the Properties pane, enter the “BaseURL” value provided by Trusona
  7. Click “Apply” to save the new configuration

2.2. Step 3: Configuring SAML in Password Vault

The following steps are adapted from the official CyberArk SAML Authentication documentation.

  1. Navigate to the PasswordVault installation folder
  2. Copy the saml.config.template file and make a new file named saml.config.
  3. Edit the file, configuring the following values:

     Parameter                     Value                                      Description
     SingleSignOnServiceUrl        The “SSO URL” provided by Trusona          Login URL of the Trusona IDP.
     Certificate                   The “Certificate” provided by Trusona      Used by PVWA to verify responses from the Trusona IDP.
     PartnerIdentityProvider Name  The “Entity ID” value provided by Trusona  Identifies the IDP to PVWA.
     ServiceProvider Name          The “Entity ID” value provided by Trusona  Allows PVWA to identify itself to the Trusona IDP. Must match the Audience defined in the IDP.
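As an added pre-flight check (not part of this guide, nor Trusona's or CyberArk's own tooling), the Python script below derives the Consumer Assertion Service URL from Step 1, maps the values Trusona sends to the saml.config parameters in the table above, and sanity-checks them before they are pasted into PVWA. The host names and the certificate body are constructed placeholders, and the rule that the SSO URL must share the Base URL's host is an assumption about how the AllowedReferrer restriction from Step 2 applies.

```python
import ssl
from urllib.parse import urlparse

# Consumer Assertion Service URL paths from Step 1, keyed by the version number the guide gives.
ACS_PATHS = {
    9: "/PasswordVault/auth/saml",
    10: "/PasswordVault/api/auth/saml/logon",
}

# Constructed sample of what Trusona sends; the certificate body is a placeholder
# DER SEQUENCE, not a real certificate.
SAMPLE = {
    "base_url": "https://idp.example.test",
    "entity_id": "https://idp.example.test/saml/metadata",
    "sso_url": "https://idp.example.test/saml/sso",
    "certificate": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----",
}

def acs_url(pvwa_host: str, version: int) -> str:
    """Consumer Assertion Service URL to include in the email to Trusona."""
    return f"https://{pvwa_host}{ACS_PATHS[version]}"

def saml_config_values(sent: dict) -> dict:
    """Map the values Trusona sent to the saml.config parameters from Step 3."""
    return {
        "SingleSignOnServiceUrl": sent["sso_url"],
        "Certificate": sent["certificate"],
        "PartnerIdentityProvider Name": sent["entity_id"],
        "ServiceProvider Name": sent["entity_id"],
    }

def check_idp_values(sent: dict) -> list:
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    sso, base = urlparse(sent["sso_url"]), urlparse(sent["base_url"])
    for name, url in (("SSO URL", sso), ("Base URL", base)):
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{name} must be an absolute https URL")
    # Assumption: the IDP responds from the Base URL host, so an SSO URL on a
    # different host would be blocked by the AllowedReferrer entry from Step 2.
    if sso.netloc and base.netloc and sso.netloc.lower() != base.netloc.lower():
        problems.append("SSO URL host differs from Base URL host (AllowedReferrer)")
    try:
        der = ssl.PEM_cert_to_DER_cert(sent["certificate"].strip())
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            problems.append("Certificate does not decode to DER")
    except ValueError as exc:
        problems.append(f"Certificate is not valid PEM: {exc}")
    return problems
```

Run `check_idp_values` on the real values from Trusona's email before editing saml.config; the PEM check only confirms the block decodes, it does not validate the certificate chain or expiry.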

2.3. Step 4: Testing the integration

  1. Open a private browsing window
  2. Navigate to the PVWA login page
  3. Select “Change authentication method”
  4. Choose “Trusona”
  5. Complete the login process with the Trusona App
