Integrating Trusona and CyberArk

This guide details the steps required to configure Trusona as a passwordless authentication solution for CyberArk Privileged Access Security (PAS.)

1. Getting started

1.1. Prerequisites

  • CyberArk PAS v11.3 and above

2. Log into Trusona

Log into your Trusona account at

Log into the Trusona dashboard
Log into the Trusona dashboard

2.1. Navigate to the generic integration option(s)

Locate the navigation bar on the left side of the main page, and click on the Generic SAML tab

Navigate to the correct tab
Navigate to the correct tab

2.2. Creating a new generic integration

Click on the Create button to begin

Navigate to the correct tab
Navigate to the correct tab

2.3. Customize & Upload Data

Be sure to fill in all the necessary information requested, and upload any files/documents needed. Failure to do so may prevent Trusona from creating the integration successfully

Fill out all the necessary information carefully
Fill out all the necessary information carefully

2.4. Additional actions for integrations

Once you have created your integration, you will be redirected back to the integration dashboard. From there, you should be able to see your new integration listed.

To the right of it, click on the Actions button. You will be presented with a number of different options you can select, depending on your requirements.

Click on the Actions button for further configuration details
Click on the Actions button for further configuration details

3. Password Vault (PVWA)

3.1. Configuring PAS

To configure SAML support in PAS, you first need to configure Password Vault Web Access (PVWA) and the Password Vault

  1. Login to PVWA as an Admin
  2. Navigate to Administration > Configuration Options > Options
  3. In the Options pane, expand “Authentication Methods” and choose “SAML”
  4. In the Properties pane, configure the following:
    1. Set “Enabled” to “Yes”
    2. Set “LogoffUrl” to:
      • The logoff URL of your IDP, if it has one
      • Leave the field blank if your IDP does not have a logoff URL. Users will remain authenticated to the PVWA if they are authenticated to the IDP
    3. Set “DisplayName” to “Trusona”
  5. In the Options pane, right-click “Access Restriction” and choose “Add AllowedReferrer”
  6. In the Properties pane, enter the “BaseURL” value provided by Trusona
  7. Click “Apply” to save the new configuration

3.2. Configuring SAML in Password Vault

The follow steps are adapted from the official CyberArk SAML Authentication documentation.

  1. Navigate to the PasswordVault installation folder
  2. Copy the saml.config.template file and make a new filed named saml.config.
  3. Edit the file configuring the following values:
Parameter Value Description
SingleSignOnServiceUrl The “SSO URL” provided by Trusona Login URL of the Trusona IDP.
Certificate The “Certificate” provided by Trusona Used by PVWA to verify responses from the Trusona IDP.
PartnerIdentityProvider Name The “Entity ID” value provided by Trusona Identifies the IDP to PVWA.
ServiceProvider Name The “Entity ID” value provided by Trusona Allows PVWA to identify itself to the Trusona IDP. Must match the Audience defined in the IDP.

3.3. Testing the integration

  1. Open a private browsing window
  2. Navigate to the PVWA login page
  3. Select “Change authentication method”
  4. Choose “Trusona”
  5. Complete the login process with the Trusona App




Get started guides
Implementation guides
Users guides


Mobile SDKs
Server SDKs
Web SDKs


Authentication Service
ID Proofing Service
Mobile Auth for Browsers Service