
CyberArk Privileged Access Manager

BlokSec provides decentralized passwordless authentication to the CyberArk Privileged Access Manager solution using the Security Assertion Markup Language (SAML) 2.0 authentication standard. BlokSec acts as an identity provider (IdP), authenticating users with strong cryptography-based digital signatures that are immutable and tamper-proof.

BlokSec Admin UI

  1. Sign in to the BlokSec admin UI as a user with admin privileges for your tenant
  2. On the main dashboard, click the Add Application drop-down and select Create From Template
  3. Select the CyberArk template
  4. Complete the SAML configuration with the following values (adjusting if required to meet your desired behaviour):
    • Name: Change the name if required to meet your organizational requirements
    • Assertion Consumer Service: https://[resource_name]/PasswordVault/api/auth/saml/logon
    • Name ID Format: EmailAddress (change the value from the drop-down if the user identifier is not an email address)
  5. Select Submit to save the configuration
  6. Select Download to obtain the IdP metadata XML (needed for the CyberArk SAML configuration file below)

CyberArk Configuration

PVWA Settings

  1. Sign in to CyberArk PVWA as a user with admin privileges
  2. Navigate to Administration > Configuration Options
  3. On the System Configuration page select Options
    • Navigate to Access Restriction and right-click to select Add AllowedReferrer
      • Properties
        • BaseUrl: https://api.bloksec.io
        • Select Apply and then select Ok
    • Navigate to Authentication Methods > saml
      • Properties
        • DisplayName: BlokSec Passwordless (or the name of your choice)
        • Enabled: Yes
        • Select Apply and then select Ok

SAML Configuration File

  1. In the PasswordVault installation folder (by default \Inetpub\wwwroot\PasswordVault), make a copy of the saml.config.template file and rename the copy to saml.config
  2. Complete the SAML configuration with the following values (adjusting if required to meet your desired behaviour):
    • ServiceProvider Name: https://bloksec.io
    • PartnerIdentityProvider: https://bloksec.io
    • SingleSignOnServiceURL: Enter the URL given in the SingleSignOnService binding element of the metadata XML. For example, https://api.bloksec.io/sso/SingleSignOnService/605x91de599549f0d870
    • Certificate String: Enter the value of the ds:X509Certificate element from the metadata XML
  3. Save the saml.config file
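Steps 2 and 3 above copy three values out of the downloaded metadata by hand, which is where transcription mistakes (a trailing newline inside the certificate, the wrong binding's URL) usually creep in. The script below is an added example, not BlokSec or CyberArk code: it parses a standard SAML 2.0 IdP metadata document, picks the SingleSignOnService location for the preferred binding, and returns the signing certificate as a single-line base64 string after checking that it decodes to DER. The embedded metadata is constructed for the example; its entityID and SSO URL are the ones this page quotes, and the certificate body is a placeholder DER blob rather than a real BlokSec certificate.

```python
"""Pull the saml.config values (IdP entity ID, SSO URL, signing certificate)
out of a SAML 2.0 IdP metadata document instead of copying them by hand."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata in the shape an IdP publishes. The certificate
# text is a placeholder DER blob (SEQUENCE { INTEGER 1 }) split across lines
# with indentation, the way real metadata files often arrive.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://bloksec.io">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MAMC
          AQE=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://api.bloksec.io/sso/SingleSignOnService/605x91de599549f0d870"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.bloksec.io/sso/SingleSignOnService/605x91de599549f0d870"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def looks_like_der_certificate(cert_b64: str) -> bool:
    """True if the text is valid base64 (ignoring whitespace) whose payload
    starts with the DER SEQUENCE tag 0x30, as every X.509 certificate does."""
    try:
        der = base64.b64decode("".join(cert_b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 0 and der[0] == 0x30


def extract_saml_config_values(metadata_xml: str,
                               preferred=(HTTP_POST, HTTP_REDIRECT)) -> dict:
    """Return the values saml.config needs, or raise ValueError if the
    metadata lacks an IdP descriptor, a usable SSO endpoint or a certificate."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("metadata has no entityID or IDPSSODescriptor")

    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    # Whitespace is stripped so the value pastes as one line into saml.config.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            one_line = "".join((c.text or "").split())
            if not looks_like_der_certificate(one_line):
                raise ValueError("X509Certificate is not base64-encoded DER")
            certs.append(one_line)
    if not certs:
        raise ValueError("no signing certificate in metadata")

    # SSO endpoint: take the Location of the first binding in preference order.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    binding = next((b for b in preferred if b in endpoints), None)
    if binding is None:
        raise ValueError(f"no SingleSignOnService with a supported binding; found {sorted(endpoints)}")

    return {
        "entity_id": entity_id,
        "sso_binding": binding,
        "sso_url": endpoints[binding],
        "certificate": certs[0],
        "certificates": certs,  # more than one usually means a key rollover is in progress
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


if __name__ == "__main__":
    for key, value in extract_saml_config_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the downloaded metadata file (replace SAMPLE_METADATA with the file's contents) and paste `entity_id` into PartnerIdentityProvider, `sso_url` into SingleSignOnServiceURL and `certificate` into Certificate String. If the metadata lists more than one signing certificate, the IdP is rotating keys; confirm with BlokSec which one the current assertions are signed with before choosing.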

Optional – Enforce Passwordless Authentication

By default, the CyberArk Privileged Access Management solution allows users to sign in either with their username and password or with an alternative logon option. This behaviour can be changed to mandate passwordless-only logon to PVWA. Follow the steps below to enforce passwordless authentication:

  1. Sign in to CyberArk PVWA as a user with admin privileges
  2. Navigate to Administration > Configuration Options
  3. On the System Configuration page select Options
  4. Navigate to Authentication Methods and select an authentication method that is not saml, for example, windows
  5. Set the value of Properties as below:
    • Enabled: No
  6. Repeat steps 4 and 5 for each remaining non-SAML authentication method that should be disabled