Table of Contents

Other Resources

You can add a SQL Server data store to assert or manage user identity information.


  • SecureAuth IdP version 9.3 and later
  • SQL Server data store


There are two parts to adding a data store in SecureAuth IdP — (1) adding the data store and (2) mapping the data store properties. 

Step 1 of 2: Add a SQL Server data store

The first part of adding a SQL Server data store is configuring the data store name, connections, credentials, and search attributes. 

  1. On the left side of SecureAuth IdP page using the New Experience Web Admin, select User Data Stores.
  2. Click Add a Data Store
  3. Set the Data Store Name
  4. Select the Connection Type as SQL Server.
  5. For the Use this database for user membership validation slider, use one of the following options: 


    Enable membership validation; use the database to search for the user's membership in a user group.

    This means the database is a Membership Store, containing the password to validate with the username.


    Disable membership validation; use the database to search  only for the user profile information.  

    This means the database is only used to find the username and profile information (such as phone number, email address, device recognition profiles, OATH tokens, and so on).

    After the data store is saved, this field is the Membership Store label shown on the View Summary.
    A common use case for a Membership Store would be to have a database with username and password information (and maybe some profile information), and then have a second database used to store and access data that SecureAuth IdP writes to the database (such as device recognition, device enrollment, push notification tokens, and so on).

  6. In the Connection String section, set the connection string to the SQL Server.  

    For information about content in the corporate connection string, see the external article All SQL Server SqlConnection Properties.

    Connection String

    The value in this field is the connection string auto-populated by the Data Source and Initial Catalog fields (unless a custom connection string is manually entered).

    advanced modeTo manually enter the connection string, click the advanced mode link. 
    Data Source

    Name or network address of the SQL Server instance to which to connect. 

    For example,\sqlserver

    Initial Catalog

    The initial catalog name (or database name). 

    For example, secureauthconsult

    Enable Integrated SecurityMove the slider to indicate whether to enable integrated security for a secure connection. 
    Persist Security InfoMove the slider to indicate whether to persist security information such as the password in the connection string. 

  7. In the Credentials section, provide the log in credentials to access the SQL data store. 

    Enter Service Account Credentials

    With this option, enter the following fields:

    • User ID – SQL user ID email address  for the service account login  
    • Password – Password for the service account login

    Use CyberArk Vault for Credentials

    With this option, enter at least one field for the service account login: 

    • Username – User name of machine to be scanned by CyberArk Application Identity Manger (AIM). This information appears on the Account Details page of the CyberArk Password Vault Web Access (PVWA) Admin Console.
    • Address – Address of machine to be scanned by AIM.
    • Safe – Name of Access Control Safe where credentials are stored.
    • Folder – Name of folder where account resides (by default, it its the root folder).
    • Object – Unique identifier Object name for the account.

  8. In the Advanced Settings section, define how the service account password is to be stored in the directory. 

    Password Format

    Choose one of the following formats:

    • Clear – Password is stored as plain text. This improves performance of storage and retrieval but is less secure.
    • Encrypted – Password is stored as encrypted and can be decrypted for password comparison or retrieval. This is more secure, but requires additional processing or storage.
    • Hashed – Password is hashed using a one-way hash algorithm and random salt-value. When password is validated, it is hashed with the salt value of the dates for verification. Hashed passwords cannot be retrieved.

  9. In the Stored Procedure Configuration section, use the default values unless custom stored procedures are used for membership and profile data access.
    SecureAuth IdP is preconfigured to use the stored procedure values outlined in in SQL user data store tables and stored procedures configuration

    Get User

    Checks if a username exists, and returns the same username in the case that it does. 

    Create UserInserts the username and password into the user table, and returns a MembershipCreateStatus enumeration. 

    Get/Validate PasswordGets the password, password salt, and password format.

    Reset Password

    Resets the password for the given user.

    Get User ProfileRetrieves the profile of the given username (See Configuration Guide if using JSON).

    Update User ProfileUpdates user profile with the given profile information (See Configuration Guide if using JSON).

  10. Click Continue.
    The Map Data Store Properties page opens. 

Step 2 of 2: Map the SQL Server data store properties 

The second part of adding a SQL Server data store is mapping the data store properties. 

Each user is uniquely identified by profile data that is read from or stored in your directories and databases.

SecureAuth IdP does not store user profiles, so your SQL Server directory attributes must be mapped to Identity Platform profile properties to be read and updated in the directory by SecureAuth IdP. The directory attribute mapped to the property is retrieved only when required for authentication or assertion purposes. 

  1. Where applicable, specify the Data Format to define how data is encrypted and stored in the directory. The selection options are: 

    • Plain Text – store data as regular, readable text (default)
    • Standard Encryption – store and encrypt data using RSA encryption
    • Advanced Encryption – store and encrypt data using AES encryption
    • Standard Hash – store and encrypt data using SHA-256 hash
    • Plain Binary  – store data in a binary format (uses a .NET library to make it binary – may not be readable by all applications)
    • JSON – store data in a universal format, readable by all applications (similar to Plain Text)
    • Encrypted JSON – store data in JSON format, with values encrypted using AES encryption
  2. Click Save Data Store
    The SQL Server data store you just added appears in the User Data Stores list. 

Related information

View and edit data store integration