Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel
borderColor#444443
bgColorwhite
titleColorwhite
borderWidth1
titleBGColor#444443
borderStylesolid
titlePrerequisites

1. Ensure these items are installed

  • SecureAuth IdP 9.0.1 + running on Windows Server 2012 R2
  • Identity store(s) – one or more of these data store types: Active Directory, Oracle, SQL Server
  • CyberArk Vault Server v9.x
  • Licensed version of CyberArk AIM v9.5+

2. On SecureAuth IdP

Panel
borderColor#135570
bgColorwhite
titleColorwhite
titleBGColor#135570
titleCyberArk AIM Configuration Steps
UI Text Box
typeinfo

Refer to CyberArk Credential Provider and Application Server Credential Provider Implementation Guide for CyberArk Credential Provider installation instructions

Panel
borderColor#116490
bgColorwhite
titleColorwhite
titleBGColor#116490
titlePassword Vault Web Access Admin Console
Panel
borderColor#007fb2
bgColorwhite
titleColorwhite
titleBGColor#007fb2
titleApplications: Add Application and define Application ID
Column
width50%

Column
width50%


1. Log on the Password Vault Web Access (PVWA) Admin Console with permissions to manage applications – i.e. Manage Users authorization

2. On the Applications page, click Add Application; the Add Application window appears

3. Enter the unique Name of this application – SecureAuth-IdP – to be used as the application identifier (appid)

4. Enter a brief Description to identify this application

5. In the Business owner section, enter contact information about the owner of this application

6. In the bottom section, use the dropdown to specify the Location of this application on the Vault hierarchy

NOTE: If the Location is not selected, the application is added in the same Location as the user creating this application

7. Click Add; the application is added and the Application Details page appears with this information

 

 

Panel
borderColor#009FD9
bgColorwhite
titleColorwhite
titleBGColor#009FD9
titleApplication Details: Define authentication details
Column
width50%

Column
width50%


8. On the Authentication tab, enable Allow extended authentication restrictions to permit an unlimited number of machines and Windows domain OS users on a single application

9. Click Add and select characteristics to define from the dropdown – details about the application must be specified so the Credential Provider can check certain application characteristics before retrieving the application password

UI Text Box
typetip

SecureAuth recommends using the IP address of the SecureAuth IdP appliance on which the AIM Credential Provider is installed to add an extra layer of security

Section
Column
width50%

Column
width50%


10. On the Allowed Machines tab, enter information the Credential Provider will use to ensure that only applications running on specified machines can access passwords

11. Click Add; the Add allowed machine window appears

12. Enter the Address (IP / host name / DNS) of the SecureAuth IdP appliance on which AIM is installed

13. Click Add; the IP address appears on the Allowed Machines tab

 

Panel
borderColor#007fb2
bgColorwhite
titleColorwhite
titleBGColor#007fb2
titlePolicies: Provision accounts, set permissions to access the Password Safe
Provision accounts

The application must have access to particular existing accounts – or new accounts to be provisioned in the CyberArk Vault – in order to execute its functionality and tasks

14. Ensure this user account has authorization in the Password Safe to Add accounts

15. In the Password Safe, use one of two methods to provision privileged accounts required by the applications

  • Manually – Add each account individually and specify all account details
  • Automatically – Use the Password Upload feature to add multiple accounts automatically
UI Text Box
typeinfo

Refer to CyberArk Privileged Account Security Implementation Guide for more information about adding and managing privileged accounts 

Set permissions to access the Password Safe

Once privileged accounts are managed by CyberArk Vault, set up access to the Safes for the application and CyberArk Application Password Providers serving the application

16. Add the Credential Provider and application users as members of Password Safes on which the application passwords are stored – this can be done either manually on the Safes tab, or by specifying the Safe names on the .CSV file used for adding multiple applications

 

Panel
borderColor#009FD9
bgColorwhite
titleColorwhite
titleBGColor#009FD9
titleAdd Safe Member: Provider user
Column
width50%

Column
width50%


17. Add the Provider user as a Safe Member with authorization to

  • List accounts
  • Retrieve accounts
  • View Safe Members
UI Text Box
typeinfo

When installing multiple Providers in this integration, SecureAuth recommends creating a group for the Providers and then adding that group to the Safe with authorization to the options listed in step above

Panel
borderColor#009FD9
bgColorwhite
titleColorwhite
titleBGColor#009FD9
titleAdd Safe Member: SecureAuth-IdP
Column
width50%

Column
width50%


18. Add the application (SecureAuth-IdP) as a Safe Member with authorization to Retrieve accounts

19. If the environment is configured for dual control

  • In PIM-PSM environments (v7.2 and lower) – if the Safe is configured to require confirmation from authorized users before passwords can be retrieved, give the Provider user and the application permission to Access Safe without Confirmation
  • In Privileged Account Security solutions (v8.0 and higher) – when working with dual control, the Provider can always access the Safe without confirmation, so the permission to Access Safe without Confirmation does not need to be set

20. If the Safe is configured for object level access, ensure both the Provider user and the application have access to the password(s) to retrieve

UI Text Box
typeinfo

Refer to CyberArk Privileged Account Security Implementation Guide for more information about configuring Safe Members

Panel
borderColor#135570
bgColorwhite
titleColorwhite
borderWidth1
titleBGColor#135570
borderStylesolid
titleSecureAuth IdP Configuration Settings
Panel
borderColor#116490
bgColorwhite
titleColorwhite
titleBGColor#116490
titleData
Column
width50%

Column
width50%


1. In the Membership Connection Settings section, select the Datastore Type from the dropdown – e.g. Active Directory (sAMAccountName) is selected on the sample screen

2. Configure Datastore Credentials and Connection information based on the data store type

UI Text Box
typeinfo

The section label, fields, and field names differ based on the type of data store selected

3. Enable Use CyberArk Vault for credentials

4. Input the Username and Address of the machine to be scanned by AIM – this information appears on the Account Details page of the CyberArk Password Vault Web Access (PVWA) Admin Console

5. (OPTIONAL) Enter any of the following details to optimize AIM's performance

  • Safe – Name of the Access Control (Safe) where credentials are stored
  • Folder – Name of the folder where the account resides ('root' by default)
  • Object – Unique identifier name for the account
UI Text Box
typewarning

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes