Passwordless logins for your CyberArk PVWA site!
Here’s an overview of how to configure CyberArk’s PVWA with SAASPASS SAML authentication. Securing your company’s administrative consoles such as CyberArk PVWA is crucial. Let’s collectively make it harder for attackers to compromise your systems.
A number of these items are covered in the CyberArk SAASPASS integration documentation; however, I want to expand on it to make the steps easier to follow. Having example config files to compare against helps me make sure I’m putting things in the right spot. With that said, the SAASPASS CyberArk documentation is top notch.
Don’t test in Production. Use a lab environment and related lab accounts and such to validate these configurations. I’m not responsible for your actions. I’m creating test accounts and such to better illustrate how to configure the pieces required.
Prerequisites —
- CyberArk PVWA installed and configured in your environment
- RDP access to your PVWA server(s)
- Admin access to your Password Vault Web Access (PVWA) site
- Vaulted Account(s) you want to utilize with SAASPASS SAML authentication. This can be your privileged domain user accounts for example.
- PVWA IIS Certificate for server and/or your VIP.
- Internal CyberArk account called admin, with a random password. This is for testing purposes only in this overview. In practice you would likely integrate with your own Active Directory and the SAASPASS Sync pieces, which are out of scope for this demo.
- Free SAASPASS Company account in order to configure SAML with SAASPASS for your PVWA server(s) — https://www.saaspass.com/sd/#/companyRegistration
- Registered device for your test admin account you want to configure for SAML use.
Configure your SAASPASS CyberArk SAML integration —
- Log into SAASPASS with your company admin login (free trial)
- Click on “Add Secure Applications”
- Search for CyberArk, and click Add.
- Under Configuration, set your related PVWA site(s). Update the highlighted CyberArk ACS URL to your own PVWA server name or VIP name. Set the CyberArk Entity ID to PasswordVault.
- Click Save and Run.
- Click the Integration tab, where the required SAML pieces are auto-generated. Your IdentityProviderLoginURL and IdentityProviderCertificate values will differ from the example shown below.
- Save this information. We’ll get to that in a bit.
- Stay logged into your SAASPASS Admin console for the next step.
Configure your SAASPASS test admin account for SAML integration —
- Under Administration, click User Directories
- Find the related account we’ll configure to utilize SAML authentication. In this case we’re using a test admin account that is registered to my phone. Click on the admin name.
- Click on the Groups & apps tab.
- Click Add Account to Other Groups
- Check the box for CyberArk Enterprise Password Vault app you previously created. Click Add to Groups.
- The group is now added to the test admin account for SAML use.
Configure your PVWA —
- RDP into your PVWA server
- Back up your web.config file under c:\inetpub\wwwroot\PasswordVault.
- Update the web.config file to include the following items under <appSettings>. Save the file. See below for an example.
- Open the saml.config.template file within the same directory.
- Update it with your related ID information, as in the example below.
- Save the file as saml.config.
- Open CMD as admin. Run iisreset to recycle IIS.
- Repeat for each PVWA server you have, or copy/paste the files onto any other PVWA servers you have and perform an IIS reset on those too.
- Open your PVWA server site (for example, https://pvwa-cpm.acme.com/PasswordVault/). Log in with an administrator account.
- Click Administration > Options.
- Expand Authentication Methods. Select saml.
- Set Enabled to Yes.
- Set LogoffUrl to https://www.saaspass.com/sd/#/logoutSAML
- Click Apply.
- Right click on Access Restriction. Click Add AllowedReferrer.
- Put the value of the BaseUrl as https://www.saaspass.com
- Click Apply.
- Log out of your PVWA site.
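The file-editing part of the steps above (back up web.config, add the appSettings keys, recycle IIS) is easy to get subtly wrong by hand-editing XML, so here is a PowerShell script that does it the same way on each PVWA server. This is an added example and not code from the original post, from CyberArk, or from SAASPASS. It assumes the default PVWA path and that PVWA is on the local server; the appSettings key names in the hashtable are placeholders you fill in from the SAASPASS Integration tab and the CyberArk integration document (the two names used here are the ones the Integration tab shows; any others the document lists go in the same hashtable). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post, CyberArk or SAASPASS).
# Assumptions: default PVWA path; key names/values come from the SAASPASS
# Integration tab and the CyberArk integration doc, so the defaults are placeholders.
param(
    [string]$PvwaRoot = 'C:\inetpub\wwwroot\PasswordVault',
    [hashtable]$SamlSettings = @{
        'IdentityProviderLoginURL'    = 'https://REPLACE-WITH-IDP-LOGIN-URL'   # placeholder
        'IdentityProviderCertificate' = 'REPLACE-WITH-BASE64-IDP-CERT'        # placeholder
    }
)

$webConfig = Join-Path $PvwaRoot 'web.config'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup    = "$webConfig.$stamp.bak"

# 1. Back up before touching anything, so a bad edit is a Copy-Item away from undone.
Copy-Item -Path $webConfig -Destination $backup -ErrorAction Stop
Write-Host "Backed up web.config to $backup"

# 2. Load the file as XML rather than doing string replacement, so the document
#    stays well-formed and the edit is idempotent (re-running updates, not duplicates).
[xml]$xml = Get-Content -Path $webConfig -Raw
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw "No <appSettings> element found in $webConfig" }

foreach ($key in $SamlSettings.Keys) {
    $value    = $SamlSettings[$key]
    $existing = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($existing) {
        $existing.SetAttribute('value', $value)            # update in place
    } else {
        $node = $xml.CreateElement('add')                  # <add key="..." value="..."/>
        $node.SetAttribute('key',   $key)
        $node.SetAttribute('value', $value)
        [void]$appSettings.AppendChild($node)
    }
}
$xml.Save($webConfig)

# 3. Show exactly what changed against the backup before IIS is recycled, so the
#    diff can be eyeballed (and pasted into the change record) first.
Compare-Object -ReferenceObject (Get-Content $backup) -DifferenceObject (Get-Content $webConfig) |
    Format-Table -AutoSize

# 4. Recycle IIS so PVWA reloads web.config (the post's "iisreset" step).
iisreset
```

The saml.config file still needs the ID information from the Integration tab pasted into a copy of saml.config.template, as the post describes; the script deliberately does not guess at that file's layout. Because the edit goes through the XML DOM, running the script twice with corrected values simply updates the existing keys instead of appending duplicates, and the dated backup plus the Compare-Object output gives you the "before" copy the Recommended items section asks you to keep.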
Try SAML Authentication on your PVWA server —
- Open your PVWA server site using saml (for example, https://pvwa-cpm.acme.com/PasswordVault/v10/logon/saml)
- Using your device’s SAASPASS app, scan the QR code.
- You’re now logged into your PVWA site as your test admin account.
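A successful scan proves the happy path, but two things that break SAML logins later are not visible in that test: the TLS certificate on the PVWA site or VIP expiring, and the IdP signing certificate you pasted into the configuration expiring. The following PowerShell check is an added example, not code from the original post, CyberArk or SAASPASS; it assumes Windows PowerShell 5.1 or later on a host that can reach the PVWA site, and the URL and base64 certificate parameters are placeholders to replace with your own values.

```powershell
# Added example (not from the original post, CyberArk or SAASPASS).
# Assumptions: Windows PowerShell 5.1+; network reachability to the PVWA host;
# the defaults below are placeholders for your own PVWA URL and IdP certificate.
param(
    [string]$PvwaSamlLogonUrl = 'https://pvwa-cpm.acme.com/PasswordVault/v10/logon/saml',
    # Base64 body of the IdP signing certificate from the SAASPASS Integration tab (no PEM headers)
    [string]$IdpCertificateBase64 = 'REPLACE-WITH-BASE64-IDP-CERT',
    [int]$WarnDays = 30
)

function Get-RemoteTlsCertificate {
    # Opens a TLS session only to retrieve the leaf certificate the server presents.
    # The callback accepts any cert so we can inspect it; trust is evaluated separately below.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateLifetime {
    # Reports remaining lifetime and whether the chain validates on this machine.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Label)
    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        Check      = $Label
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        DaysLeft   = $daysLeft
        ChainValid = $Cert.Verify()   # builds and validates the chain against the local store
        State      = $state
    }
}

$results = @()

# 1. TLS certificate on the PVWA server or VIP named in the logon URL
$pvwaHost = ([uri]$PvwaSamlLogonUrl).Host
$results += Test-CertificateLifetime -Cert (Get-RemoteTlsCertificate -HostName $pvwaHost) -Label 'PVWA TLS cert'

# 2. IdP signing certificate that PVWA will use to verify SAASPASS assertions
$idpBytes = [Convert]::FromBase64String($IdpCertificateBase64)
$idpCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$idpBytes)
$results += Test-CertificateLifetime -Cert $idpCert -Label 'SAASPASS IdP cert'

# 3. The SAML logon endpoint answers after the iisreset (a 404/500 here means the
#    config edit or the Authentication Methods > saml setting did not take)
try {
    $resp  = Invoke-WebRequest -Uri $PvwaSamlLogonUrl -UseBasicParsing -ErrorAction Stop
    $state = "HTTP $($resp.StatusCode)"
} catch {
    $state = "FAILED: $($_.Exception.Message)"
}
$results += [pscustomobject]@{ Check = 'SAML logon URL'; Subject = $PvwaSamlLogonUrl
                               NotAfter = $null; DaysLeft = $null; ChainValid = $null; State = $state }

$results | Format-Table -AutoSize
```

Schedule this against each PVWA server (and the VIP) so an EXPIRING row shows up well before the SAML logon page does; an IdP certificate that has rolled over on the SAASPASS side shows up here as a mismatch between what the Integration tab now displays and what you pasted into the configuration.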
Looking for a partner in your Privileged Access Management rollout?
Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us
Recommended items:
- Configure separate SAML integrations for your Production and Non-Production PVWA servers.
- Be sure to create documentation for your newly created integration.
- Back up your SAML.config and web.config configuration files after everything is successful, within GitHub and/or within a CyberArk Vault safe such as VaultInternal or similar.
- Adjust your configuration as needed if you require signed requests and encrypted assertions.
- Confirm configurations with your SAML / IDP team(s).
Related CyberArk / SAASPASS Documentation —
- https://cyberark.my.site.com/mplace/s/#a3550000000Ej7rAAC-a3950000000jjgPAAQ
- https://docs.cyberark.com/PAS/12.6/en/Content/PAS%20INST/SAML-Authentication.htm
- https://blog.saaspass.com/how-to-add-passwordless-login-to-cyberark-enterprise-password-vault-c5723e119235
- https://www.youtube.com/watch?v=H54xV61oLyo&ab_channel=SAASPASS
- https://saaspass.com/saaspass-white-papers/