CyberArk SAML

Learn how to configure a connection to CyberArk via SAML.

Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a CyberArk SAML Connection, you’ll need the Identity Provider metadata that is available from your CyberArk instance.

The first thing you’ll need to do is create a new CyberArk SAML connection in your WorkOS Dashboard. Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.

Select the organization you’d like to configure a CyberArk SAML Connection for, and then click “Manually Configure Connection”.

You’ll want to select “CyberArk SAML” as the Identity Provider and give the Connection a descriptive name. Once this is filled out, click “Create Connection”.

WorkOS provides the ACS URL. It’s readily available in your Connection Settings in the WorkOS Dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to. In CyberArk’s case, it needs to be set by the Enterprise when configuring your application in their CyberArk instance.

Specifically, the ACS URL will need to be set as the “SP Entity Id / Issuer / Audience” and “Assertion Consumer Service (ACS) URL” in the “Service Provider Configuration” section of the “Trust” tab in the SAML App.

Next, provide the Identity Provider metadata.

Normally, this information will come from your Enterprise customer’s IT Management team when they set up your application’s SAML configuration in their CyberArk Identity Admin Portal. If that’s not the case during your setup, the following steps describe how to get the necessary information.

Log in to the CyberArk Identity Admin Portal and select “Web Apps” from the left-side navigation.

If your application is already created, select it from the list of applications and move to Step 4. If you haven’t created a SAML application in CyberArk, select “Add Web Apps”.

Select the “Custom” tab and then click to add “SAML”.

Select “Yes” to begin setting up the SAML App.

Enter a descriptive App Name and Description, then click “Save”.

Next, navigate to the “Trust” tab and enter the ACS URL from the Connection Settings in your WorkOS Dashboard into the “SP Entity ID” and ACS URL fields, as described in the “WorkOS Provides” section of this guide.

IMPORTANT: Be sure to check “Both” under “Sign Response or Assertion?”.

Select the “SAML Response” tab and use the “Add” button to add the following key-value pairs. Then, click “Save”.

  • id → LoginUser.Uuid
  • email → LoginUser.Email
  • firstName → LoginUser.FirstName
  • lastName → LoginUser.LastName

To give users permission to authenticate via this SAML app, you will need to assign individual users and/or groups of users to the CyberArk SAML app.

Click on the “Permissions” tab, and select “Add”.

Search for the individual user(s) and/or group(s) that you would like to assign to the app, and check the box next to them. Click “Add” when you are finished. Once users have been successfully added, you should also notice the “Status” of your CyberArk SAML app change to “Deployed”.

On the “Trust” tab of the SAML App, go to the “Service Provider Configuration” section and select “Metadata”. Then click the “Copy URL” button to copy the Metadata URL. This URL will be entered in the WorkOS Dashboard in the next step.

Finally, input the Metadata URL in your WorkOS Connection Settings. Your Connection will then be verified and good to go!
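As an added example (not WorkOS or CyberArk code), the following Python check inspects a decoded SAML Response for the three settings this guide depends on: an Audience equal to the ACS URL, a Signature on both the Response and the Assertion (“Both”), and the four mapped attributes. The ACS URL and the XML are constructed placeholders; the check tests Signature elements for presence only and does not verify them cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The four attributes mapped on the "SAML Response" tab in this guide.
REQUIRED_ATTRIBUTES = {"id", "email", "firstName", "lastName"}

def check_saml_response(xml_text, acs_url):
    """Return the problems found; an empty list means the response matches the
    settings this guide asks for. Structural check only: Signature elements are
    tested for presence, not cryptographically verified."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    # "Both" under "Sign Response or Assertion?" means two Signature elements.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # The ACS URL doubles as SP Entity ID / Audience on the CyberArk Trust tab.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if acs_url not in audiences:
        problems.append("Audience %r does not match the ACS URL" % audiences)
    names = {a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(REQUIRED_ATTRIBUTES - names)
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    return problems

# Constructed sample with a placeholder ACS URL. Its assertion is unsigned and
# lacks lastName, so check_saml_response reports exactly those two problems.
SAMPLE_ACS = "https://example.invalid/sso/saml/acs/PLACEHOLDER"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.invalid/sso/saml/acs/PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="id"/><saml:Attribute Name="email"/><saml:Attribute Name="firstName"/>
    </saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

Running `check_saml_response(SAMPLE_RESPONSE, SAMPLE_ACS)` on a response captured from a test login (after base64-decoding it) tells you which of the three settings is still wrong before you spend time on the WorkOS verification step.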