Connect CyberArk

Learn how to configure a connection to CyberArk via SAML


Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a CyberArk SAML Connection, you'll need the Identity Provider metadata that is available from your CyberArk instance.

WorkOS Provides

The first thing you'll need to do is create a new CyberArk SAML connection in your WorkOS Dashboard. Start by logging in to your WorkOS Dashboard and browsing to the "Organizations" tab in the left-hand navigation bar.

Select the organization you'd like to configure a CyberArk SAML Connection for, and add a Connection under "Single Sign-On Connections".

You'll want to select "CyberArk SAML" as the Identity Provider and give the Connection a descriptive name. Once this is filled out, click "Create Connection".

WorkOS provides the ACS URL. It's readily available in your Connection's Settings in the WorkOS Dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to. In CyberArk's case, it needs to be set by the Enterprise when configuring your application in their CyberArk instance.

Specifically, the ACS URL will need to be set as the "SP Entity Id / Issuer / Audience" and "Assertion Consumer Service (ACS) URL" in the "Service Provider Configuration" section of the "Trust" tab in the SAML App.


Next, provide the Identity Provider metadata.

Normally, this information will come from your Enterprise customer's IT Management team when they set up your application's SAML configuration in their CyberArk Identity Admin Portal. If that's not the case during your setup, the following steps describe how to get the necessary information.


Log in

Log in to the CyberArk Identity Admin Portal and select "Web Apps" from the left-side navigation.


Select or create your application

If your application is already created, select it from the list of applications and move to Step 4.

If you haven't created a SAML application in CyberArk, select "Add Web Apps".

Select the "Custom" tab and then click to add "SAML".

Select "Yes" to begin setting up the SAML App.


Initial SAML Application Setup

Enter a descriptive App Name and Description, then click "Save".

Next, navigate to the "Trust" tab and enter the ACS URL from the Connection Settings in your WorkOS Dashboard into the "SP Entity ID" and "ACS URL" fields, as described in the "WorkOS Provides" section of this guide.

IMPORTANT: Be sure to check "Both" under "Sign Response or Assertion?"


Configure Attribute Mapping

Select the "SAML Response" tab and use the "Add" button to add the following key-value pairs. Then, click "Save".

  • id -> LoginUser.Uuid
  • email -> LoginUser.Email
  • firstName -> LoginUser.FirstName
  • lastName -> LoginUser.LastName

Add Users to SAML Application

To give users permission to authenticate via this SAML app, you will need to assign individual users and/or groups of users to the CyberArk SAML app.

Click on the "Permissions" tab, and select "Add".

Search for the individual user(s) and/or group(s) that you would like to assign to the app, and check the box next to them. Click "Add" when you are finished. Once users have been successfully added, you should also notice the "Status" of your CyberArk SAML app change to "Deployed".


Copy Metadata

On the "Trust" tab of the SAML App, go to the "Service Provider Configuration Section" and select "Metadata". Then click the "Copy URL" button to copy the Metadata URL. You will enter this URL in the WorkOS Dashboard in the next step.


Provide Metadata

Finally, input the Metadata URL in your WorkOS Connection Settings. Your Connection will then be verified and good to go!
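To confirm the "Trust" tab and attribute mapping settings above took effect, you can inspect a decoded SAML response from a test login. The following is an added example, not WorkOS or CyberArk code: it checks structure only and does not verify signatures cryptographically, and the ACS URL, function names and sample response are constructed placeholders. It assumes each mapped key appears as the attribute Name in the assertion.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("id", "email", "firstName", "lastName")  # keys from the guide
ACS = "https://sp.example.test/acs/PLACEHOLDER"  # constructed placeholder ACS URL

def check_response(xml_text, acs_url):
    """List setup problems in a decoded SAML response (structure only, no crypto)."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    # "Both" under "Sign Response or Assertion?" means a Signature on each element.
    if resp.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # The ACS URL is also the SP Entity ID / Audience in this setup.
    if resp.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    if acs_url not in [a.text for a in assertion.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match ACS URL")
    values = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
              for a in assertion.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems

def build_sample(sign_response=True, attrs=REQUIRED_ATTRS):
    """Constructed sample response; the Signature elements are empty stand-ins."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>v-{n}'
        '</saml:AttributeValue></saml:Attribute>' for n in attrs)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS}">'
        f'{sig if sign_response else ""}<saml:Assertion>{sig}<saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{ACS}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(check_response(build_sample(sign_response=False, attrs=("id", "email")), ACS))
```

An empty list means the response carries both signatures, the expected audience and all four mapped attributes; an unsigned Response points back to the "Sign Response or Assertion?" setting.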