
CyberArk SAML

Learn how to configure a connection to CyberArk via SAML.

Each SSO Identity Provider requires specific information to create and configure a new Connection. Often, the information required to create a Connection will differ by Identity Provider.

To create a CyberArk SAML Connection, you’ll need the Identity Provider metadata that is available from your CyberArk instance.

The first thing you’ll need to do is create a new CyberArk SAML connection in your WorkOS dashboard. Start by logging in to your WorkOS dashboard and browsing to the “Organizations” tab on the left-hand navigation bar.

Select the organization you’d like to configure a CyberArk SAML Connection for, and then click “Manually Configure Connection”.

A screenshot showing where to select "Manually Configure Connection" in the WorkOS dashboard.

Select “CyberArk SAML” as the Identity Provider, give the Connection a descriptive name, and click “Create Connection”.

A screenshot showing the "Create Connection" modal in the WorkOS dashboard.

WorkOS provides the ACS URL. It’s readily available in your Connection Settings in the WorkOS dashboard.

A screenshot showing where to locate the "ACS URL" in the WorkOS dashboard.

The ACS URL is the location an Identity Provider redirects its authentication response to. In CyberArk’s case, it needs to be set by the organization when configuring your application in their CyberArk instance.

Specifically, the ACS URL will need to be set as the “SP Entity Id / Issuer / Audience” and “Assertion Consumer Service (ACS) URL” in the “Service Provider Configuration” section of the “Trust” tab in the SAML App.

A screenshot showing where to input the WorkOS ACS URL in the “SP Entity ID” and "ACS URL" fields in the CyberArk dashboard.

Next, provide the Identity Provider metadata.

Normally, this information will come from the organization's IT Management team when they set up your application’s SAML configuration in their CyberArk Identity Admin Portal. If that’s not the case during your setup, the following steps describe how to get the necessary information.

Log in to the CyberArk Identity Admin Portal and select “Web Apps” from the left-side navigation.

A screenshot showing where to select "Web Apps" in the CyberArk dashboard.

If your application is already created, select it from the list of applications and move to Step 4. If you haven’t created a SAML application in CyberArk, select “Add Web Apps”.

A screenshot showing where to select "Add Web Apps" in the CyberArk dashboard.

Select the “Custom” tab and then click to add “SAML”.

A screenshot showing how to select the "SAML" web application type in the CyberArk dashboard.

Select “Yes” to begin setting up the SAML App.

A screenshot indicating to select "Yes" in the confirmation to add the new application in the CyberArk dashboard.

Enter a descriptive App Name and Description, then click “Save”.

A screenshot showing how to populate the "Name" and "Description" fields in the CyberArk dashboard.

Next, navigate to the “Trust” tab of the SAML App. In the “Service Provider Configuration” section, enter the ACS URL from the Connection Settings into both “SP Entity Id / Issuer / Audience” and “Assertion Consumer Service (ACS) URL”.

IMPORTANT: Be sure to check “Both” under “Sign Response or Assertion?”.

A screenshot showing where to input the WorkOS ACS URL in the “SP Entity ID” and "ACS URL" fields in the CyberArk dashboard.

Select the “SAML Response” tab and use the “Add” button to add the following key-value pairs. Then, click “Save”.

  • id → LoginUser.Uuid
  • email → LoginUser.Email
  • firstName → LoginUser.FirstName
  • lastName → LoginUser.LastName

A screenshot showing the "SAML Response" tab successfully configured in the CyberArk dashboard.

Users can automatically be assigned roles within your application by sending their group memberships. To enable this, set up a group attribute statement following the guidance below.

This feature is currently in beta; contact customer support for more information.

Add a new attribute in the "SAML Response" tab. In the "Attribute Name" column, input “groups”, and map it to the "Attribute Value" for a user’s group membership, such as LoginUser.GroupNames, as shown in the example below.

A screenshot showing the groups attribute successfully configured in CyberArk.

To give users permission to authenticate via this SAML app, you will need to assign individual users and/or groups of users to the CyberArk SAML app.

Click on the “Permissions” tab, and select “Add”.

A screenshot showing where to select "Add" in the "Permissions" tab of the application in the CyberArk dashboard.

Search for the individual user(s) and/or group(s) that you would like to assign to the app, and check the box next to them. Click “Add” when you are finished. Once users have been successfully added, you should also notice the “Status” of your CyberArk SAML app change to “Deployed”.

A screenshot showing the selection of a user to add to the SAML application in the CyberArk dashboard.

On the “Trust” tab of the SAML App, go to the “Service Provider Configuration Section” and select “Metadata”. Then click the “Copy URL” button to copy the Metadata URL. You will enter this URL in the WorkOS dashboard in the next step.

A screenshot showing where to obtain the "Metadata URL" in the CyberArk dashboard.

Finally, select "Edit Metadata Configuration" and input the Metadata URL in your WorkOS Connection Settings. Your Connection will then be verified and good to go!

A screenshot showing where to select "Edit Metadata Configuration" in the "Identity Provider Configuration" in the WorkOS dashboard.
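
Once the connection is live, the settings above can be checked against a decoded SAML response from a test login. The following is an added example, not WorkOS or CyberArk code: it confirms that the Destination and Audience equal the ACS URL, that both the Response and the Assertion carry a signature element, and that the four mapped attributes are present. The names `check_response`, `build_sample` and the `ACS` placeholder URL are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = {"id", "email", "firstName", "lastName"}  # attribute names from this guide
ACS = "https://sp.example.test/acs/PLACEHOLDER"  # constructed placeholder, not a real ACS URL

def check_response(xml_text, acs_url):
    """List configuration problems in a decoded SAML response.
    Structural only: checks that signatures are present, not that they verify."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in Response"]
    problems = []
    if resp.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    # This guide sets the ACS URL as the SP Entity ID, so it is also the Audience.
    if acs_url not in {a.text for a in assertion.iterfind(".//saml:Audience", NS)}:
        problems.append("Audience is not the ACS URL")
    # "Both" = a ds:Signature directly under Response and directly under Assertion.
    if resp.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in sorted(REQUIRED - names)]
    return problems

def build_sample(sign_response=True, attrs=("id", "email", "firstName", "lastName")):
    """Constructed sample response with empty ds:Signature stubs (no real crypto)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' Destination="{ACS}">{sig if sign_response else ""}'
            f'<saml:Assertion>{sig}<saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{ACS}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>{attr_xml}'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    print(check_response(build_sample(), ACS))  # correctly configured app
    print(check_response(build_sample(sign_response=False, attrs=("id", "email")), ACS))
```

To use it on a real login, pass the base64-decoded `SAMLResponse` form value and the ACS URL from your Connection Settings; signature validity itself still has to be verified by the service provider's SAML library.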