WorkOS Docs Homepage
Integrations

CyberArk SCIM

Learn about syncing your user list with CyberArk SCIM.

This guide outlines how to synchronize your application’s CyberArk directories using SCIM.

To synchronize an organization’s users and groups provisioned for your application, you’ll need to provide the organization with two pieces of information:

  • An Endpoint that CyberArk will make requests to.
  • A Bearer Token for CyberArk to authenticate its endpoint requests.

After completing step 1 below, both of these are available in your Endpoint’s Settings in the WorkOS Dashboard.

The rest of the steps below will need to be carried out by the organization when configuring your application in their CyberArk instance.

In your WorkOS Dashboard, select or create an Organization. Then select “Manually Configure Directory”.

A screenshot showing where to select "Manually Configure Directory" in the WorkOS dashboard.

Select “CyberArk” as the Directory Provider and add a descriptive name for the directory sync connection.

A screenshot showing the proper configuration of the "Create Directory" modal in the WorkOS dashboard.

On the Directory Sync connection settings page, save the Endpoint and the Bearer Token. You’ll input these in the CyberArk settings.

A screenshot showing the Endpoint and Bearer Token in the WorkOS dashboard.

We have support for whitelabeled URLs for Directory Sync endpoints. Contact us for more info!

CyberArk supports SCIM provisioning in the context of a SAML app. The usual set up is to enable SAML first, following our docs here.

Log in to the CyberArk Admin Portal, and navigate to your SAML app. Open the “Provisioning” tab, and select the box to “Enable provisioning for this application”.

A screenshot showing where to enable the "Enable provisioning for this application" setting in the CyberArk dashboard.

Click “Yes” in the confirmation modal.

A screenshot showing where to select "Yes" in the confirmation modal in the CyberArk dashboard.

Enter the Endpoint from the WorkOS Dashboard into the “SCIM Service URL” field, and enter the Bearer Token from the WorkOS Dashboard into the corresponding field in the Provisioning tab. Select “Verify” to save these credentials.

A screenshot showing where to input the WorkOS Endpoint as the "SCIM Service URL" and the Bearer Token in the CyberArk dashboard.

Once the credentials have been verified, more options will be appear below. Deselect “Do not de-provision (deactivate or delete) users in target application” as seen below.

A screenshot showing which checkboxes to disable in the CyberArk dashboard.

Users assigned to the SAML app will be synced, and roles mapped will be synced as groups. The roles are mapped on the Provisioning settings page, by selecting the “Add” button.

A screenshot showing where to select “Add” in the CyberArk dashboard.

In the role mapping modal, select the role you’d like to map, and then create a destination group. The name will be what you see as the group name in directory sync. All users assigned to that role will be members of the mapped group. Select “Done”.

A screenshot showing how to configure the "Role" and "Destination Group" settings in the "Role Mapping" modal of the CyberArk dashboard.

After the role mapping is completed, click “Save”. The SCIM configuration part of the setup is complete.

In CyberArk, navigate to the Settings → Users → Outbound Provisioning page. Under Synchronizations, start the sync. You can also set up scheduled syncs here.

A screenshot showing where to select "Start Sync" in the "Outbound Provisioning" settings in the CyberArk dashboard.

In the CyberArk SCIM directory in the WorkOS dashboard, select the “Users” tab and you will now see the users and groups synced over.

A screenshot showing the populated "Users" tab in the CyberArk SCIM directory in the WorkOS dashboard.

A detailed guide to integrate the WorkOS API with your application can be found here

When a group is removed, I don’t see a dsync.group.deleted or dsync.group.user_removed events – is this expected?

Instead of individually assigning users to a SCIM application, CyberArk SCIM requires that users are assigned to the application through group membership.

It is a known issue with CyberArk SCIM that when a group is removed from the app, no indication is received that the group has changed.

The users of the group must be cleaned up before the group itself is removed from the SCIM application.