
CyberArk SCIM

Learn about syncing your user list with CyberArk SCIM.

This guide outlines how to synchronize your application’s CyberArk directories using SCIM.

To synchronize an organization’s users and groups provisioned for your application, you’ll need to provide the organization with two pieces of information:

  • An Endpoint that CyberArk will make requests to.
  • A Bearer Token for CyberArk to authenticate its endpoint requests.

After completing step 1 below, both of these are available in your Endpoint’s Settings in the WorkOS Dashboard.

The rest of the steps below will need to be carried out by the organization when configuring your application in their CyberArk instance.

In your WorkOS Dashboard, select or create an Organization. Then select “Manually Configure Directory”.

A screenshot showing where to select "Manually Configure Directory" in the WorkOS dashboard.

Select “CyberArk” as the Directory Provider and add a descriptive name for the directory sync connection.

A screenshot showing the proper configuration of the "Create Directory" modal in the WorkOS dashboard.

On the Directory Sync connection settings page, save the Endpoint and the Bearer Token. You’ll input these in the CyberArk settings.

A screenshot showing the Endpoint and Bearer Token in the WorkOS dashboard.

We have support for whitelabeled URLs for Directory Sync endpoints. Contact us for more info!

CyberArk supports SCIM provisioning in the context of a SAML app. The usual setup is to enable SAML first, following our docs here.

Log in to the CyberArk Admin Portal, and navigate to your SAML app. Open the “Provisioning” tab, and select the box to “Enable provisioning for this application”.

A screenshot showing where to enable the "Enable provisioning for this application" setting in the CyberArk dashboard.

Click “Yes” in the confirmation modal.

A screenshot showing where to select "Yes" in the confirmation modal in the CyberArk dashboard.

Enter the Endpoint from the WorkOS Dashboard into the "SCIM Service URL" field, and enter the Bearer Token from the WorkOS Dashboard into the corresponding field in the Provisioning tab. Select “Verify” to save these credentials.

A screenshot showing where to input the WorkOS Endpoint as the "SCIM Service URL" and the Bearer Token in the CyberArk dashboard.

Users assigned to the SAML app will be synced, and mapped roles will be synced as groups. To map a role, select the “Add” button on the Provisioning settings page.

A screenshot showing where to select “Add” in the CyberArk dashboard.

In the role mapping modal, select the role you’d like to map, and then create a destination group. The name will be what you see as the group name in directory sync. All users assigned to that role will be members of the mapped group. Select “Done”.

A screenshot showing how to configure the "Role" and "Destination Group" settings in the "Role Mapping" modal of the CyberArk dashboard.

After the role mapping is completed, click “Save”. The SCIM configuration part of the setup is complete.

In CyberArk, navigate to the Settings → Users → Outbound Provisioning page. Under Synchronizations, start the sync. You can also set up scheduled syncs here.

A screenshot showing where to select "Start Sync" in the "Outbound Provisioning" settings in the CyberArk dashboard.

In the CyberArk SCIM directory in the WorkOS dashboard, select the "Users" tab and you will now see the users and groups synced over.

A screenshot showing the populated "Users" tab in the CyberArk SCIM directory in the WorkOS dashboard.
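
Synced group membership typically feeds authorization decisions, so it is worth reconciling the role mapping configured above against what appears after the sync. The following is an added example, not WorkOS or CyberArk code: the function names and sample data are constructed, and the synced state is assumed to be copied by hand from the "Users" tab.

```python
def expected_directory(app_users, role_members, role_mapping):
    """Expected users and groups, derived from the CyberArk-side settings.

    app_users:    usernames assigned to the SAML app
    role_members: role name -> usernames assigned to that role
    role_mapping: role name -> destination group (Role Mapping modal)
    """
    groups = {}
    for role, group in role_mapping.items():
        # Assumption: roles sharing a destination group pool their members.
        groups.setdefault(group, set()).update(role_members.get(role, set()))
    return {"users": set(app_users), "groups": groups}


def diff_directory(expected, synced):
    """Return sorted (finding, subject) tuples; an empty list means no drift."""
    findings = []
    for user in synced["users"] - expected["users"]:
        findings.append(("unexpected_user", user))
    for user in expected["users"] - synced["users"]:
        findings.append(("missing_user", user))
    for group in synced["groups"].keys() - expected["groups"].keys():
        findings.append(("unmapped_group", group))
    for group, members in expected["groups"].items():
        if group not in synced["groups"]:
            findings.append(("missing_group", group))
            continue
        got = synced["groups"][group]
        for user in got - members:
            findings.append(("unexpected_member", f"{group}:{user}"))
        for user in members - got:
            findings.append(("missing_member", f"{group}:{user}"))
    return sorted(findings)


# Constructed sample data, not taken from a real tenant.
APP_USERS = {"alice", "bob", "carol"}
ROLE_MEMBERS = {"Engineering Role": {"alice", "bob"}, "Admin Role": {"carol"}}
ROLE_MAPPING = {"Engineering Role": "engineering", "Admin Role": "admins"}
SYNCED = {  # what the "Users" tab shows after the sync, typed in by hand
    "users": {"alice", "bob", "carol"},
    "groups": {"engineering": {"alice", "bob"}, "admins": {"carol", "bob"}},
}

if __name__ == "__main__":
    expected = expected_directory(APP_USERS, ROLE_MEMBERS, ROLE_MAPPING)
    for finding in diff_directory(expected, SYNCED):
        print(finding)
```

In the sample, `bob` appears in the `admins` group without holding the mapped role, which is the kind of drift to investigate before the group is used for access control.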