Integrating CyberArk PVWA 14.4 with Okta SAML for
Secure Single Sign-On and MFA
Integrating CyberArk Password Vault Web Access (PVWA) 14.4
with Okta SAML 2.0 enables secure and seamless Single Sign-On (SSO) for
privileged users. This guide provides a step-by-step walkthrough to configure
CyberArk as a SAML Service Provider and Okta as the Identity Provider (IdP),
ensuring efficient and secure authentication.
Overview
Using SAML integration with Okta allows organizations to
centralize identity management, enhance authentication security, and streamline
user access to CyberArk. The integration also supports federated user
provisioning and group-based access control.
Phase 1: Prerequisites
Ensure the following requirements are met before beginning the integration:
- CyberArk PVWA version 14.4 or later is installed and operational.
- Okta administrator access is available.
- A test user exists in both CyberArk and Okta.
- HTTPS is enabled for PVWA, as SAML requires secure communication.
Phase 2: Configure CyberArk PVWA for SAML
Step A: Enable SAML in PVWA Configuration
- Log in to CyberArk PVWA as an administrator.
- Navigate to Administration > Configuration Options > Options.
- Under Authentication Methods, expand saml:
  - Set Enabled to Yes.
  - Optionally, configure the LogoffUrl with your Okta logout URL if Single Logout (SLO) is required.
- Add your Okta domain (e.g., *.okta.com) to the AllowedReferrer list under Access Restriction.
- Click Apply to save the changes.
Step B: Configure the saml.config File
The saml.config file is located at:
<installation path>\inetpub\wwwroot\PasswordVault\WebUI\Configs\saml.config
Update the following parameters:
- ServiceProvider: Define the Name with the CyberArk PVWA URL.
- PartnerIdentityProvider: Set the Okta SAML metadata URL, SingleSignOnService endpoint, and EntityID.
- Configure certificates if required for signed requests or encrypted assertions.
- Ensure consistency between the ServiceProvider name and the values configured in Okta.
Phase 3: Configure Okta as the Identity Provider
Step A: Create a New SAML 2.0 Application
- Log in to the Okta Admin Console.
- Navigate to Applications > Applications, then click Create App Integration.
- Choose SAML 2.0 and click Next.
- Provide the following details:
  - App name: CyberArk PVWA
  - Optionally, upload the CyberArk logo.
Step B: Configure SAML Settings
Fill in the required fields:
- Single Sign-On URL: Use the Assertion Consumer Service (ACS) URL from the CyberArk saml.config.
- Audience URI (SP Entity ID): This should match the ServiceProvider Name in the CyberArk configuration.
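A mismatch between the three places these values live (saml.config on the PVWA server, the Okta app's SAML settings, and the metadata Okta publishes for the app) is a frequent cause of a failed logon, so it is worth checking them mechanically before testing. The Python script below is an added example, not CyberArk or Okta code: it parses a constructed Okta metadata document and a constructed saml.config and compares the EntityID, SSO URL, signing certificate, Audience URI and ACS URL. Every ID, hostname and certificate body in it is a placeholder; replace them with the metadata fetched from your tenant and your own saml.config.

```python
"""Cross-check a PVWA saml.config against the Okta IdP metadata and the
Okta application settings. Added example, not CyberArk or Okta code; the
XML samples below are constructed and every ID/URL in them is a placeholder."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"          # SAML metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"            # XML-DSig namespace (certificates)
CFG = "{urn:componentspace:SAML:2.0:configuration}"    # saml.config namespace
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for what Okta serves at the app's SAML metadata URL.
OKTA_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE0001">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIIC0EXAMPLECERTBODY
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourtenant.okta.com/app/cyberark/exkEXAMPLE0001/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourtenant.okta.com/app/cyberark/exkEXAMPLE0001/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed saml.config following the layout shown later in this guide.
SAML_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="PasswordVault" Description="PasswordVault Service Provider"
      AssertionConsumerServiceUrl="~/api/auth/saml/logon"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="http://www.okta.com/exkEXAMPLE0001"
        SingleSignOnServiceUrl="https://yourtenant.okta.com/app/cyberark/exkEXAMPLE0001/sso/saml"
        SignAuthnRequest="false">
      <PartnerCertificates>
        <Certificate String="MIIC0EXAMPLECERTBODY"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""

# What was typed into the Okta app's SAML settings (constructed; same values as the screenshots).
PVWA_APP_URL = "https://cyberarkpam.corp.com/PasswordVault"
OKTA_APP = {"sso_url": "https://cyberarkpam.corp.com/PasswordVault/api/auth/saml/logon",
            "audience_uri": "PasswordVault"}


def parse_okta_metadata(xml_text):
    """Pull entity ID, SSO endpoints and signing certificate out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(MD + "SingleSignOnService")}
    cert = idp.find(".//" + DS + "X509Certificate").text
    return {"entity_id": root.get("entityID"), "sso_post": sso.get(POST),
            "sso_redirect": sso.get(REDIRECT), "cert": "".join(cert.split())}


def parse_saml_config(xml_text):
    """Read the SP and the first PartnerIdentityProvider entry from saml.config."""
    root = ET.fromstring(xml_text)
    sp = root.find(CFG + "ServiceProvider")
    idp = root.find(CFG + "PartnerIdentityProviders/" + CFG + "PartnerIdentityProvider")
    cert = idp.find(CFG + "PartnerCertificates/" + CFG + "Certificate")
    return {"sp_name": sp.get("Name"), "acs_url": sp.get("AssertionConsumerServiceUrl"),
            "idp_name": idp.get("Name"), "idp_sso_url": idp.get("SingleSignOnServiceUrl"),
            "idp_cert": "".join((cert.get("String") or "").split())}


def check_consistency(cfg, meta, okta_app, pvwa_app_url):
    """Return a list of mismatches; an empty list means the three sides agree."""
    problems = []
    if cfg["idp_name"] != meta["entity_id"]:
        problems.append("PartnerIdentityProvider Name != Okta entityID")
    if cfg["idp_sso_url"] not in (meta["sso_post"], meta["sso_redirect"]):
        problems.append("SingleSignOnServiceUrl is not an Okta SSO endpoint")
    if cfg["idp_cert"] != meta["cert"]:
        problems.append("PartnerCertificates does not match the Okta signing certificate")
    if okta_app["audience_uri"] != cfg["sp_name"]:
        problems.append("Okta Audience URI != ServiceProvider Name")
    # '~' in the ACS URL stands for the PVWA application root
    expected_acs = pvwa_app_url.rstrip("/") + cfg["acs_url"].lstrip("~")
    if okta_app["sso_url"] != expected_acs:
        problems.append(f"Okta Single Sign-On URL != {expected_acs}")
    return problems


if __name__ == "__main__":
    issues = check_consistency(parse_saml_config(SAML_CONFIG),
                               parse_okta_metadata(OKTA_METADATA), OKTA_APP, PVWA_APP_URL)
    print("\n".join(issues) or "saml.config, Okta metadata and Okta app settings are consistent")
```

Run it after pointing `SAML_CONFIG` at the real file and `OKTA_METADATA` at the document downloaded from the app's metadata URL; any line it prints is a value to correct before moving on to testing.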
Step C: Define Attribute Statements
Map Okta user attributes to CyberArk:
Step D: Configure Group Attribute Statement (Optional)
You may define a group filter to manage access control based on Okta groups. For example:
- Name: memberOf
- Filter: Starts with "CyberArk-"
Step E: Assign the Application
Assign the newly created SAML application to the users or
groups who require access to CyberArk.
Phase 4: Allow Okta API Calls in PVWA
- In PVWA, navigate to Administration > Configuration Options > Security Settings.
- Under API Security > Allowed Domain, add your Okta domain (e.g., https://yourtenant.okta.com).
- Click Add, then Save.
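Both the AllowedReferrer list from Phase 2 and the Allowed Domain setting above are host allowlists, and such a list only protects anything if it is matched against the host of the URL, not against any substring of it. The Python below is an added example of that behaviour; it is not how PVWA implements these settings, only the checks a correct implementation has to pass: a wildcard subdomain pattern such as *.okta.com, an exact tenant URL, and rejection of look-alike hosts, of hosts smuggled into the path, query or userinfo, and of non-HTTPS referrers. The allowlist values are constructed.

```python
"""Illustrative host allowlist check in the spirit of PVWA's AllowedReferrer and
API Security > Allowed Domain settings. Added example, not CyberArk's implementation;
it shows the behaviour such a check must have, not how PVWA evaluates the list."""
from urllib.parse import urlsplit

# Constructed allowlist in the two forms the guide uses ("*.okta.com" and a full tenant URL).
ALLOWLIST = ["*.okta.com", "https://yourtenant.okta.com"]


def _pattern_host(pattern):
    """Accept either a bare host pattern or a URL and return its host part, lower-cased."""
    if "://" in pattern:
        return (urlsplit(pattern).hostname or "").lower()
    return pattern.lower()


def host_matches(host, pattern):
    """Exact match, or a subdomain match when the pattern starts with '*.'."""
    host = host.lower().rstrip(".")
    pattern = _pattern_host(pattern)
    if pattern.startswith("*."):
        # '*.okta.com' matches 'tenant.okta.com' but not 'okta.com', 'evilokta.com'
        # or 'tenant.okta.com.evil.test' (the suffix includes the leading dot)
        return host.endswith(pattern[1:])
    return host == pattern


def referrer_allowed(referrer, allowlist=ALLOWLIST):
    """True only for an https URL whose host (not path, query or userinfo) is on the allowlist."""
    try:
        parts = urlsplit(referrer)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p) for p in allowlist)


if __name__ == "__main__":
    for url in ["https://yourtenant.okta.com/app/cyberark/sso/saml",
                "https://yourtenant.okta.com.evil.test/",
                "https://evil.test/login?next=yourtenant.okta.com",
                "https://yourtenant.okta.com@evil.test/",
                "http://yourtenant.okta.com/"]:
        print("allow" if referrer_allowed(url) else "deny ", url)
```

The fourth URL is the one worth remembering when reviewing an allowlist: the text `yourtenant.okta.com` is present, but the host the browser actually contacts is `evil.test`, which is why the check must parse the URL rather than search it.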
Phase 5: Test the Integration
Method A: IdP-Initiated SSO
- From the Okta dashboard, click on the CyberArk PVWA application tile.
- You should be redirected and logged into CyberArk PVWA without entering credentials.
Method B: SP-Initiated SSO
- Open the CyberArk PVWA URL directly (e.g., https://pvwa.company.com).
- Choose the Okta authentication method from the login options.
- Authenticate using Okta credentials.
Upon successful authentication, the user should be redirected to the PVWA interface. If user attributes are mapped correctly, federated users may be automatically provisioned in CyberArk.
Important Considerations
- Versions of PVWA earlier than 11.3 use the web.config file for SAML configuration. From version 11.3 onward, saml.config is used.
- In PVWA 14.4 and later, users must have allowed authentication methods explicitly defined.
- During initial configuration, enable SAML debug logging to assist in troubleshooting authentication errors.
- Validate that the system clock is synchronized between PVWA and Okta, as time mismatches can lead to SAML assertion errors.
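The clock-synchronization point above and the group filter from Phase 3, Step D can both be seen concretely on the assertion Okta posts to PVWA. The Python below is an added example, not CyberArk, Okta or ComponentSpace code: it evaluates the Conditions element of a constructed, unsigned assertion against a given SP clock with a 60-second skew allowance, checks the Audience against the ServiceProvider Name, and applies the Starts with "CyberArk-" filter to the memberOf values. The issuer, IDs and group names are placeholders, and signature verification, which the SAML library performs before any of this matters, is deliberately not shown.

```python
"""Validate the time window and audience of a SAML assertion with a clock-skew
allowance, and apply the 'Starts with "CyberArk-"' group filter. Added example,
not CyberArk, Okta or ComponentSpace code; signature verification is out of scope
here and is assumed to have been done already by the SAML library."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

A = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # SAML assertion namespace

# Constructed (unsigned) assertion shaped like what Okta posts to the ACS URL.
ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-EXAMPLE" Version="2.0" IssueInstant="2025-01-15T10:00:00.000Z">
  <saml2:Issuer>http://www.okta.com/exkEXAMPLE0001</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2025-01-15T09:55:00.000Z" NotOnOrAfter="2025-01-15T10:05:00.000Z">
    <saml2:AudienceRestriction><saml2:Audience>PasswordVault</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>CyberArk-Vault-Admins</saml2:AttributeValue>
      <saml2:AttributeValue>CyberArk-Linux-Users</saml2:AttributeValue>
      <saml2:AttributeValue>Okta-Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_saml_time(value):
    """SAML uses ISO 8601 UTC timestamps, usually with a trailing 'Z' and fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_conditions(assertion_xml, now, expected_audience, skew=timedelta(seconds=60)):
    """Return a list of condition failures, tolerating +/- `skew` of clock drift."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(A + "Conditions")
    problems = []
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        problems.append(f"assertion not yet valid (NotBefore {not_before.isoformat()}); SP clock may be behind")
    if now - skew >= not_on_or_after:
        problems.append(f"assertion expired (NotOnOrAfter {not_on_or_after.isoformat()}); SP clock may be ahead")
    audiences = [a.text for a in cond.iter(A + "Audience")]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    return problems


def cyberark_groups(assertion_xml, attribute="memberOf", prefix="CyberArk-"):
    """Values of the group attribute that survive the 'Starts with' filter."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(A + "Attribute"):
        if attr.get("Name") == attribute:
            values = [v.text.strip() for v in attr.findall(A + "AttributeValue") if v.text]
            return [g for g in values if g.startswith(prefix)]
    return []


if __name__ == "__main__":
    # An SP whose clock is 10 minutes slow sees a fresh assertion as "not yet valid".
    for label, clock in [("in sync", datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)),
                         ("10 min slow", datetime(2025, 1, 15, 9, 50, tzinfo=timezone.utc))]:
        print(label, "->", check_conditions(ASSERTION, clock, "PasswordVault") or "OK")
    print("groups:", cyberark_groups(ASSERTION))
```

When a logon fails right after configuration, the two messages this produces map directly onto the two fixes: a "not yet valid" or "expired" result points at NTP on the PVWA server, and an audience mismatch points at the Audience URI in Okta versus the ServiceProvider Name in saml.config.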
Reference Screenshots, Step by Step
Onboard the CyberArk Application into Okta
Enter the SAML SSO URL: https://cyberarkpam.corp.com/PasswordVault/api/auth/saml/logon
Audience URI: PasswordVault

1.2. Map the Respective PAM User Group to CyberArk Applications
SAML Configurations on PVWA Server (saml.config file)
--
<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <!-- Service Provider (PVWA). Name is the SP Entity ID and must equal the Audience URI set in Okta. -->
  <ServiceProvider Name="[Enter Provider Name, e.g. PasswordVault]"
                   Description="PasswordVault Service Provider"
                   AssertionConsumerServiceUrl="~/api/auth/saml/logon"/>
  <!-- PVWA's own certificate (PFX), used when requests are signed or assertions are encrypted -->
  <LocalCertificates>
    <Certificate FileName="C:\Stage\certs\pvwa.pfx" Password="Password@1234"/>
  </LocalCertificates>
  <PartnerIdentityProviders>
    <!-- Name is the Okta Entity ID (Identity Provider Issuer); SingleSignOnServiceUrl is the Okta SSO URL -->
    <PartnerIdentityProvider Name="[Enter Entity ID]"
                             SingleSignOnServiceUrl="[Enter SSO Login URL]"
                             SignAuthnRequest="false">
      <PartnerCertificates>
        <!-- Okta's X.509 signing certificate, pasted as its Base64 text -->
        <Certificate String="[Paste the Okta certificate here]"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
--

SAML authentication enabled on the PVWA portal.

Access Restrictions allow list (whitelist): load balancers, PVWA component URLs and the Okta SSO URL.
Testing
https://cyberarkpam.corp.com/PasswordVault/v10/logon/saml

Happy Learning!!