
Oracle Fusion Middleware : Oracle Identity and Access Management Suite 10g/11gR1/11gR2PS1,PS2,PS3 : OIM | OAM,OAAM,OIF | OID, OVD, DIP | OUD/ ODSEE | Microsoft AD | OpenLDAP | ADF | EBS R12 | OECMCCR4 | Business Intelligence - BI Publisher | Banking | Demo Applications | Core Java | SQL | PLSQL | Web services | Weblogic | Tomcat | JBoss | OHS | WebGate | WebCenter | For any queries please contact me: info@oratechsoft.com


Wednesday, 6 August 2025

CyberArk: CyberArk PVWA integrating with OKTA SAML

Integrating CyberArk PVWA 14.4 with Okta SAML for Secure Single Sign-On and MFA

Integrating CyberArk Password Vault Web Access (PVWA) 14.4 with Okta SAML 2.0 enables secure and seamless Single Sign-On (SSO) for privileged users. This guide provides a step-by-step walkthrough to configure CyberArk as a SAML Service Provider and Okta as the Identity Provider (IdP), ensuring efficient and secure authentication.

Overview

Using SAML integration with Okta allows organizations to centralize identity management, enhance authentication security, and streamline user access to CyberArk. The integration also supports federated user provisioning and group-based access control.

Phase 1: Prerequisites

Ensure the following requirements are met before beginning the integration:

  • CyberArk PVWA version 14.4 or later is installed and operational.
  • Okta administrator access is available.
  • A test user exists in both CyberArk and Okta.
  • HTTPS is enabled for PVWA, as SAML requires secure communication.

Phase 2: Configure CyberArk PVWA for SAML

Step A: Enable SAML in PVWA Configuration

  • Log in to CyberArk PVWA as an administrator.
  • Navigate to Administration > Configuration Options > Options.
  • Under Authentication Methods, expand saml:
      • Set Enabled to Yes.
      • Optionally, configure the LogoffUrl with your Okta logout URL if Single Logout (SLO) is required.
  • Add your Okta domain (e.g., *.okta.com) to the AllowedReferrer list under Access Restriction.
  • Click Apply to save the changes.

Step B: Configure the saml.config File

The saml.config file is located at:

<installation path>\inetpub\wwwroot\PasswordVault\WebUI\Configs\saml.config

Update the following parameters:

  • ServiceProvider: Define the Name with the CyberArk PVWA URL.
  • PartnerIdentityProvider: Set the Okta SAML metadata URL, SingleSignOnService endpoint, and EntityID.
  • Configure certificates if required for signed requests or encrypted assertions.
  • Ensure consistency between the ServiceProvider name and the values configured in Okta.

Phase 3: Configure Okta as the Identity Provider

Step A: Create a New SAML 2.0 Application

  • Log in to the Okta Admin Console.
  • Navigate to Applications > Applications, then click Create App Integration.
  • Choose SAML 2.0 and click Next.
  • Provide the following details:
      • App name: CyberArk PVWA
      • Optionally, upload the CyberArk logo.

Step B: Configure SAML Settings

Fill in the required fields:

  • Single Sign-On URL: Use the Assertion Consumer Service (ACS) URL from the CyberArk saml.config.
  • Audience URI (SP Entity ID): This should match the ServiceProvider Name in the CyberArk configuration.
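The two consistency rules above (Okta's Single Sign-On URL must be the absolute form of the ACS path in saml.config, and the Audience URI must equal the ServiceProvider Name) are easy to get wrong by hand. The following Python check is an added example, not CyberArk's or Okta's code; every value in it is a constructed sample (the tenant and PVWA hostnames, the Okta issuer exkEXAMPLE and the certificate string are placeholders), and it reads the saml.config from a string rather than the file path given in Phase 2.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:componentspace:SAML:2.0:configuration"}

# Constructed saml.config, shaped like the file shown later on this page, with
# the bracketed placeholders filled in with made-up sample values.
SAML_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="PasswordVault" Description="PasswordVault Service Provider"
                   AssertionConsumerServiceUrl="~/api/auth/saml/logon"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="http://www.okta.com/exkEXAMPLE"
        SingleSignOnServiceUrl="https://yourtenant.okta.com/app/cyberarkpvwa/exkEXAMPLE/sso/saml"
        SignAuthnRequest="false">
      <PartnerCertificates><Certificate String="MIIC...constructed..."/></PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>"""

# Constructed values: what was typed into the Okta app (Phase 3, Step B) plus the
# issuer and SSO URL Okta publishes for that app.
OKTA_APP = {
    "single_sign_on_url": "https://pvwa.company.com/PasswordVault/api/auth/saml/logon",
    "audience_uri": "PasswordVault",
    "idp_issuer": "http://www.okta.com/exkEXAMPLE",
    "idp_sso_url": "https://yourtenant.okta.com/app/cyberarkpvwa/exkEXAMPLE/sso/saml",
}


def check_saml_config(config_xml: str, okta: dict, pvwa_base: str) -> list[str]:
    """Return the mismatches between saml.config and the Okta app; [] means consistent."""
    root = ET.fromstring(config_xml)
    sp = root.find("c:ServiceProvider", NS)
    idp = root.find("c:PartnerIdentityProviders/c:PartnerIdentityProvider", NS)
    problems = []
    # Unfilled "[Enter ...]" placeholders are the most common copy-paste mistake.
    for el in (sp, idp):
        for key, val in el.attrib.items():
            if val.startswith("[") and val.endswith("]"):
                problems.append(f"placeholder left in {el.tag.split('}')[1]}.{key}")
    # Okta's Audience URI must equal the ServiceProvider Name exactly.
    if sp.get("Name") != okta["audience_uri"]:
        problems.append(f"Audience URI {okta['audience_uri']!r} != ServiceProvider Name {sp.get('Name')!r}")
    # Okta's Single Sign-On URL must be the absolute form of the relative ACS path ("~" = PVWA site root).
    acs = sp.get("AssertionConsumerServiceUrl", "").replace("~", pvwa_base, 1)
    if acs != okta["single_sign_on_url"]:
        problems.append(f"ACS URL {acs!r} != Okta Single Sign-On URL")
    # The partner IdP entry must carry Okta's own issuer (Entity ID) and SSO endpoint.
    if idp.get("Name") != okta["idp_issuer"]:
        problems.append("PartnerIdentityProvider Name != Okta IdP issuer")
    if idp.get("SingleSignOnServiceUrl") != okta["idp_sso_url"]:
        problems.append("SingleSignOnServiceUrl != Okta IdP SSO URL")
    return problems
```

Run it against the real file contents and your Okta settings; an empty list means the SP and IdP sides agree.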

Step C: Define Attribute Statements

Map the required Okta user attributes to the corresponding CyberArk user attributes.

Step D: Configure Group Attribute Statement (Optional)

You may define a group filter to manage access control based on Okta groups. For example:

  • Name: memberOf
  • Filter: Starts with "CyberArk-"

Step E: Assign the Application

Assign the newly created SAML application to the users or groups who require access to CyberArk.

Phase 4: Allow Okta API Calls in PVWA

  • In PVWA, navigate to Administration > Configuration Options > Security Settings.
  • Under API Security > Allowed Domain, add your Okta domain (e.g., https://yourtenant.okta.com).
  • Click Add, then Save.

Phase 5: Test the Integration

Method A: IdP-Initiated SSO

  • From the Okta dashboard, click on the CyberArk PVWA application tile.
  • You should be redirected and logged into CyberArk PVWA without entering credentials.

Method B: SP-Initiated SSO

  • Open the CyberArk PVWA URL directly (e.g., https://pvwa.company.com).
  • Choose the Okta authentication method from the login options.
  • Authenticate using Okta credentials.

Upon successful authentication, the user should be redirected to the PVWA interface. If user attributes are mapped correctly, federated users may be automatically provisioned in CyberArk.

Important Considerations

  • Versions of PVWA earlier than 11.3 use the web.config file for SAML configuration. From version 11.3 onward, saml.config is used.
  • In PVWA 14.4 and later, users must have allowed authentication methods explicitly defined.
  • During initial configuration, enable SAML debug logging to assist in troubleshooting authentication errors.
  • Validate that the system clock is synchronized between PVWA and Okta, as time mismatches can lead to SAML assertion errors.
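As an added illustration of the last two points (not CyberArk's code), the following Python models the checks a SAML service provider applies to the Conditions element of an Okta assertion, with a clock-skew tolerance so that a PVWA clock drifting away from Okta produces exactly the "assertion error" described above, together with the memberOf prefix filter from Phase 3 Step D. The assertion is a constructed sample (issuer exkEXAMPLE, user alice@corp.com, group names), and signature verification is omitted because PVWA's SAML library performs it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion, shaped like the one Okta posts to the PVWA ACS URL.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-08-06T10:00:00Z" NotOnOrAfter="2025-08-06T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>PasswordVault</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CyberArk-Vault-Admins</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml: str, audience: str, now: datetime, skew_s: int = 120) -> list[str]:
    """Reasons to reject the assertion; [] means its Conditions are satisfied.
    skew_s is the tolerated clock skew: a PVWA clock off by more than this
    against Okta fails an otherwise valid assertion here."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=skew_s)
    problems = []
    if now + skew < saml_time(cond.get("NotBefore")):
        problems.append("NotBefore is still in the future (PVWA clock behind Okta?)")
    if now - skew >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("NotOnOrAfter already passed (PVWA clock ahead of Okta?)")
    # The Audience must be exactly the SP name that Okta was given as Audience URI.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include {audience!r}")
    return problems


def cyberark_groups(xml: str, prefix: str = "CyberArk-") -> list[str]:
    """The Step D filter (memberOf 'Starts with' prefix), applied to the received values."""
    root = ET.fromstring(xml)
    path = 'saml:AttributeStatement/saml:Attribute[@Name="memberOf"]/saml:AttributeValue'
    return [v.text for v in root.findall(path, NS) if v.text.startswith(prefix)]
```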

Reference Screenshots, Step by Step

Onboard the CyberArk application into Okta

Enter the SAML SSO URL:
https://cyberarkpam.corp.com/PasswordVault/api/auth/saml/logon
Audience URI: PasswordVault

1.2. Map the respective PAM user group to the CyberArk application

SAML configuration on the PVWA server (saml.config file)
--
<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <!-- Name must match the Audience URI entered in Okta; the ACS URL is relative to the PVWA site root -->
  <ServiceProvider Name="[Enter Provider Name i.e. PasswordVault]" Description="PasswordVault Service Provider" AssertionConsumerServiceUrl="~/api/auth/saml/logon"/>
  <!-- PVWA's own key pair, needed only for signed requests or encrypted assertions.
       The PFX password is stored in clear text here, so restrict NTFS access to this file -->
  <LocalCertificates>
    <Certificate FileName="C:\Stage\certs\pvwa.pfx" Password="Password@1234"/>
  </LocalCertificates>
  <PartnerIdentityProviders>
    <!-- Name is Okta's Issuer (Entity ID); SingleSignOnServiceUrl is the Okta SSO login URL -->
    <PartnerIdentityProvider Name="[Enter Entity ID]" SingleSignOnServiceUrl="[Enter SSO Login URL]" SignAuthnRequest="false">
      <PartnerCertificates>
        <!-- Okta's X.509 signing certificate as a base64 string -->
        <Certificate String="[Copy and paste the OKTA Cert code]" />
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
--

SAML authentication enabled on the PVWA portal.

Access Restrictions allowlist (AllowedReferrer): load balancers, PVWA component URLs and the Okta SSO URL.
Testing 
https://cyberarkpam.corp.com/PasswordVault/v10/logon/saml

Happy Learning!!
