CyberArk

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. Virtual Appliance uses IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

Configure Connection

To add and configure app properties for the Virtual Appliance connection, do the following:

  1. Create CyberArk App.
  2. Add IdP Template.
  3. Configure Single Sign On.
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add Virtual Appliance Admins.

1. Create CyberArk App

  1. In your preferred browser log in to your CyberArk Admin Portal.
  2. Select Apps & Widgets, then select Web Apps.

    CyberArk menu showing the expanded Apps and Widgets menu and the Web Apps option below.

  3. In the Web Apps page, select Add Web Apps from the top-right corner.
  4. In the Search tab, search for and select the PrinterLogic app.
  5. Select Add.

    CyberArk Search tab with PrinterLogic app result.

  6. In the Add Web App modal, select Yes to add the application.
  7. Select Close on the Add Web Apps window.
  8. Give your app a name and select Save.

CyberArk showing the newly created app's Settings page.

Leave the current browser open to the new app page. To continue the app configuration, you need to open another browser tab and access the Virtual Appliance service provider information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

When configuring this IdP through Virtual Appliance, use the Custom option in the IdP Template drop-down.

  1. In a separate browser tab, open your Virtual Appliance Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. For Provisioning, JIT is assumed for most Virtual Appliance applications. Check the box for JIT provisioning.

    When you consider how to set up your IdP configuration, be aware that SCIM provisioning requires an open connection from the IdP into the Virtual Appliance instance's gateway container. We recommend JIT provisioning when setting up your IdP connection.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or when admin and end users log in through the same IdP.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Configure Single Sign On

  1. In the CyberArk app side menu, select Trust.
  2. In the Identity Provider Configuration section, select the Manual Configuration option.
  3. Copy the CyberArk Sign In URL and paste it into the Virtual Appliance IdP Settings window's SSO URL field.
  4. Copy the CyberArk Issuer URL and paste it into the Virtual Appliance Issuer URL field.
  5. In the Virtual Appliance Issuer URL field, cut the identifier portion (everything after app/) out of the URL you just pasted and paste it into the Virtual Appliance Issuer ID field, so the Issuer URL field keeps only the host portion.

    Example: Issuer URL: https://abc1234.my.idaptive.app/, Issuer ID: a1b2cd34-fb1f-4f71-9248-8675309d/

  6. Return to CyberArk, scroll down to the Service Provider Configuration section, and select Manual Configuration.
  7. Copy the Virtual Appliance Identifier (Entity ID) URL and paste it into the CyberArk SP Entity ID / SP Issuer / Audience field.
  8. Copy the Virtual Appliance Reply URL (ACS) and paste it into the CyberArk Assertion Consumer Service (ACS) URL field.
  9. In the CyberArk Recipient section, check the box for Same as ACS URL.
  10. In the Sign Response or Assertion field, select Assertion.
  11. Copy the Virtual Appliance Relay State URL and paste it into the CyberArk Relay State field.
  12. Select Save in CyberArk.

CyberArk app showing the Trust tab selected and the manual configuration menu expanded to show the different URLs to use.
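After saving the Trust settings, a quick way to confirm that what CyberArk actually sends matches the values you mapped is to capture the SAML Response from a login attempt (a browser SAML tracer extension shows it) and compare its fields against the SP settings. The script below is an added example, not Vasion or CyberArk code; the sample response, Entity ID and ACS URL are constructed placeholders, and the signature check only confirms that the assertion carries a signature, not that the signature verifies.

```python
# Added example (not Vasion or CyberArk code): check a captured SAML Response
# against the Trust fields mapped above. All sample values are constructed.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(xml_text, expected_issuer, entity_id, acs_url):
    """Return the list of mismatches between the assertion and the SP trust
    settings; an empty list means every mapped field lines up."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no <saml:Assertion>"]
    problems = []
    # <saml:Issuer> must equal what CyberArk publishes as its Issuer
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != expected {expected_issuer!r}")
    # SP Entity ID / Audience field <-> <saml:Audience>
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS).strip()
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {entity_id!r}")
    # Recipient 'Same as ACS URL' <-> SubjectConfirmationData/@Recipient
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != ACS URL {acs_url!r}")
    # 'Sign Response or Assertion: Assertion' <-> ds:Signature inside the
    # assertion (presence only; verifying it needs an XML-DSig library)
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed (no ds:Signature in <saml:Assertion>)")
    return problems

# Constructed sample response; the issuer mirrors the page's Issuer example.
ISSUER = "https://abc1234.my.idaptive.app/a1b2cd34-fb1f-4f71-9248-8675309d"
ENTITY_ID = "https://va.example.com/saml/metadata"  # placeholder Entity ID
ACS_URL = "https://va.example.com/saml/acs"         # placeholder Reply URL (ACS)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{ACS_URL}"><saml:Assertion>
 <saml:Issuer>{ISSUER}</saml:Issuer><ds:Signature><ds:SignatureValue/></ds:Signature>
 <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
  Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run `check_saml_response(captured_xml, ISSUER, ENTITY_ID, ACS_URL)` with your own values; each returned string names the Trust field whose value differs from what the IdP sent.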

4. Add the X-509 Certificate

  1. Return to CyberArk Identity Provider Configuration section and expand the Signing Certificate option.
  2. Select Download.
  3. Open the file in your preferred text editor.
  4. Copy the certificate body, including the Begin / End Certificate headers, and paste it into the Virtual Appliance X-509 Certificate field.

    SAML Certificate opened in Notepad, showing the body of the content highlighted, excluding the Begin and End Certificate lines.

  5. Select Apply in Virtual Appliance.
  6. Select Save at the top-right corner of the General page.

IdP Settings template showing the X509 cert and other fields configured.

5. Complete IdP Settings

  1. On the Virtual Appliance General page, navigate back to the Identity Provider Settings section.
  2. To have Virtual Appliance prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. Optionally, select Use Domain User (Windows only) to automatically authorize domain-joined Windows users without requiring them to log in through the configured IdPs.
  5. Select Save in the top-right corner of the General page.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using SCIM or JIT provisioning. Please choose the appropriate option below to view the corresponding steps for the method you are using.

SCIM Provisioning

Enable SCIM Provisioning

  1. Select Provisioning in the left menu of the CyberArk app.
  2. Check the box for Enable provisioning for this application then select Yes to proceed.
  3. Select Live Mode.
  4. In Virtual Appliance, select the IdP and then select Modify.
  5. In the IdP Settings window, copy the SCIM Tenant from the Service Provider Information section, then paste it into CyberArk's SCIM Service URL field.

    The SCIM Tenant URL works as is unless you have customized the name of your Virtual Appliance database. In the URL, 'app_pi' is the default identifier for the Virtual Appliance database, with 'app' being the default database name. If you have changed the database name in your setup, substitute 'app' with the custom name you assigned. For example, if your database name is 'printerlogic', change 'app_pi' to 'printerlogic_pi'.

  6. In the CyberArk Authorization Type section select Authorization Header, and for the header type select Bearer Token.
  7. Close out of the Virtual Appliance IdP Settings window.

CyberArk app's Provisioning tab with the SCIM Service URL field highlighted and filled in near the top middle.

Generate SCIM Token

  1. In the Virtual Appliance General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration in the drop-down menu.
  3. Select Generate SCIM Token.

    SCIM section showing the IdP selected in the drop-down, and the Generate SCIM Token button to the right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Select Proceed.
  5. Copy the token, close the modal, and select Save at the top-right corner of General settings.
  6. Paste the token in CyberArk's Bearer Token field.
  7. Select the Verify button to ensure communication.
  8. In the Sync Options, enable the settings below:
    1. Sync (overwrite) users to target application when existing users are found with the same principal name.
    2. Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
    3. Sync groups from local directory to target application (this option overrides any destination group selection in Role Mappings).
    4. Disable user.
    5. Deprovision (deactivate or delete) users in this application when they are disabled in the source directory.
  9. Select Save in CyberArk.

Add Roles / Users

  1. In the CyberArk admin portal side navigation under Core Services, select Roles.

    Core Services Roles option in side navigation.

  2. Select Add Role.
  3. Name the role Vasion Admin.
    1. (Optional): Add the Description and Organization.
  4. Set the Role Type to Static.
  5. Select Save.
  6. On the left, select Members.
  7. Add any users that will have admin rights in Virtual Appliance to this role.
  8. On the left, select Assigned Applications.
  9. Select Add, and then locate and Add the App you created.
  10. Select Save.

CyberArk showing the Roles window with the Description tab selected and the created role visible.

Map the Role

  1. Navigate back to your CyberArk app and select the Provisioning tab.
  2. Under Role Mappings, select Add.
  3. Use the Role drop-down in the Role Mapping window to select Vasion Admin.
  4. In the Destination Group section, select Add, and select Vasion Admin.
  5. Select Done.
  6. Select Save.

CyberArk window showing the app's Provisioning tab and the roles section.

JIT Provisioning

If you wish to use JIT Provisioning, make sure the JIT option in the IdP Settings modal is checked and do not enable SCIM. Doing so will create duplicate users and impact login and user authentication.

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your Virtual Appliance instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the Virtual Appliance login page.

    This is expected. With JIT, this action triggers the user creation in Virtual Appliance.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

7. Add Virtual Appliance Admins

For steps on assigning users and roles to the Virtual Appliance Admin Console reference Admin Console Users.