CyberArk Remote Access integration (2024)

This topic describes how to integrate your CyberArk Identity tenant with CyberArk Remote Access.

CyberArk Remote Access is a SaaS based service that integrates with Password Vault Web Access (PAM - Self-Hosted) for complete visibility and control of remote privileged activities without the need for VPNs, agents or passwords. Refer to the Remote Access documentation for more detail.

Users with this integration can utilize the single sign-on and adaptive MFA features of CyberArk Identity to remotely access privileged targets protected inside the CyberArk Vault, PVWA, and other elements of PAM - Self-Hosted.


Integrating your tenant with Remote Access produces the following benefits:

  • Users in the System Administrator role can use the portal switcher for single sign-on to the Remote Access portal from the Identity Administration portal and administer Remote Access.

  • Users in the CyberArk Users role can launch their Remote Access PVWA instances from the User Portal from outside the corporate network.

Requirements

Contact your CyberArk account representative to enable this feature after you meet the following requirements.

CyberArk Identity

To integrate CyberArk Identity with Remote Access, you need the following:

  • A user in the System Administrator role for the Identity Administration portal

  • An Active Directory environment with at least one instance of both the CyberArk Identity Connector and Remote Access Connector

Remote Access

Refer to the Remote Access documentation for any additional requirements that are specific to Remote Access.

Changes in your CyberArk Identity tenant

After this feature is enabled, you'll see the following changes in your CyberArk Identity tenant. These changes to the infrastructure are required to support this integration.

The changes, each followed by its description, are:

New SAML web app: CyberArk Remote Access Portal

This SAML web app gives admins access to the Remote Access portal through the portal switcher, and gives users access to their PAM - Self-Hosted resources by adding those resources as linked applications. Linked applications inherit the permissions of the parent application (here, the Remote Access portal). Linked applications representing PAM - Self-Hosted resources are created and deleted automatically as Remote Access applications are updated in Remote Access; no action is required from you.

The CyberArk Remote Access portal application is automatically deployed to the following roles:

  • CyberArk Remote Access Users

  • CyberArk Remote Access Admin Users

New role: CyberArk Remote Access Users

The CyberArk Remote Access Users role allows remote users to single sign-on to Remote Access from the User Portal and securely access PAM - Self-Hosted resources. CyberArk Identity administrators have to add the remote users as members of this role from the Identity Administration portal.

Additionally, you can add Active Directory users (linked to Remote Access using the Remote Access Connector) to this role; once added, those users can single sign-on to the Remote Access portal from CyberArk Identity. These users do not need to be registered in Remote Access first.

New role: CyberArk Remote Access Admin Users

The CyberArk Remote Access Admin Users role is a read-only role that allows administrators to switch between the Identity Administration portal and the Remote Access portal for various administrative functions. Members of this role are managed only in Remote Access and are automatically synchronized to CyberArk Identity.

New user: alero-integration-user@<mysuffix>

The alero-integration-user@<mysuffix> is an OAuth confidential client. The user's credentials are used by Remote Access to call CyberArk APIs.

Do not delete this user. Deleting it will break the Remote Access integration.

Enable the Remote Access integration

  1. In the Identity Administration portal, go to Core Services > Users, then filter with the All Service Users set.

  2. Right-click alero-integration-user@<mySuffix>, then click Set Password.

  3. In the Remote Access admin portal, go to Settings > User management sources, then select Identity SSO.


  4. Configure the following settings, then click Save.

    • CyberArk Identity tenant ID: The ID value found in the username drop-down menu > About.

    • CyberArk Identity username suffix: The login suffix selected for the Remote Access integration service user in the Identity Administration portal.

      Go to Core Services > Users, then search for alero-integration-user and verify the suffix.

      For more information about the login suffix, see Manage login suffixes.

    • CyberArk Identity client secret: The password set for the Remote Access integration service user.

    Enabling the Remote Access integration results in the following changes:

    • Registered Remote Access users who have a linked account in Active Directory are automatically synced to the CyberArk Remote Access Users and CyberArk Remote Access Admin Users roles in the Identity Administration portal, depending on their existing permissions.

      Additionally, unregistered users who have a linked account in Active Directory can be added to the CyberArk Remote Access Users role in the Identity Administration portal and gain access to CorPAS resources available in the User Portal. See Deploy Remote Access to AD users.

      The user must have a valid email address; the email address is one of the properties used to verify Remote Access users in CyberArk Identity.

    • Users in either the CyberArk Remote Access Users or CyberArk Remote Access Admin Users roles are automatically granted access to their Remote Access-protected resources.

      For example:

      Remote Access users will see their PAM - Self-Hosted resources in their User Portal.


      Remote Access admins will be able to switch between the Identity Administration portal and the Remote Access admin portal to administer both environments.


Deploy Remote Access to AD users

Active Directory users, not registered in Remote Access, can be added to the CyberArk Remote Access Users role in the Identity Administration portal and gain access to CorPAS resources available in the User Portal. These users must be linked to Remote Access using the Remote Access Connector in Active Directory. Once added, the users are created in the Remote Access portal.

  1. In the Identity Administration portal, go to Core Services > Roles, then click CyberArk Remote Access Users.

  2. Click Members > Add to add AD users to the role, then click Save when you are finished.

    Users who are members of the CyberArk Remote Access Users role can see their Remote Access apps in the User Portal. For more details on adding users to a Role, see Assign users to roles.
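The following script is an added example, not CyberArk's code, that a practitioner can run offline before saving the Identity SSO settings in step 4 and before adding AD users to the CyberArk Remote Access Users role. It checks that the configured username suffix matches the service user's login, that the tenant ID and client secret are not blank, and, for each AD user, whether the user is linked through the Remote Access Connector and has a valid email address (the property the integration uses to verify users). The user records, the tenant ID value and the assumption that registered admins land only in the Admin Users role are constructed for the example.

```python
"""Pre-flight checks for the Remote Access / CyberArk Identity integration.

Added example; not part of the CyberArk documentation or product. All input
values below are constructed, and the role-mapping rule for registered users
is an assumption drawn from the description of the automatic sync.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICE_USER_PREFIX = "alero-integration-user"
USERS_ROLE = "CyberArk Remote Access Users"
ADMIN_ROLE = "CyberArk Remote Access Admin Users"

# Loose shape check for an email address; a missing or malformed address
# means the user cannot be verified by CyberArk Identity.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class IdentitySsoSettings:
    tenant_id: str         # value shown under username drop-down > About
    username_suffix: str   # login suffix of the integration service user
    client_secret: str     # password set on the integration service user


@dataclass
class AdUser:
    sam_account_name: str
    email: Optional[str]
    linked_to_remote_access: bool    # linked via the Remote Access Connector
    registered_in_remote_access: bool
    remote_access_admin: bool


def check_settings(settings: IdentitySsoSettings, service_user_login: str) -> List[str]:
    """Return the problems found with the Identity SSO settings (empty list = OK)."""
    problems = []
    if not settings.tenant_id.strip():
        problems.append("tenant ID is empty")
    local_part, sep, suffix = service_user_login.partition("@")
    if not sep or local_part != SERVICE_USER_PREFIX:
        problems.append(f"service user login must be {SERVICE_USER_PREFIX}@<suffix>")
    elif suffix.lower() != settings.username_suffix.strip().lower():
        problems.append(
            f"configured suffix {settings.username_suffix!r} does not match "
            f"the service user's suffix {suffix!r}"
        )
    if not settings.client_secret:
        problems.append("client secret is empty (no password set on the service user)")
    return problems


def classify_user(user: AdUser) -> Tuple[List[str], str]:
    """Map an AD user to the Identity role(s) it should end up in, with a reason."""
    if not user.linked_to_remote_access:
        return [], "not linked to Remote Access via the Remote Access Connector"
    if not user.email or not EMAIL_RE.match(user.email):
        return [], "no valid email address"
    if user.registered_in_remote_access:
        # Assumption: registered admins sync to the Admin Users role, other
        # registered users to the Users role.
        return [ADMIN_ROLE if user.remote_access_admin else USERS_ROLE], "synced automatically"
    return [USERS_ROLE], "eligible; add manually to the role"


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    settings = IdentitySsoSettings("ABC1234", "mysuffix.example", "set-in-portal")
    for problem in check_settings(settings, "alero-integration-user@mysuffix.example"):
        print("settings:", problem)
    sample_users = [
        AdUser("jdoe", "jdoe@corp.example", True, False, False),
        AdUser("ops-admin", "ops@corp.example", True, True, True),
        AdUser("no-mail", None, True, False, False),
        AdUser("unlinked", "u@corp.example", False, False, False),
    ]
    for u in sample_users:
        roles, reason = classify_user(u)
        print(f"{u.sam_account_name}: roles={roles} ({reason})")
```

Run it as-is to see the report for the constructed users; to use it against real data, replace the sample list with users exported from your directory and the settings with the values you intend to enter in the Remote Access admin portal.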

Apply an MFA profile to Remote Access app launches

After you enable the Remote Access integration, you can apply an MFA profile to Remote Access app launches for additional security. Use an MFA profile to present additional authentication challenges to Remote Access admin users or users who try to launch either the Remote Access portal or a PAM - Self-Hosted resource.

To apply an MFA profile to Remote Access app launches

  1. In the Identity Administration portal, go to Apps > Web Apps, then open the CyberArk Remote Access Portal application.

  2. Go to the Policy page and configure application challenge rules and a default authentication profile, as needed.

    Refer to Secure apps with MFA for detailed instructions.

Author: Jamar Nader