CyberArk Workforce Identity
Important:
The formerly known Next-Gen Access integration has been renamed CyberArk Workforce Identity.
CyberArk Workforce Identity provides secure access management solutions for enterprises. It includes single sign-on (SSO), multi-factor authentication (MFA), and lifecycle management, ensuring that employees can seamlessly and securely access applications and data. The platform enhances security by reducing the risk of credential-related breaches, while improving user productivity and compliance.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
Stored CyberArk Workforce Identity Information
The following table describes the available integration tasks and stored data within SaaS Management.
|
|
|
|
HR Roster
|
|
|
Application Roster
|
|
|
Application Access
|
|
|
Application Discovery
|
|
•
|
Application Description |
|
|
SSO Application Roster
|
|
|
SSO Application Access
|
|
•
|
Occurred (Application Launch) |
|
•
|
Application Instance ID |
|
Note:The information stored is subject to change as enhancements are made to the SaaS application.
Required Minimum Permissions for CyberArk Workforce Identity
The following minimum permissions are required:
|
•
|
Read-only System Administrator |
|
•
|
Application Management. |
Authentication Method for CyberArk Workforce Identity
OAuth 2.0 With Client Credentials is the required authentication method.
Required Credentials for CyberArk Workforce Identity
The following credentials are required:
Tasks for Integrating CyberArk Workforce Identity with SaaS Management
Perform the following tasks in sequential order to integrate CyberArk Workforce Identity with SaaS Management.
Creating an OAuth Client for CyberArk Workforce Identity
Complete the following steps to create an OAuth client.
To create an OAuth client:
|
1.
|
To import a Web App, sign in to your CyberArk Workforce Identity admin portal. |
|
2.
|
Go to Web Apps and click the Add Web Apps button. The Add Web Apps page opens. |
|
3.
|
Select the Import tab. |
|
5.
|
Click Upload and upload the OauthClientApp.zip folder to add the application. After the application is added, the application’s Overview tab opens. |
Important:Do not change the Application ID.
|
6.
|
To create a client credential user, go to the General Usage tab and click the link to create a user. |
The Login Name and Password given by the user will be the respective Client ID and Client Secret. These two fields are needed as user input. After these values are provided, click the Create User button. An example Client ID is clientID@metasaas.com.
You are now able to see the new user under the All Service Users listing.
|
7.
|
To create a new role, click Roles on the Core Services menu. Then click Add Role. The Add Role page opens. |
|
a.
|
In the Name field, enter the name of the role and click Save. |
|
b.
|
On the Add Role page, click the Members tab. The Add Members page opens. Add the client credential user that was created in step 2 and click Add. |
|
c.
|
On the Add Role page, click the Administrative Rights tab. The Add Rights window opens. Select Read Only System Administration and Application Management. Then click Add. |
|
d.
|
Click Save. The Role has been added to the Web App. |
|
8.
|
Go back to the General Usage tab for the Web App that was imported. |
|
a.
|
Select the Permissions tab. The Select User, Group, or Role page opens. Add the new permission (Role) and (User) that was created in steps 6 and 7 and click Add. |
|
b.
|
Click Save. The deployment is complete. |
Obtaining Your CyberArk Workforce Identity Tenant URL, Client ID, and Client Secret
The following section explains how to obtain CyberArk Workforce Identity information that is needed to integrate with SaaS Management. After you have this information, proceed to Integrating CyberArk Workforce Identity With SaaS Management.
|
•
|
For the Tenant URL, use the URL that you received as the CyberArk Workforce Identity URL in your welcome email. Enter the URL without https://. |
For example, if the Tenant URL is https://abk4810.id.cyberark.cloud, enter only abk4810.id.cyberark.cloud
Note:Do not enable Two-Factor Authentication.
Integrating CyberArk Workforce Identity With SaaS Management
To Integrate CyberArk Workforce Identity with SaaS Management, perform the following steps.
To integrate CyberArk Workforce Identity with SaaS Management:
|
1.
|
In SaaS Management, add the CyberArk Workforce Identity application. For more information, see Adding an Application. |
Tip:After the Application Discovery integration task has been enabled after 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.
CyberArk Workforce Identity API Endpoints
Application Access, Application Discovery, and SSO Application Access
https://<TenantURL>/Redrock/query
Application Roster, HR Roster
https://<TenantURL>/Redrock/query
https://<TenantURL>/UserMgmt/GetUserAttributes
SSO Application Roster
https://<TenantURL>/Redrock/query
https://<TenantURL>/UPRest/GetUPData