Integrating CyberArk Identity for Provisioning
This guide describes how to integrate CyberArk Identity provisioning with the Britive application.
Ensure that you have the following before integrating Britive and CyberArk Identity:
- SCIM 2.0 Base URL
- Bearer token
Configuring an Identity Provider on Britive
An identity provider needs to be created in Britive for SSO.
- Log in to the Britive application with administrator privileges.
- Click on Admin->Identity Management from the navigation menu.
- Click on the Identity Providers tab.
- Click on ADD IDENTITY PROVIDER button.
- Enter Name and Description.
- Select Identity Provider Type as SAML.
- Click Add. A configuration page is displayed.
Configuring Provisioning on Britive
- Click on the Edit icon under SCIM Provider in the SCIM tab.
- Select Generic from the drop-down list for configuring an identity provider.
- Save the changes by clicking the icon next to the selection.
- Copy the SCIM URL and note it down. You enter this URL later on the identity provider portal.
- Click on CREATE TOKEN.
- Enter the validity of the token and create a token. Copy the generated token and note it down, then click OK. The token is not displayed again; you enter it later on the identity provider portal.
- Click on RECREATE TOKEN button to generate a new token, if needed.
- Click on EDIT TOKEN VALIDITY to update validity.
- Map the incoming attributes using the procedure explained in User mapping.
- Add the SCIM token to the tenant policy using the procedure in the Adding SCIM Token to Tenant Policy section. A recreated token must also be added to the tenant SCIM policy, otherwise provisioning requests with the new token are rejected.
Adding SCIM Token to Tenant Policy
- Click on Admin->Role & Policy Management->Policies.
- Search and select TenantSCIMPolicy from the list of policies.
- Click on Manage policy for TenantSCIMPolicy.
- Click Edit.
- Enter the following on the Edit Policy page:
  - Click on Select API Tokens.
  - Select the token created in the earlier section. The name of the token is the same as the name of the identity provider.
  - Click Save.
- Select Enable policy for TenantSCIMPolicy, if not enabled already.
After provisioning, by default, seven attributes from the identity provider are mapped to a Britive user.
You can see the mapped attributes by selecting the Mapped Attributes checkbox in the User Mapping section. Of these attributes, Status, Email, First Name, Last Name, and Username are mandatory. The identity provider must send all of these attributes, or the user is not created in Britive.
Additional attributes of the user from the identity provider can be configured in Britive. Follow these steps to map additional attributes:
- Select Admin->Identity Management from the navigation menu.
- Click on the Identity Attributes tab.
- Create a new attribute by clicking ADD IDENTITY ATTRIBUTE button.
- Enter the following values on the Add Identity Attributes page:
  - Enter the Name and Description of the attribute.
  - Select the type of attribute from the drop-down list.
  - Check Multi valued for attributes that can have multiple values, for example user roles.
- Click ADD IDENTITY ATTRIBUTE. The created attribute is displayed in the list of identity attributes.
- Click the Identity Providers tab.
- Select the identity provider and click on the SCIM tab.
- Uncheck the Mapped Attributes checkbox to see the list of unmapped attributes.
- Click EDIT.
- Map the identity attribute with the incoming SCIM attribute.
- Click SAVE.
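The mandatory and additional attribute mapping described above, illustrated with an added Python example that is not part of the Britive or CyberArk documentation. It takes a SCIM 2.0 User payload, applies a mapping from Britive attribute names to SCIM paths, and reports which mandatory attributes are missing; the SCIM-side attribute names (standard RFC 7643 core attributes) and the multi-valued Roles attribute are assumptions, since the page names only the Britive side.

```python
from __future__ import annotations
import json
from typing import Any

# Attributes Britive requires before it creates the user (from the docs above).
MANDATORY = {"Status", "Email", "First Name", "Last Name", "Username"}

# Assumed mapping of Britive attribute names to SCIM 2.0 core User paths (RFC 7643).
# The docs do not name the SCIM-side attributes; "Roles" is a hypothetical multi-valued one.
ATTRIBUTE_MAP = {
    "Username": "userName",
    "First Name": "name.givenName",
    "Last Name": "name.familyName",
    "Email": "emails[primary].value",   # primary entry of a multi-valued attribute
    "Status": "active",
    "Roles": "roles[]",                 # every entry's "value" sub-attribute
}

def resolve(resource: dict, path: str) -> Any:
    """Walk a dotted SCIM path; supports [primary] and [] multi-valued selectors."""
    current: Any = resource
    for part in path.split("."):
        if not isinstance(current, dict):
            return None
        if part.endswith("[primary]"):
            items = current.get(part[:-9], [])
            primary = [i for i in items if i.get("primary")]
            current = (primary or items or [None])[0]
        elif part.endswith("[]"):
            return [i.get("value") for i in current.get(part[:-2], [])]
        else:
            current = current.get(part)
    return current

def map_user(resource: dict, attribute_map: dict = ATTRIBUTE_MAP) -> tuple[dict, list[str]]:
    """Return (mapped Britive attributes, sorted names of missing mandatory attributes)."""
    mapped = {}
    for britive_name, scim_path in attribute_map.items():
        value = resolve(resource, scim_path)
        if value not in (None, "", []):
            mapped[britive_name] = value
    return mapped, sorted(MANDATORY - mapped.keys())

# Constructed sample payloads, shaped like the SCIM User an IdP would POST to the SCIM URL.
COMPLETE_USER = json.loads('''{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe", "name": {"givenName": "Jane", "familyName": "Doe"},
  "emails": [{"value": "jane.doe@example.com", "primary": true}], "active": true,
  "roles": [{"value": "Developers"}, {"value": "Auditors"}]}''')
INCOMPLETE_USER = json.loads('''{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "bsmith", "name": {"givenName": "Bob"}, "active": true}''')

if __name__ == "__main__":
    for user in (COMPLETE_USER, INCOMPLETE_USER):
        mapped, missing = map_user(user)
        print(user["userName"], "->", mapped, "missing:", missing or "none")
```

Running it shows the second user rejected for lacking Email and Last Name, which is the failure you would otherwise only see as a user silently not appearing in Britive.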
Configuring CyberArk Identity for Provisioning
- Log in to the CyberArk User Portal as a CyberArk Identity administrator.
- Navigate to the Admin Portal.
- Navigate to Apps & Widgets -> Web Apps from the sidebar menu and click the Add Web Apps button.
- Click on the Custom tab and add the SAML web app.
- Enter the following on the Settings page:
  - Add a Name and Description.
  - Uncheck the Show in user app list checkbox in the Advanced section.
- Copy the SCIM URL and token from Britive.
- Enter the following on the Provisioning page:
  - Check Enable Provisioning for this application.
  - Enter the SCIM URL copied from Britive in SCIM Service URL.
  - Select Authentication Type as Authorization Header.
  - Select Header Type as Bearer Token and enter the token in Bearer Token.
  - Click Verify to validate the credentials.
- Under Role Mapping, add the specific roles that should be provisioned as groups.
- Click Save to save the web application.