Saturday, December 9, 2017

Configuring CyberArk Enterprise Password Vault (EPV) SAML authentication using ADFS 2012 R2 with Azure MFA enabled

In this post I am going to document the steps I've gone through to enable SAML authentication for CyberArk Enterprise Password Vault using ADFS 2012 R2 as the Identity Provider (IdP).

Pre-requisites and Environment Summary:

Vault server (vault01) running PVS/EPV version 9.8
Password Vault Web Access server (pvwa01) running PVS/PVWA version 9.8
Privileged Session Manager (PSM) server (psm01) running PVS/PSM version 9.8
Central Policy Manager (CPM) component is installed on pvwa01 server
ADFS is installed on a Windows 2012 R2 server

Keep the Vault "administrator" credential at hand: if your setup goes wrong, you can still log in to PVWA with the "administrator" account to correct it.

Configuration Steps:

Export the ADFS signing certificate from the ADFS server and save it in Base64 format as "ADFS Signing Cert.cer".

Configure PVWA01 as a relying party trust in ADFS:
  • Right click on "Relying Party Trust" on your ADFS and select "Add Relying Party Trust..." and click "Start"
  • Select "Enter data about the relying party manually" and click Next
  • Enter "Password Vault Web Access" as the Display name.  It can be anything. Click Next
  • Select "AD FS profile" as highlighted and click Next
  • Click Next
  • Select the "Enable support for SAML 2.0 WebSSO protocol" option and enter your PVWA SAML URL in the "Relying party SAML 2.0 SSO service URL" field.  If you access your PVWA using https://pvwa01.company.com/PasswordVault/, then the SAML 2.0 SSO service URL should be https://pvwa01.company.com/PasswordVault/auth/saml/.  Click Next when you are ready.
  • Enter "PasswordVault" as your Relying party trust identifier.  This must match the identifier we will later enter into the web.config on the PVWA server.
  • Select "Permit all users to access the relying party" and click Next
  • Next we will need to create an Issuance Transform rule to send the sAMAccountName attribute as the Name ID to PVWA
  • Now we need to add the "ADFS Signing Cert.cer" that we exported in the previous step to the Relying Party Trust that we've just created.
  • Go back to the relying party trust that we've just created.  Right click, select "Properties" and go to the "Signature" tab.  Click "Add", navigate to the location of "ADFS Signing Cert.cer", select it and click OK.  The result should look similar to the screenshot below:
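The same ADFS-side steps (signing certificate export and relying party trust creation) as a PowerShell script, added here as an example and not part of the original post. It assumes the pvwa01.company.com hostname, the "PasswordVault" identifier and the sAMAccountName Name ID rule used above, a C:\Temp export path, and an elevated PowerShell session on the ADFS 2012 R2 server.

```powershell
# Added example (not from the original post): scripted version of the ADFS steps above.
# Assumptions: pvwa01.company.com, identifier "PasswordVault", export path C:\Temp.
Import-Module ADFS

$pvwaSamlUrl = 'https://pvwa01.company.com/PasswordVault/auth/saml/'
$identifier  = 'PasswordVault'            # must equal the "Issuer" key in the PVWA web.config
$certPath    = 'C:\Temp\ADFS Signing Cert.cer'

# Step 1: export the primary token-signing certificate as a Base64 (.cer) file.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path $certPath -Encoding ASCII -Value @('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Assertion consumer endpoint ("Enable support for SAML 2.0 WebSSO protocol").
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $pvwaSamlUrl -Index 0

# Issuance transform rule: send the AD sAMAccountName as the SAML Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "sAMAccountName as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access the relying party".
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# The certificate the post adds on the "Signature" tab of the trust.
$sigCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath

Add-AdfsRelyingPartyTrust -Name 'Password Vault Web Access' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -RequestSigningCertificate $sigCert

# Verify the trust before testing the login from PVWA.
Get-AdfsRelyingPartyTrust -Name 'Password Vault Web Access' |
    Select-Object Name, Identifier, Enabled, SamlEndpoints
```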


Next we need to log in to PVWA as administrator and enable SAML authentication.  You must enable it here first, before you change the web.config on the PVWA server.
  • Login to PVWA as an administrator.  Click on "ADMINISTRATION" and then "Options".
  • Expand "Authentication Methods" menu and select "saml"
  • Change "Enabled" to "Yes" and change the "Logout" to your ADFS logout URL.  It should be something like this: https://sts.company.com/adfs/ls/?wa=wsignout1.0
  • Click "Apply"
  • Click "OK"
Next we will change the web.config on the IIS of PVWA to enable SAML authentication.
  • Login to the PVWA server, browse to c:\inetpub\wwwroot\PasswordVault and open the web.config file in Notepad
  • Scroll down to the bottom of the file, locate the <appSettings> (highlighted) section and add these 3 lines at the end of the <appSettings> section:
    <add key="IdentityProviderLoginURL" value="https://sts.company.com/adfs/ls/IdpInitiatedSignon.aspx" />
    <add key="IdentityProviderCertificate" value="PASTE-ADFS-SIGNING-CERT-BASE64-HERE" />
    <add key="Issuer" value="PasswordVault" />
    For IdentityProviderCertificate, replace the placeholder: open "ADFS Signing Cert.cer" in Notepad and paste its content as the value.  Make sure it is on 1 line and not multiple lines.
    The Issuer value must match the Identifier we used when configuring the relying party trust in ADFS.

Make sure all the quote characters (") are plain straight quotes and identical.  You will run into an IIS error if they are not, for example when curly quotes are pasted in from a document.

  • Run "iisreset"
  • You now can login to PVWA using SAML authentication by accessing this URL:  https://pvwa01.company.com/PasswordVault/auth/saml
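The same web.config change done through the XML API instead of Notepad, which avoids the mismatched-quote and multi-line certificate problems. This is an added example, not part of the original post; it assumes the paths and hostnames shown above and is run in an elevated PowerShell on the PVWA server after "saml" has been enabled under Administration > Options.

```powershell
# Added example (not from the original post): sets the three <appSettings> keys in the
# PVWA web.config via the XML API. Assumptions: the paths and hostnames below.
$webConfig = 'C:\inetpub\wwwroot\PasswordVault\web.config'
$cerPath   = 'C:\Temp\ADFS Signing Cert.cer'   # Base64 export of the ADFS signing certificate
$settings  = @{
    IdentityProviderLoginURL = 'https://sts.company.com/adfs/ls/IdpInitiatedSignon.aspx'
    Issuer                   = 'PasswordVault'   # must match the ADFS relying party identifier
}

# Collapse the Base64 .cer to a single line: drop the BEGIN/END markers and line breaks.
$certLines = Get-Content -Path $cerPath | Where-Object { $_ -notmatch '^-----' }
$settings['IdentityProviderCertificate'] = ($certLines -join '').Trim()

# Sanity check: the one-line value must still decode to an X.509 certificate.
$certBytes = [Convert]::FromBase64String($settings['IdentityProviderCertificate'])
$null = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$certBytes)

# Keep a timestamped backup so the change can be reverted if the login breaks.
Copy-Item -Path $webConfig -Destination "$webConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$xml = Get-Content -Path $webConfig -Raw
$appSettings = $xml.configuration.appSettings
foreach ($key in $settings.Keys) {
    # Update the key if it already exists, otherwise append a new <add/> element.
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if (-not $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $key)
        $null = $appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $settings[$key])
}
$xml.Save($webConfig)   # writes straight ASCII quotes, so no curly-quote IIS errors

# Show what was written (certificate value truncated), then restart IIS.
$appSettings.add | Where-Object { $settings.ContainsKey($_.key) } | ForEach-Object {
    '{0} = {1}' -f $_.key, $_.value.Substring(0, [Math]::Min(60, $_.value.Length))
}
iisreset
```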
My ADFS has been configured to use Azure MFA for multi-factor authentication.  So when I log in using SAML, my request is redirected to my ADFS for authentication, and MFA is triggered there.  Once authenticated, it redirects me back to PVWA.

I hope this helps you with your configuration.  Please feel free to reach out to me if you have any additional questions.

Next post, I will document the steps for configuring RADIUS authentication for CyberArk EPV using Windows Network Policy Server (NPS, the RADIUS server) integrated with Azure MFA for multi-factor authentication.

14 comments:

  1. How do you do selective MFA? For instance, you want some CyberArk users to use MFA, but not others?
    Thanks for taking the time to write this up.

    Replies
    1. Add them in different groups with each group having different permissions..sime
  2. Does it work with the VPN as well?

    Replies
    1. It does, check for bestvpnrating.cоm

    2. How will the vault understand which user is logging in, because the authentication is done at the federation level and not at the vault level? Could you please explain this.
  3. Did you happen to finish the blog post you mentioned you'd write? We're looking to use CyberArk with NPS + Azure Extension. Thanks!

  4. Any update on your blog for CyberArk with NPS + Azure MFA?

    Thanks

  5. How will the vault understand the authentication, because the authentication is done at the ADFS level and not at the vault level?
  6. Hi,
    Where can I find this post, please?

    --------------------------------------------------
    Next post, I will document the steps for configuring Radius authentication for CyberArk EPV using Windows Network Policy Server NPS (radius server) integrated with Azure MFA for multi-factor authentication.
  7. Hi,
    Do we need to set up a group in Azure and perform directory mapping to identify users by vault?
    We have LDAP authentication currently and for testing added SAML. Referring to ITALOG, I could see directory mapping missing for the user.

    Any suggestions?