CyberArk Identity Usages and Configuration (MFA,SSO,etc)

CyberArk Identity makes it very easy to map AD Security Groups to Roles to integrate SSO, Multi-Factor Authentication (MFA), and endpoint security policies. This feature allows AD data to be managed in the cloud without duplication.

Diagram

High Level Steps to Secure Enterprise Identity, not just Manage them:

Enforce Best Practice
Utilize Enterprise-Grade Password Mgmt
Monitor Suspicious user activity across all applications
Automate secure Identity Lifecycle mgmt
Secure Endpoint Identity Access
Identify and review user identity sprawl and access controls across whole IT envirtonment

Workforce Identity Free Trial account

Start with a new free trial tenant from CyberArk Identity. Navigate to

https://www.cyberark.com/try-buy/workforce-identity-trial/.

The tenant ID (customer ID) appears in the initial tenant URL : https://[TenantID].id.cyberark.cloud.

Customize your own Tenant URL:

Identity Admin portal - Settings - Customization - Tenant URLs - Add Tenant URL

https://51sec.id.cyberark.cloud
https://travelcom4021.id.cyberark.cloud/
https://abb4021.id.cyberark.cloud/

User: cloudadmin@travel_abb4021

Identity Setup

Portal: https://travelcom4021.id.cyberark.cloud/

1. Change suffix

The login suffix is the name that appears after the @symbol, which can provide a smoother login experience to the end user by matching the company domain

once you changed it, your login account will need to add this suffix to login

cloudadmin -> cloudadmin@travel_ab40021

You also can change your tenant url to a different one than from your tenant id.

Here is an example I added 51sec as suffix, which has to be unique across all cyberark cloud. The change will take a couple of hours to be synced in all backend system in the CyberArk cloud.

Change user's suffix. And Save. Now you can log in with admin@51sec this account into your Identity Cloud.

2. Create / update Installeruser

The InstallerUser service account is a built-in account that exists in the Identity Security Platform Shared Services (ISPSS) tenant. This account is not built-in with the Free Trial tenant. Back-end changes with the ISPSS tenant require the use of the built-in InstallerUser account.

Add the InstallerUser account to the System Administrator role.

Install Identity Connector

Make sure you have reset the [email protected] account's password. It will be used later for installation.

Do not use admin account, just use installeruser account

Leave the Activate Idaptive pages settings as default and click Next

Check the box next to travelcom.local to give the CyberArk Identity Connector read

permissions to the deleted objects folder in Active Directory

. The configuration wizard will perform a connections test. Wait until you see 4 Successes.

Explore the CyberArk Identity Connector utility application.

Create / Modify user

1. Manually Create one user

- Choose suffix

- manually set password / auto -generate

- send invite or not

2. Using Bulk User Import

- template download

3. Check User's Policy Summary

Identity Roles (Similar as Group)

NOTE: Only Global Administrators can create and manage policies in CyberArk Identity.

Identity roles is similar as AD's security group.

View the CyberArk Identity Default roles.

Explore the relationship between roles and policies.

Create an Identity and Access Management (IAM) Admin role.

Create roles to map to an AD securitygroups.

Create an Identity Cloud Directory role for contractors.

CyberArk Identity uses Organizations to delegate user administrative tasks to certain individuals. Delegated Administrators can create and manage users, roles, and web apps.

NOTE: Only Global Administrators can create and manage policies in CyberArk Identity.

Users and Delegated Administrators can only exist in one Organization at a time.

Individual Users can also be added to Organizations. This can be a manual update or a bulk user update.

Adding an Individual User

Inside the Organization, users can be added from the Members option. This process is similar to any other process where you add users and roles.

Delegating Web App Management

Delegated admins can manage web apps that are assigned to their organization only. This reduces the amount of management required by the global admin and allows the delegated admin to grant and manage these web apps for their organization.

Assign and Deploy Web Apps for Delegated Admins

1 Add the web app, choosing which Organization to associate. This will create multiple instances of a web app. Use the Organization column to identify which web app to open.

2 Assign the Grant, View, Manage permissions to the web app to the delegated admin. This can be an individual or a group.

3 Verify the web app is set to Deployed.

Added Security - Step Up Authentication

As an added level of security, step-up authentication can be added to the Admin Portal. This could be used to force Delegated Administrators to provide additional verification before getting to the Admin Portal.

Scenario : create a Contractors role

Before TravelCom efficiently provision and deprovision Single Sign-On (SSO) apps, policies, and other settings to users throughout the company and around the world, they need to setup roles.

TravelCom wants you to provision certain applications and policies for your contractors that are cloud users. You will need to create a Contractors role in the CyberArk Identity Directory.

Additionally, TravelCom wants to have an IAM administrator with granular level Identity administrative permissions to provision applications to a large sets of users

Objectives:

View the CyberArk Identity Default roles.
Explore the relationship between roles and policies.
Create an Identity and Access Management (IAM) Admin role.
Create roles to map to an AD security groups.
Create an Identity Cloud Directory role for contractors.

Identity makes it very easy to map AD Security Groups to Roles to integrate SSO, Multi-Factor Authentication (MFA), and endpoint security policies. This feature allows AD data to be managed in the cloud without duplication.

BEST PRACTICE:

Create and use roles to provision policies and applications using Roles Based Access Controls (RBAC).
When you are ready to assign tenant admin rights, create a role specifically for thatpurpose. It is NOT recommended to ever create admin rights for the Everybody role.

Add Azure Active Directory as a directory service

This section describes how to add Azure Active Directory (AAD) as a directory service in CyberArk Identity.

Note: https://docs.cyberark.com/Idaptive/Latest/en/Content/CoreServices/UsersRoles/Add-AzureAD.htm

From Identity Administration, choose settings -> Users -> Directory Services -> Add Azure Active Directory

You can find out Directory ID (Tenant ID) , Client ID and Client Secret from Azure AD App registrations portal:

API permissions:

Enable MFA for Users

To configure MFA for all users

Step 1: Add a new policy set

Log in to the Identity Administration portal.
Go to Core Services > Policies and click Add Policy Set to create a new one.
Name the policy set and select All users and devices.

Step 2: Enable authentication policy controls

Go to Authentication Policies > CyberArk Identity.
Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.
Enter a unique name for each profile.
Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

Configure MFA for service users

Enforce MFA for users accessing specific services by applying the policy set to users in a service-specific Role.

Step 1: Add a new policy set

Log in to the Identity Administration portal.
Go to Core Services > Policies and click Add Policy Set to create a new one.
Name the policy set and select Specified Roles.
Add the service-specific Roles to the list of Specified Roles.

Step 2: Enable authentication policy controls

Go to Authentication Policies > CyberArk Identity.
Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.
Enter a unique name for each profile.
Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.

Remove MFA for Users

CyberArk Identity: How to setup service users without MFA

Identity Security Platform Shared Services Policies

A policy is a group of instructions that control how the CyberArk Identity services operate. It will

Allow users to add apps
Define authentication rules
Control user permissions
Allow endpoint access
Integrate third-party apps

It can be applied to end users, devices or by role.

Policy apply from top down so a policy lower on the table will be overridden by policies above when the same settings applies to the same user or role.

If a user is a member of multiple roles, whichever policy is closest to the top of the policies table is the one that foverns any overlapping settings.

Setting Up Azure AD SSO For Identity

1. Confirm your primary domain from your AAD, Extra ID page

2. Create a new Enterprise application (Non-gallery)

Name example: CyberArk Identity Integration
Set up single sign on from the overview page of CyberArk Identity Integration app
Select a single sign-on, SAML

3. From Identity - Settings - Users - External Identity Providers

4. Inbound Metadata section

Enter App Federation Metadata Url from Entra ID SAML-based Sign-on page

something similar as : https://login.microsoftonline.com/b7d75-07f-4323b1-34bb-c99221d23/federationmetadata/2007-06/federationmetadata.xml?appid=4bead5-ed-4a23a1-9034e7-e4725126c

5. Outbound Metadata

Download Metadata from CyberArk Identity then upload to Entra ID's CyberArk Identity Integration app