CyberArk Identity Usages and Configuration (MFA,SSO,etc) - NETSEC


Tuesday, October 3, 2023


CyberArk Identity makes it very easy to map AD Security Groups to Roles to integrate SSO, Multi-Factor Authentication (MFA), and endpoint security policies. This feature allows AD data to be managed in the cloud without duplication.


Diagram



High-level steps to secure enterprise identities, not just manage them:
  1. Enforce best practices
  2. Use enterprise-grade password management
  3. Monitor suspicious user activity across all applications
  4. Automate secure identity lifecycle management
  5. Secure endpoint identity access
  6. Identify and review user identity sprawl and access controls across the whole IT environment



Workforce Identity Free Trial account


Start with a new free trial tenant from CyberArk Identity. Navigate to
https://www.cyberark.com/try-buy/workforce-identity-trial/. 

The tenant ID (customer ID) appears in the initial tenant URL: https://[TenantID].id.cyberark.cloud.

Customize your own Tenant URL:

Identity Admin portal - Settings - Customization - Tenant URLs - Add Tenant URL
  • https://51sec.id.cyberark.cloud
  • https://travelcom4021.id.cyberark.cloud/
  • https://abb4021.id.cyberark.cloud/


User: cloudadmin@travel_abb4021

Identity Setup


Portal: https://travelcom4021.id.cyberark.cloud/

1. Change the login suffix

The login suffix is the name that appears after the @ symbol. Matching it to the company domain gives end users a smoother login experience. Once you change it, your account must include the new suffix at login:
cloudadmin -> cloudadmin@travel_ab40021

You can also change your tenant URL to one that differs from your tenant ID.


In this example the suffix 51sec was added; a suffix has to be unique across the whole CyberArk cloud. The change takes a couple of hours to sync to all backend systems in the CyberArk cloud.


Change the user's suffix and save. You can now log in to your Identity tenant with the account admin@51sec.



2. Create / update InstallerUser

The InstallerUser service account is a built-in account that exists in the Identity Security Platform Shared Services (ISPSS) tenant. It is not built in to the Free Trial tenant. Back-end changes to the ISPSS tenant require the built-in InstallerUser account.
Add the InstallerUser account to the System Administrator role.




Install Identity Connector

Make sure you have reset the password of the [email protected] account. It will be used later for the installation.


Ports: 
https://docs.cyberark.com/identity/Latest/en/Content/CoreServices/Connector/Add-AD.htm


Register the CyberArk Identity Connector to the Identity tenant.



Do not use the admin account; use the InstallerUser account.



Leave the Activate Idaptive pages settings at their defaults and click Next.

Check the box next to travelcom.local to give the CyberArk Identity Connector read permissions to the Deleted Objects container in Active Directory. The configuration wizard then performs a connection test. Wait until you see 4 Successes.




Explore the CyberArk Identity Connector utility application.



Create / Modify user

1. Manually create one user
- Choose the suffix
- Set the password manually or auto-generate it
- Send an invite or not

2. Bulk user import

- Download the template, fill it in and upload it

3. Check the user's Policy Summary



Identity Roles (similar to groups)

NOTE: Only Global Administrators can create and manage policies in CyberArk Identity.

Identity roles are similar to AD security groups.

View the CyberArk Identity Default roles.



Explore the relationship between roles and policies.


Create an Identity and Access Management (IAM) Admin role.



Create roles that map to AD security groups.


Create an Identity Cloud Directory role for contractors.

CyberArk Identity uses Organizations to delegate user administrative tasks to certain individuals. Delegated Administrators can create and manage users, roles, and web apps.


Users and Delegated Administrators can only exist in one Organization at a time.


Individual Users can also be added to Organizations. This can be a manual update or a bulk user update.

Adding an Individual User

Inside the Organization, users can be added from the Members option. This process is similar to any other process where you add users and roles.


Delegating Web App Management

Delegated admins can manage web apps that are assigned to their organization only. This reduces the amount of management required by the global admin and allows the delegated admin to grant and manage these web apps for their organization.


Assign and Deploy Web Apps for Delegated Admins


1. Add the web app, choosing which Organization to associate it with. This creates multiple instances of the web app; use the Organization column to identify which one to open.


2. Assign the Grant, View and Manage permissions on the web app to the delegated admin. This can be an individual or a group.


3. Verify that the web app is set to Deployed.


Added Security - Step Up Authentication

As an added level of security, step-up authentication can be added to the Admin Portal. This could be used to force Delegated Administrators to provide additional verification before getting to the Admin Portal.


Scenario : create a Contractors role


Before TravelCom can efficiently provision and deprovision Single Sign-On (SSO) apps, policies, and other settings to users throughout the company and around the world, they need to set up roles.
TravelCom wants you to provision certain applications and policies for contractors that are cloud users. You will need to create a Contractors role in the CyberArk Identity Directory.
Additionally, TravelCom wants an IAM administrator with granular Identity administrative permissions to provision applications to large sets of users.


Objectives: 

  • View the CyberArk Identity Default roles.
  • Explore the relationship between roles and policies.
  • Create an Identity and Access Management (IAM) Admin role.
  • Create roles to map to AD security groups.
  • Create an Identity Cloud Directory role for contractors.


Identity makes it very easy to map AD Security Groups to Roles to integrate SSO, Multi-Factor Authentication (MFA), and endpoint security policies. This feature allows AD data to be managed in the cloud without duplication.

BEST PRACTICE: 

  • Create and use roles to provision policies and applications using Roles Based Access Controls (RBAC).
  • When you are ready to assign tenant admin rights, create a role specifically for that purpose. It is NOT recommended to ever grant admin rights to the Everybody role.



Add Azure Active Directory as a directory service

This section describes how to add Azure Active Directory (AAD) as a directory service in CyberArk Identity.

Note: https://docs.cyberark.com/Idaptive/Latest/en/Content/CoreServices/UsersRoles/Add-AzureAD.htm


From Identity Administration, choose Settings -> Users -> Directory Services -> Add Azure Active Directory.



You can find the Directory ID (Tenant ID), Client ID and Client Secret in the Azure AD App registrations portal:


API permissions:


Enable MFA for Users



To configure MFA for all users

Step 1: Add a new policy set

  1. Log in to the Identity Administration portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select All users and devices.

Step 2: Enable authentication policy controls

  1. Go to Authentication Policies > CyberArk Identity.

  2. Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Enter a unique name for each profile.
  3. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.




Configure MFA for service users

Enforce MFA for users accessing specific services by applying the policy set to users in a service-specific Role.

Step 1: Add a new policy set

  1. Log in to the Identity Administration portal.

  2. Go to Core Services > Policies and click Add Policy Set to create a new one.

  3. Name the policy set and select Specified Roles.

  4. Add the service-specific Roles to the list of Specified Roles.

Step 2: Enable authentication policy controls

  1. Go to Authentication Policies > CyberArk Identity.

  2. Select Yes in the Enable authentication policy controls drop-down.

Step 3: Create an authentication profile

  1. In the Authentication Rules area, select Add New Profile from the Default Profile drop-down list.

  2. Enter a unique name for each profile.
  3. Select the authentication mechanism(s) from either Multiple Authentication Mechanisms or Single Authentication Mechanism.





Identity Security Platform Shared Services Policies

A policy is a group of instructions that control how the CyberArk Identity services operate. A policy can
  • Allow users to add apps
  • Define authentication rules
  • Control user permissions
  • Allow endpoint access
  • Integrate third-party apps
It can be applied to end users, to devices, or by role.

Policies apply from the top down, so a policy lower in the table is overridden by policies above it when the same setting applies to the same user or role.

If a user is a member of multiple roles, the policy closest to the top of the policies table is the one that governs any overlapping settings.
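The following is an added example, not CyberArk's own code, that models the top-down ordering rule just described and the two policy-set scopes used in the MFA procedures above ("All users and devices" versus "Specified Roles"). Given a policy table in portal order and a user's role memberships, it reports which policy set governs each setting. The policy set names, roles and settings are constructed for illustration.

```python
"""Policy-table resolution for a CyberArk Identity user (added example).

This is not CyberArk's own code. It models the ordering rule stated in the
post: policy sets apply top-down, and for every setting the highest
matching policy set in the table wins. Policy set names, roles and
settings are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass
class PolicySet:
    name: str
    # None models "All users and devices"; a set models "Specified Roles".
    roles: Optional[FrozenSet[str]]
    settings: Dict[str, object] = field(default_factory=dict)

    def applies_to(self, user_roles: FrozenSet[str]) -> bool:
        return self.roles is None or bool(self.roles & user_roles)


def effective_settings(policy_table, user_roles):
    """Return {setting: (value, governing policy set name)} for the user.

    The table is walked top-down; a setting is fixed by the first applicable
    policy set that defines it and is never overwritten by a lower one.
    """
    user_roles = frozenset(user_roles)
    resolved = {}
    for policy in policy_table:
        if not policy.applies_to(user_roles):
            continue
        for key, value in policy.settings.items():
            resolved.setdefault(key, (value, policy.name))
    return resolved


def governing_policy(policy_table, user_roles, setting):
    """Name of the policy set that decides one setting, or None if unset."""
    hit = effective_settings(policy_table, user_roles).get(setting)
    return hit[1] if hit else None


# Constructed table, listed in the order it would appear in the portal.
# The two role-scoped sets sit above the catch-all default, which is what
# the "Configure MFA for service users" procedure relies on.
POLICY_TABLE = [
    PolicySet("VPN Service Users", frozenset({"VPN Users"}),
              {"auth_profile": "Password + OTP", "session_timeout_min": 30}),
    PolicySet("Contractors", frozenset({"Contractors"}),
              {"auth_profile": "Password + Push", "allow_add_apps": False}),
    PolicySet("Default Policy", None,
              {"auth_profile": "Password only", "allow_add_apps": True,
               "session_timeout_min": 480}),
]

if __name__ == "__main__":
    for roles in ({"Contractors", "VPN Users"}, {"Contractors"}, set()):
        print(sorted(roles) or "(no roles)")
        for key, (value, source) in sorted(effective_settings(POLICY_TABLE, roles).items()):
            print(f"  {key:20} = {value!r:20} from {source}")
```

A user who is in both Contractors and VPN Users gets the VPN set's authentication profile and timeout, because that set is higher in the table, while allow_add_apps still comes from the Contractors set because the VPN set does not define it. The practical check this enables: when you add a new role-scoped MFA policy set, confirm it lands above the default set, otherwise the default decides the authentication profile and the MFA requirement never takes effect.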



Setting Up Azure AD SSO For Identity

1. Confirm your primary domain on the Azure AD (Entra ID) page.

2. Create a new Enterprise application (Non-gallery).
  • Name example: CyberArk Identity Integration
  • Set up single sign-on from the overview page of the CyberArk Identity Integration app
  • Select the single sign-on method: SAML

3. In Identity, go to Settings - Users - External Identity Providers.

4. Inbound Metadata section


Enter the App Federation Metadata Url from the Entra ID SAML-based Sign-on page. It looks similar to:
https://login.microsoftonline.com/b7d75-07f-4323b1-34bb-c99221d23/federationmetadata/2007-06/federationmetadata.xml?appid=4bead5-ed-4a23a1-9034e7-e4725126c

5. Outbound Metadata
Download the metadata from CyberArk Identity, then upload it to the CyberArk Identity Integration app in Entra ID.

6. After you click Save, the Basic SAML Configuration is populated with the right information:

7. Add user principal name as a new attribute & claim.

8. Assign users or groups to the CyberArk Identity Integration app.

9. Add a routing rule for the external identity provider.


