CYBERARK UNIVERSITY
AUTHENTICATION METHODS
CyberArk Training
OBJECTIVES
By the end of this session you will be able to:
• Describe the various authentication methods supported by CyberArk
• Describe how to configure and combine two different authentication methods to achieve two-factor authentication.
SUPPORTED AUTHENTICATION METHODS
SUPPORTED AUTHENTICATION METHODS
• CyberArk supports the following authentication methods:
• CyberArk Password
• LDAP Authentication
• RADIUS including Challenge-Response
• Windows Authentication
• PKI
• RSA SecurID
• OracleSSO
• SAML
• Google Authentication
• Amazon Cognito
• Not all authentication methods are supported on all user interfaces.
• Some authentication methods may require installing a third-party agent on the PVWA or the Vault server.
PVWA AUTHENTICATION
AUTHENTICATION CATEGORIES
Authentication via PVWA can be divided into 3 categories:
• CyberArk Authentication: The PVWA sends the details to the Vault, which performs the authentication.
• Vault Integrated External Authentication: The PVWA sends the credentials to the Vault, which in turn forwards the request to the external authentication servers.
• IIS Integrated External Authentication: The PVWA sends the credentials to the server's IIS service. IIS forwards the request to the external authenticating server and confirms authentication to the PVWA web application, which in turn confirms authentication to the Vault.
CYBERARK AUTHENTICATION FLOW
(Diagram: End User Browser → PVWA App on the PVWA IIS Server → Vault; steps 1 to 4 below)
1. User chooses the CyberArk authentication type in the PVWA
2. User sends authentication details: Username and Password
3. The PVWA forwards the authentication request to the Vault
4. The Vault performs the actual authentication by validating the credentials and grants the user access to the system
VAULT INTEGRATED AUTHENTICATION FLOW
(Diagram: End User Browser → PVWA App on the PVWA IIS Server → Vault → External Authentication Server; steps 1 to 6 below)
1. User chooses the relevant authentication method in the PVWA
2. User sends authentication details: Username and Password/Token
3. The PVWA forwards the authentication request to the Vault
4. The Vault forwards the authentication request to the external trusted authority, such as a Domain Controller for LDAP, or a RADIUS server
5. The external authenticating server validates the request and authenticates the user
6. The Vault grants the user access to the system
IIS INTEGRATED AUTHENTICATION FLOW
(Diagram: End User Browser → PVWA App → PVWA IIS Server → External Authentication Server, then PVWA → Vault; steps 1 to 7 below)
1. User chooses the relevant authentication method in the PVWA
2. User sends authentication details: Username and Password/Token/Certificate
3. The PVWA Application sends the authentication type and credentials to the IIS service
4. IIS forwards the authentication request to the external trusted authority
5. The external authenticating server validates the request and authenticates the user
6. The PVWA confirms the user's identity to the Vault
7. The Vault grants the user access to the system
CYBERARK AUTHENTICATION
CYBERARK AUTHENTICATION
• The Vault uses a shared secret (password)
• When a user logs on to the Vault, the client sends a logon request
• The Vault and the client use a two-way challenge-response protocol: each side proves knowledge of the shared secret to the other
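As an added illustration of the two-way challenge-response idea on this slide (example code written for this page, not CyberArk's proprietary Vault protocol; the class names, HMAC-SHA256 proofs, nonce sizes and message layout are assumptions), the following shows a client and a Vault each proving knowledge of a shared secret without ever sending it, with a fresh server nonce per attempt so a captured proof cannot be replayed:

```python
"""Mutual (two-way) challenge-response logon over a shared secret.
Generic construction added for this page; not CyberArk's protocol.
Message layout, role tags and HMAC-SHA256 are assumptions of the example."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def prove(secret: bytes, challenge: bytes, nonce: bytes, role: bytes) -> bytes:
    # The role tag binds a proof to its direction, so a response reflected
    # back by an attacker cannot be passed off as the other party's proof.
    return hmac.new(secret, role + challenge + nonce, hashlib.sha256).digest()


class Vault:
    """Server side: knows each user's shared secret and outstanding challenges."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users                       # username -> shared secret (constructed)
        self.pending: Dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)                   # fresh per logon attempt: defeats replay
        self.pending[user] = nonce
        return nonce

    def verify_client(self, user: str, client_nonce: bytes, proof: bytes) -> Optional[bytes]:
        """Check the client's proof; on success return the Vault's own proof."""
        vault_nonce = self.pending.pop(user, None)   # single use
        secret = self.users.get(user)
        if vault_nonce is None or secret is None:
            return None
        expected = prove(secret, vault_nonce, client_nonce, b"client")
        if not hmac.compare_digest(expected, proof):
            return None
        return prove(secret, client_nonce, vault_nonce, b"vault")


class Client:
    def __init__(self, user: str, secret: bytes) -> None:
        self.user, self.secret = user, secret

    def logon(self, vault: Vault) -> bool:
        vault_nonce = vault.challenge(self.user)
        client_nonce = os.urandom(16)
        proof = prove(self.secret, vault_nonce, client_nonce, b"client")
        vault_proof = vault.verify_client(self.user, client_nonce, proof)
        if vault_proof is None:
            return False                         # the Vault rejected our proof
        # Second direction: the Vault must prove it also knows the secret, so a
        # rogue server cannot "accept" a logon and harvest the session.
        expected = prove(self.secret, client_nonce, vault_nonce, b"vault")
        return hmac.compare_digest(expected, vault_proof)


if __name__ == "__main__":
    vault = Vault({"auditor": b"correct horse battery staple"})   # constructed data
    print(Client("auditor", b"correct horse battery staple").logon(vault))
    print(Client("auditor", b"wrong").logon(vault))
```

The second leg is what makes the exchange two-way: a client that only answered the server's challenge would happily log on to an impostor Vault, whereas here it refuses unless the server's proof also verifies.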
CYBERARK AUTHENTICATION
• The CyberArk internal Password Policy is configured in the passparm.ini file
• passparm.ini is stored locally on the Vault server and uploaded to the System safe automatically
CYBERARK AUTHENTICATION
• Select the authentication method for the internal user and set the password
• Authentication method "Password" means CyberArk authentication
CYBERARK AUTHENTICATION
• Enable "CyberArk" authentication in the PVWA as shown
• If this option is not enabled, a user can still authenticate to the Vault via the PrivateArk Client using CyberArk Authentication
LDAP AUTHENTICATION
LDAP AUTHENTICATION
• The Vault transparently supports User Accounts and Groups of users whose details are stored externally in LDAP-compliant or LDAP-compatible directories.
• Users whose details are stored in an LDAP-compliant directory can authenticate to the Vault directly from the PrivateArk Client or the PVWA.
CONFIGURATION
1. Integrate the Vault with the LDAP server using the PVWA
2. Set the user's Authentication Method as LDAP
3. Enable "LDAP" Authentication in the PVWA
RADIUS AUTHENTICATION
RADIUS AUTHENTICATION
• Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA).
• The Vault allows users to log on through RADIUS authentication using logon credentials that are stored in the RADIUS server. The Vault also supports RADIUS challenge-response authentication if enabled by the RADIUS Administrator.
CONFIGURATION
1. Create a file on the Vault to store the shared secret with the RADIUS server (the shared secret must first be created on the RADIUS side)
2. Add the RADIUS configuration in dbparm.ini and restart the PrivateArk Service using the Windows Services applet
3. Set the user's Authentication Method as "RADIUS"
4. Enable "RADIUS" Authentication in the PVWA
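To make concrete what the shared secret from step 1 is actually used for, and how the RADIUS challenge-response (the "native 2FA" this deck credits RADIUS with) plays out on the wire, here is an added example written for this page, not CyberArk code: a constructed in-memory RADIUS server and a client standing in for the Vault, following RFC 2865. The secret hides the User-Password attribute in each Access-Request and lets the client verify the Response Authenticator on every reply, so a mismatched secret or a forged reply is detected rather than silently accepted. Usernames, passwords, token codes and the secret are all made up.

```python
"""RADIUS (RFC 2865) shared-secret handling and challenge-response.
Added, constructed example for this section, not CyberArk code: an in-memory
RADIUS server plus a client standing in for the Vault. All usernames,
passwords, token codes and the shared secret are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def pack_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def unpack_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code|ID|Length|RequestAuth|Attributes|Secret) proves the reply's origin."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


class ToyRadiusServer:
    """users: name -> (password, token code); pending: issued State -> expected answer."""

    def __init__(self, secret: bytes, users: dict) -> None:
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, request: bytes) -> bytes:
        code, ident, length = struct.unpack("!BBH", request[:4])
        req_auth, attrs = request[4:20], unpack_attrs(request[20:length])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        answer = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, req_auth)
        reply_code, reply_attrs = ACCESS_REJECT, []
        state = attrs.get(STATE)
        if state is not None:                          # leg 2: token code answers the challenge
            if self.pending.pop(state, None) == (user, answer):
                reply_code = ACCESS_ACCEPT
        elif user in self.users and hmac.compare_digest(self.users[user][0].encode(), answer):
            state = os.urandom(8)                      # single-use State ties leg 2 to this leg 1
            self.pending[state] = (user, self.users[user][1].encode())
            reply_code, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter token code"), (STATE, state)]
        body = pack_attrs(reply_attrs)
        return packet(reply_code, ident, response_authenticator(reply_code, ident, body, req_auth, self.secret), reply_attrs)


class VaultAsRadiusClient:
    def __init__(self, secret: bytes) -> None:
        self.secret, self.ident = secret, 0

    def request(self, server: ToyRadiusServer, user: str, answer: str, state=None):
        self.ident = (self.ident + 1) % 256
        req_auth = os.urandom(16)                      # fresh Request Authenticator per request
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(answer.encode(), self.secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))
        reply = server.handle(packet(ACCESS_REQUEST, self.ident, req_auth, attrs))
        code, ident, length = struct.unpack("!BBH", reply[:4])
        body = reply[20:length]
        expected = response_authenticator(code, ident, body, req_auth, self.secret)
        if ident != self.ident or not hmac.compare_digest(reply[4:20], expected):
            raise ValueError("bad Response Authenticator: secret mismatch or forged reply")
        return code, unpack_attrs(body)


def authenticate(server: ToyRadiusServer, client: VaultAsRadiusClient, user: str, password: str, token: str) -> int:
    """Password first; if challenged, answer with the token code bound to the returned State."""
    code, attrs = client.request(server, user, password)
    if code != ACCESS_CHALLENGE:
        return code
    code, _ = client.request(server, user, token, state=attrs[STATE])
    return code
```

Two points worth noticing when troubleshooting a real integration: a wrong shared secret does not produce a clean error on the server side, it just decodes the password to garbage and the server answers Access-Reject, while the client's Response Authenticator check fails on its side; and the State attribute is what lets the server match the token code in the second request to the password it already accepted in the first.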
WINDOWS AUTHENTICATION
WINDOWS AUTHENTICATION
• In Windows authentication, the client browser authenticates to the web server with the logged-on user's Windows credentials through a cryptographic exchange (Kerberos or NTLM); the password itself is never sent to the server.
• In CyberArk, Windows Authentication allows a Single Sign-On solution for the PVWA by authenticating to the Vault via the user's Windows credentials.
CONFIGURATION
1. Enable "Windows" authentication in the PVWA
   Note: when "UseVaultAuthentication" is set to NO, the authentication method set for the user in the Vault is ignored
2. For Single Sign-On (SSO), add the PVWA URL to the trusted sites and enable "Automatic logon with current username and password" in the browser security settings.
PKI AUTHENTICATION
PKI AUTHENTICATION
• PKI (Public Key Infrastructure) enables the use of certificates so that servers and users can identify each other and establish a secure connection.
• PKI Authentication allows authentication of CyberArk users via a User Certificate that can be stored on a Smart or PIV card.
PKI CONFIGURATION
1. The infrastructure for PKI must first be set in place and users must be issued with personal certificates.
2. The digital certificate can be stored on PIV or Smartcards, USB tokens or in the Windows Certificate Store.
3. Enable "PKI" authentication in the PVWA
   Note: when "UseVaultAuthentication" is set to NO, the authentication method set for the user in the Vault is ignored
RSA SECURID
ORACLE SSO
SAML
GOOGLE AUTH
AMAZON COGNITO
RSA SECURID
• RSA SecurID authentication uses a token, either hardware (key fob) or software (soft token), which generates an authentication code at fixed intervals.
• RSA SecurID can provide native 2FA to the PVWA
Prerequisites:
• Install and configure the RSA Web Agent on the PVWA server.
• Enable RSA authentication in the PVWA
ORACLE SSO
• Oracle SSO Authentication enables PVWA users to authenticate to the Vault using SSO with the same identity they use across the enterprise.
Prerequisites:
• Install and configure OracleSSO on the PVWA Server.
• Enable OracleSSO Authentication in the PVWA
SAML
• Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication data, connecting multiple Identity Providers with multiple Service Providers
• SAML authentication enables PVWA users to benefit from an SSO workflow across multiple domains.
• Services are provided by the Identity Provider (IdP).
• The IdP handles authentication via its login page.
• Authentication occurs at the IdP (not the Vault); the PVWA, as the Service Provider, consumes the resulting assertion.
Prerequisites:
• Configure SAML authentication in IIS.
• Enable SAML authentication in the PVWA.
GOOGLE AUTHENTICATION
• Google authentication enables users to authenticate to the Vault with a predefined Google account, according to the organizational policy
• Services are provided by the Google Identity Platform
• Uses OAuth 2.0
Prerequisites:
• Configure the application in Google's Developers Console
• Install Google authentication and configure OAuth
• Configure access through the PVWA
AMAZON COGNITO AUTHENTICATION
• Using Amazon Cognito you can configure multiple IdPs (SAML) for multiple domains. Amazon Cognito serves as a gateway between the PVWA and the different IdPs by routing the authentication request to the specific IdP based on the user's domain
• Before you configure Amazon Cognito in the PVWA you must first configure it in AWS
Prerequisites:
• Create a user pool in Amazon Cognito
• Configure the IdPs
• Configure Amazon Cognito in the PVWA
TWO FACTOR AUTHENTICATION
(2FA)
TWO FACTOR AUTHENTICATION
• Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by combining two different kinds of factor: something the user knows and something the user has.
• Using two-factor authentication mitigates common credential theft techniques, such as basic key loggers or more advanced attack tools that harvest plaintext passwords, because a stolen password alone is no longer sufficient to log on.
• CyberArk recommends that customers deploy two-factor authentication to the CyberArk Digital Vault, preferably over the RADIUS protocol.
USING 2FA IN CYBERARK
• In the PVWA you can combine ONE PVWA (IIS) method with ONE Vault method to create multi-factor authentication:
  PVWA (IIS) methods: PKI (certificate), Windows (password), RSA (token)
  Vault methods: LDAP (password), RADIUS (token), CyberArk (password)
  Pair a certificate or token method with a password method; two password methods give two steps but only one kind of factor.
• RADIUS and RSA SecurID can provide native 2FA without having to combine two authentication methods
EXAMPLE: PKI + LDAP
• Configure PKI as the primary authentication method and LDAP as the secondary authentication method
• Set the user's authentication method as LDAP
• The user chooses "User Certificate" as the authentication method
• After IIS authenticates the user based on the user's personal certificate, the user is also prompted for their LDAP password
SUMMARY
SUMMARY
This session has covered:
• The various authentication methods supported by CyberArk
• How two factor authentication works in CyberArk
• Integration of CyberArk with external Authentication systems
QUIZ
1. How can I enable two-factor authentication with CyberArk?
• Enable RADIUS. RADIUS is inherently two-factor and is the only way to achieve two-factor integration with PSMP.
• Combine a PVWA level authentication method with a Vault level authentication method, e.g., PKI + LDAP
2. What is the difference between Vault authentication and Vault Integrated authentication methods?
• With Vault authentication, the Digital Vault is the authenticating server.
• With Vault Integrated authentication, the Digital Vault sends the authentication request to the authenticating authority, such as a RADIUS
or LDAP server.
3. The RADIUS Administrator will define the Digital Vault Server as a RADIUS Client and assign a RADIUS Secret. How can
we provide the Digital Vault the RADIUS Secret to use to establish a secure connection to the RADIUS Server?
• A Vault Administrator must save the RADIUS Secret to an encrypted file on the Digital Vault, using the CAVaultManager utility, and
reference the encrypted file in the DBPARM.INI file.
4. I want my users to log in using their digital certificates. How do I enable PKI and configure it as the default authentication method?
• In the PVWA, navigate to Administration > Configuration Options > Options > Authentication Methods > PKI. Set the parameter Enabled =
Yes.
• In the PVWA, navigate to Administration > Configuration Options > Options > Authentication Methods > GeneralSettings. Set the
parameter DefaultMethod = pki (case sensitive).
5. What is the parameter UseVaultAuthentication?
• It is used to enforce two factor authentication. For example, if PKI is the default authentication method, configuring
UseVaultAuthentication = Yes, and UseLDAP = Yes requires the user to present their digital certificate and enter their LDAP user
password to authenticate to the vault. The corresponding transparent user found in the PrivateArk Client must be set to LDAP
authentication.
THANK YOU