
CYBERARK UNIVERSITY

AUTHENTICATION METHODS

CyberArk Training
OBJECTIVES
By the end of this session you will be able to:
• Describe the different authentication methods supported by CyberArk
• Describe how two-factor authentication can be implemented in CyberArk
• Configure and combine different authentication methods

OVERVIEW
SUPPORTED AUTHENTICATION METHODS

• CyberArk supports the following authentication methods:
  • CyberArk
  • LDAP
  • RADIUS
  • Windows
  • PKI
  • RSA
  • OracleSSO
  • SAML
• Not all authentication methods are supported on all user interfaces.
• Some authentication methods may require installing a 3rd party agent.
SUPPORTED AUTHENTICATION METHODS

Method      PrivateArk Client   PVWA   RDP Proxy / SSH Proxy
CyberArk    X                   X      X
LDAP        X                   X      X
RADIUS      X                   X      X
Windows     X                   X
RSA         X                   X
PKI         X                   X
OracleSSO                       X
SAML                            X
PVWA AUTHENTICATION

AUTHENTICATION CLASSIFICATION

Authentication via PVWA can be divided into 3 classifications:

• CyberArk Authentication: the PVWA sends the details to the Vault, which performs the authentication.
• Vault Integrated External Authentication: the PVWA sends the credentials to the Vault, which in turn authenticates the user against the external authentication servers.
• IIS Integrated External Authentication: the PVWA sends the credentials to the server’s IIS service. IIS authenticates the user with the external server and confirms authentication to the PVWA web application, which confirms authentication to the Vault.
CYBERARK AUTHENTICATION FLOW

[Diagram: End User Browser → PVWA IIS Server → PVWA App → Vault, steps 1–4]

1. User chooses the relevant authentication method in the PVWA
2. User sends authentication details: Username and Password
3. The PVWA Application sends the authentication type and credential details to the Vault
4. The Vault verifies the user’s identity and grants the user access to the system
VAULT INTEGRATED AUTHENTICATION FLOW

[Diagram: End User Browser → PVWA IIS Server → PVWA App → Vault → External Authentication Server, steps 1–6]

1. User chooses the relevant authentication method in the PVWA
2. User sends authentication details: Username and Password/Token
3. The PVWA Application sends the authentication type and credentials to the Vault
4. The Vault sends a request to the external server containing the user’s credentials
5. The external server verifies the user’s identity
6. The Vault grants the user access to the system
IIS INTEGRATED AUTHENTICATION FLOW
[Diagram: End User Browser → PVWA IIS Server → External Authentication Server; PVWA App → Vault, steps 1–7]

1. User chooses the relevant authentication method in the PVWA
2. User sends authentication details: Username and Password/Token/Certificate
3. The PVWA Application sends the authentication type and credentials to the IIS service
4. IIS sends a request to the external server containing the user’s credentials
5. The external server verifies the user’s identity
6. The PVWA confirms the user’s identity to the Vault
7. The Vault grants the user access to the system
PVWA AUTHENTICATION: INTERMEDIATE SUMMARY

Method      IIS Integrated   Vault Integrated
CyberArk                     X
LDAP                         X
RADIUS                       X
Windows     X
RSA         X
PKI         X
OracleSSO   X
SAML        X
CYBERARK AUTHENTICATION

• The Vault uses a shared secret (password) in order for the Vault to identify a user. When a user logs on to the Vault, the client sends a logon request to the Vault. The Vault and the client use a two-way challenge-response protocol to prove to each other that they know the shared secret.
• The Vault can enforce a password policy to avoid usage of passwords that can be easily guessed.
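To make the "two-way challenge-response" property concrete, here is an added model (not CyberArk's actual wire protocol, and not code from this course) in which the client and the Vault each prove knowledge of the shared secret with an HMAC over fresh nonces, so the secret itself never crosses the wire. The secrets and nonces are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed model of a two-way challenge-response logon over a shared secret.
# It illustrates the property described above (each side proves knowledge of
# the secret without sending it); it is NOT CyberArk's actual wire protocol.

def _proof(secret: bytes, role: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """HMAC over both nonces plus the prover's role, so a proof is bound to
    this run and the Vault's proof can never be mistaken for the client's."""
    return hmac.new(secret, role + nonce_a + nonce_b, hashlib.sha256).digest()

def mutual_logon(client_secret: bytes, vault_secret: bytes) -> tuple:
    """Run one logon exchange; return (vault_accepted_client, client_accepted_vault)."""
    nonce_c = secrets.token_bytes(16)   # 1. client -> vault: logon request + fresh nonce
    nonce_v = secrets.token_bytes(16)   # 2. vault -> client: its own fresh nonce
    # 3. client -> vault: proof that it knows the secret
    client_proof = _proof(client_secret, b"client", nonce_c, nonce_v)
    vault_accepts = hmac.compare_digest(
        client_proof, _proof(vault_secret, b"client", nonce_c, nonce_v))
    if not vault_accepts:
        # The Vault stops here: answering an unverified client would hand an
        # attacker an HMAC under the real secret to guess against offline.
        return False, False
    # 4. vault -> client: its own proof, with the role label swapped
    vault_proof = _proof(vault_secret, b"vault", nonce_c, nonce_v)
    client_accepts = hmac.compare_digest(
        vault_proof, _proof(client_secret, b"vault", nonce_c, nonce_v))
    return vault_accepts, client_accepts

def replayed_proof_is_rejected(secret: bytes) -> bool:
    """A proof captured from one run fails in a later run because the nonces differ."""
    old = _proof(secret, b"client", secrets.token_bytes(16), secrets.token_bytes(16))
    nonce_c, nonce_v = secrets.token_bytes(16), secrets.token_bytes(16)
    return not hmac.compare_digest(old, _proof(secret, b"client", nonce_c, nonce_v))
```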
CONFIGURATION

1. Set the CyberArk internal Password Policy in passparm.ini
2. Set the user’s Authentication method as “Password” and set the password
3. Enable “CyberArk” authentication in the PVWA
LDAP AUTHENTICATION

• The Vault transparently supports User Accounts and Groups of users whose details are stored externally in LDAP-compliant directories.
• Users whose details are stored in an LDAP-compliant directory can authenticate to the Vault directly from the PrivateArk Client or the PVWA.
CONFIGURATION

1. Integrate the Vault with the LDAP server using the PVWA
2. Set the user’s Authentication Method as LDAP
3. Enable “LDAP” Authentication in the PVWA
RADIUS AUTHENTICATION

• Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication management for users who connect to and use a network service.
• The Vault allows users to log on through RADIUS authentication using logon credentials that are stored in the RADIUS server. The Vault also supports RADIUS challenge-response authentication.
CONFIGURATION

1. Create a file to store the shared secret with the RADIUS server on the Vault (the shared secret must first be created on the RADIUS side)
2. Add the RADIUS configuration in dbparm.ini and restart the PrivateArk Service
3. Set the user’s Authentication Method as “RADIUS”
4. Enable “RADIUS” Authentication in the PVWA
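The shared secret from step 1 is what the Vault, acting as the RADIUS client, and the RADIUS server use to hide the user's password in the request and to authenticate the reply. The following added example (not CyberArk code, not part of this course) walks through an RFC 2865 Access-Request and Access-Accept with constructed usernames, passwords and secrets, and shows the client-side check that rejects a reply produced with the wrong secret.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed illustration (RFC 2865) of what the shared secret does: it never
# crosses the wire, it keys the hiding of User-Password, and it lets the RADIUS
# client check that a reply came from a server that knows it. Added example,
# not CyberArk code; all user names, passwords and secrets here are made up.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: XOR the zero-padded password with an MD5 keystream
    chained from the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out

def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value

def build_access_request(secret: bytes, ident: int, user: bytes, password: bytes) -> bytes:
    request_auth = secrets.token_bytes(16)               # fresh for every request
    attrs = attribute(1, user) + attribute(2, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(secret: bytes, request: bytes, code: int = ACCESS_ACCEPT, attrs: bytes = b"") -> bytes:
    """Server side: stamp the reply with the Response Authenticator."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, code, ident, request_auth, attrs)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def reply_is_authentic(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Client side: accept the reply only if its ID matches our request and its
    Response Authenticator was computed with our copy of the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply) or length < 20:
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], reply[20:])
    return hmac.compare_digest(expected, reply[4:20])
```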
WINDOWS AUTHENTICATION

• Windows authentication (formerly named NTLM) is a secure form of authentication in a Windows environment. In Windows authentication, the client browser sends a strongly hashed version of the password in a cryptographic exchange to the web server.
• In CyberArk, Windows Authentication allows a Single Sign-On solution for the PVWA by authenticating to the Vault via the user’s Windows credentials.
CONFIGURATION

1. Enable Windows authentication and Forms authentication for IIS (<server name>\Sites\Default Web Site\PasswordVault\auth\windows)
2. Enable “Windows” authentication in the PVWA
   When “UseVaultAuthentication” is set to NO, the authentication method set for the user in the Vault is ignored.
3. For Single Sign-On (SSO), add the PVWA URL to the trusted sites and enable “Automatic logon with current username and password” in the browser security settings.
PKI AUTHENTICATION

• PKI (Public Key Infrastructure) enables the use of certificates in order for servers and users to identify each other and establish a secure connection. Amongst other items, certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.
• PKI Authentication allows authentication for CyberArk users via a User Certificate.
CONFIGURATION

1. The infrastructure for PKI must first be set in place and users must be issued with personal certificates.
2. The digital certificate can be stored on PIV or Smartcards, USB tokens or in the Windows Certificate Store.
3. Enable “PKI” authentication in the PVWA
   When “UseVaultAuthentication” is set to NO, the authentication method set for the user in the Vault is ignored.
RSA SECURID / ORACLESSO / SAML

RSA SECURID

• RSA SecurID authentication uses a token, either hardware (key fob) or software (soft token), which generates an authentication code at fixed intervals.
• RSA SecurID can provide native 2FA to the PVWA.

Prerequisites:
• Install and configure the RSA Web Agent on the PVWA server.
• Enable RSA authentication in the PVWA.
ORACLESSO

• Oracle Identity Management (OIM) enables organizations to manage the end-to-end lifecycle of user identities across all enterprise resources, including Single Sign-On (SSO) to multiple web applications.
• Oracle SSO Authentication enables PVWA users to authenticate to the Vault using SSO with the same identity they use across the enterprise.

Prerequisites:
• Install and configure OracleSSO on the PVWA server.
• Enable OracleSSO Authentication in the PVWA.
SAML

• Security Assertion Markup Language (SAML) is an XML-based open authentication framework connecting multiple Identity Providers with multiple Service Providers.
• SAML authentication enables PVWA users to benefit from an SSO workflow across multiple domains.

Prerequisites:
• Configure SAML authentication in IIS.
• Enable SAML authentication in the PVWA.
TWO FACTOR AUTHENTICATION (2FA)
TWO FACTOR AUTHENTICATION
• Two-factor authentication (also known as 2FA) is a method of confirming a user’s claimed identity by combining two different components (something the user knows and something the user has).
• Using two-factor authentication mitigates common credential theft techniques, such as basic key loggers or more advanced attack tools that are capable of harvesting plaintext passwords.
• CyberArk recommends that customers deploy two-factor authentication to the CyberArk Digital Vault, preferably over the RADIUS protocol.
USING 2FA IN CYBERARK

• In the PVWA you can combine ONE IIS (PVWA) method with ONE Vault method to create multi-factor authentication, as shown in the table below.

IIS (PVWA) method      Vault method
PKI (certificate)      LDAP (password)
Windows (password)     RADIUS (token)
RSA (token)            CyberArk (password)

• RADIUS and RSA SecurID can provide native 2FA without having to combine two authentication methods.
EXAMPLE: PKI + LDAP

• Configure PKI as the primary authentication method and LDAP as the secondary authentication method
• Set the user’s authentication method as LDAP
• User chooses “User Certificate” as the authentication method
• After IIS authenticates the user based on the user’s personal certificate, the user is also prompted for his or her LDAP password
SUMMARY

This session has covered:

• The different authentication methods supported by CyberArk
• The way two-factor and two-step authentication works in CyberArk
• Integration of CyberArk with external authentication systems
THANK YOU
