Using CyberArk as Your Identity Provider

To integrate with CyberArk, add a SAML application in your CyberArk account and in the Command Center. Metadata from the CyberArk application is shared with the Command Center application during this process.

CyberArk is a third-party identity provider (IdP) that can act as the IdP when your users log on to Commvault Cloud. Commvault Cloud is the service provider (SP).

Before You Begin

If you need to create a SAML app for a specific company, in the upper-right corner of the page, from the Select a company list, select the company that you want to create the SAML app for.

Step 1: Create an Application in CyberArk

  1. Log in to the CyberArk Admin Portal.

  2. From the navigation pane, go to Apps & Widgets > Add Web Apps.
    The Add Web Apps dialog box appears.

  3. On the Custom tab, click SAML.
    The Add Web App dialog appears.

  4. Click Yes.
    The SAML app page appears:

    • On the Settings tab, enter the SAML app details such as name and category.
    • On the Trust tab:
      • In the Identity Provider Configuration section, download the metadata file.
        The metadata file that you download is the IdP metadata file that you will upload to Commvault Cloud.
  5. Remain on the SAML app page.
    You must upload the SP metadata file created in Commvault Cloud to your CyberArk app from the SAML app page.

Step 2: Create a SAML Application in Commvault Cloud

  1. From the navigation pane, go to Manage > Security. The Security page appears.

  2. Click Identity servers. The Identity servers page appears.

  3. On the top right corner of the page, click Add > SAML. The Add SAML app page appears.

  4. On the General tab, in the Name box, enter the domain name or any string.

  5. Click Next.

  6. On the Identity provider metadata tab, in the Upload IDP metadata box, browse to the downloaded XML file from Step 1 that contains the IdP metadata, and then click Open.

    The Entity ID and the Redirect URL from the file are displayed.

  7. Click Next.

  8. On the Service provider metadata tab, review the value in the Service provider endpoint box.

    This value is automatically generated and is used in the SP metadata file. The format of the value is https://mycompany:443/identity.

  9. To digitally sign the SAML message, move the Auto generate key for digital signing of SAML messages toggle key to the right.

  10. Click Next.

  11. On the Associations tab, identify the users who can log on using SAML:

    • To identify users by their email addresses, in the Email suffixes box enter an email suffix, and then click Add.

      Note

      You must use an email suffix as specified in the SAML integration settings to avoid integration issues.

      If you face SAML integration issues, use a break glass account. The break glass account must be on a different domain than that of the current domain.

    • To identify users by the companies they are associated with, from the Companies list, select a company, and then click Add.

    • To identify users by the domains they are associated with, from the Domains list, select a domain, and then click Add.

    • To identify users by the user groups they are in, from the User groups list, select a user group, and then click Add.

      Note

      • If you migrate from an Exchange On-premises server to an Exchange Online server, you must add the appropriate domain and user group.

      • You can add any combination of associations, and you can add multiple associations in each category.

  12. Click Next.

    The Connectivity Test screen appears.

  13. Click Download SP metadata.
    The SP metadata file must be uploaded to the CyberArk SAML app (see Step 3).

  14. Click Finish.

Step 3: Upload the SP Metadata to CyberArk

  1. On the SAML app page, go to the Trust tab.

  2. In the Service Provider Configuration section, click Choose File, and then select the SP metadata file that you downloaded from Commvault Cloud in Step 2.

  3. Click Save.

  4. On the Account Mapping tab, under Directory Service Field, enter mail, and then click Save.

  5. On the Permissions tab, enter the users and user groups and select their associated permissions.
    The CyberArk SAML application is deployed.

Step 4: Test the Connection

  1. From the navigation pane, go to Manage > Security.
    The Security page appears.

  2. Click Identity servers. The Identity servers page appears.

  3. Click the SAML app. The SAML app page appears.

  4. On the General tab, in the General section:

    1. Click Test login. A browser window appears.

    2. Enter the email and password for a user to test the SAML login.

    3. Close the browser window.
      After the test login is successful, the SAML app will be enabled in the Command Center.
