Importing Identity Provider Metadata XML into CyberArk Configuration Console for SAML

After you configure your identity provider (IDP), you are ready to go back into the CyberArk Configuration Console to finalize the configuration. During this process, you will upload the IDP Metadata XML. This file contains configuration information that CyberArk Trust Protection Foundation - Self-Hosted needs to properly configure your SAML connection to the IDP.

This topic is part of Phase Three in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

To import IDP Metadata XML into CyberArk Trust Protection Foundation - Self-Hosted

  1. Use Remote Desktop to connect to your Trust Protection Foundation server, and open CyberArk Configuration Console.
  2. Click the Authentication node.
  3. Click the SAML component.
  4. In the Actions panel, click Properties.
  5. [Conditional] If requested, enter a master administrator username and password for CyberArk Trust Protection Foundation - Self-Hosted.
  6. [Conditional] If not previously selected, choose your IdP Vendor from the drop-down list.
  7. In the Export and import SAML metadata section, click Import identity provider file.

  8. Browse to the location of the IdP SAML file on your system, click the file, then click Open.
  9. If your IDP supports it, you can provide a Logout URL.

    If a value is not provided, you won't see a Logout link in the menu. Of the IDPs tested by CyberArk, only Azure supports logging out by URL.

    If there is no Logout link, users will close their browser to terminate a session.

  10. Click Save.

    The SAML Properties window closes.

  11. In the Actions panel, click Enable.

Managing the SAML certificate in TLS Protect

The IdP Metadata XML file contains a TLS certificate that is automatically enrolled in Certificate Manager - Self-Hosted at the monitoring level. This means you can see the SAML certificate in the policy tree, and you can see (and monitor) its expiration like you do for your other certificates.

The enrollment level is monitoring because Certificate Manager - Self-Hosted can't renew and provision a new certificate. To renew this certificate, you must export a new IdP Metadata XML file from your identity provider and upload it into the CyberArk Configuration Console. When you import a replacement IdP Metadata XML file, the old certificate is placed in the history of the new certificate.

The location of the certificate in the policy tree is shown in the SAML Properties panel after you upload your IdP Metadata XML.

What's Next

If everything is configured correctly, SAML authentication should now work. We recommend opening another browser or an incognito window and opening Aperture. You should be redirected to your IDP login page. If you enter valid credentials, you should be taken to Aperture.

If you are having trouble, check out some SAML troubleshooting tips.