Configuring single sign-on for an identity connector

By default, some identity connectors (like Active Directory or LDAP) verify credentials directly by asking the user for their local password. However, you can configure any identity connector to bypass local passwords and delegate authentication to a central identity provider using OpenID Connect (OIDC) or SAML.

Because Trust Protection Foundation manages authentication on a per-connector basis, you have complete flexibility. You can configure one connector to use OIDC, another to use SAML, and leave a third using local passwords, all running concurrently.

Review the following important considerations before you begin:

  • Authentication requires prior identity provisioning. SAML and OpenID Connect (OIDC) are used strictly for credential verification; they do not provision users into the Trust Protection Foundation database.
  • The system does not support "just-in-time" account creation during the SSO login process. If you configure a delegated authentication profile, the user must already exist in the system's local database (provisioned ahead of time via a SCIM connector, Active Directory, or as a local user) before they attempt to log in. If your identity provider authenticates a user who has not yet been pushed into the local database, the login will fail.

To configure delegated authentication

  1. On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
  2. In the center Platform Connectors panel, select the identity connector you want to configure (for example, your SCIM or Active Directory connector).
  3. In the Actions panel, click Properties.
  4. Select the Single Sign-On tab.
  5. From the SSO Provider drop-down list, select your central identity provider (for example, CyberArk Identity or Microsoft Entra ID). If your specific provider isn't listed, select Other.
  6. In the Display as field, enter the friendly text you want to appear on the optional SSO shortcut button on the main login screen.
  7. Select your authentication Method: OIDC or SAML.

Depending on your selected method, complete the specific provider configuration fields outlined in the following sections.

OpenID Connect (OIDC) configuration

OIDC is the recommended authentication method for modern identity integrations. Before filling out these fields, click the IdP Guidance... button at the bottom of the window. This provides you with the exact Sign-in and Sign-out redirect URIs that you must copy and paste into your identity provider's configuration portal to authorize the flow.

After setting up the application in your identity provider, complete the following fields:

  Field           Description
  Client ID       The unique application identifier generated by your identity provider.
  Client Secret   The secure client secret generated by your identity provider.
  Authority URL   The base URL of your identity provider's authorization server.
  Username        The specific OIDC token claim that contains the user's username (the default is preferred_username). This must match the username format expected by Trust Protection Foundation.
  Audience        (Optional) The expected audience claim for the token, if your provider requires explicit validation.
  Issuer          (Optional) The expected issuer URI of the token, if your provider requires explicit validation.
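To show how the Username, Audience and Issuer settings above fit together with the "no just-in-time provisioning" rule, here is an added example (not Trust Protection Foundation code) that applies those checks to an ID token's claims and then maps the username claim to a pre-provisioned local user. It signs tokens with HS256 and a constructed shared secret purely so the example runs offline; real providers normally sign ID tokens with RS256 and publish keys via the Authority URL.

```python
import base64, hashlib, hmac, json

# Connector settings as described on this page (constructed values).
CONNECTOR = {
    "username_claim": "preferred_username",   # the "Username" field (default value)
    "audience": "tpf-client-id",              # optional "Audience" check
    "issuer": "https://idp.example.test",     # optional "Issuer" check
}
# Users already provisioned in the local database (constructed). No JIT creation happens.
LOCAL_USERS = {"alice", "bob"}

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed token with constructed claims (stands in for the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_id_token(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature (demo only) and return the claim set."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def resolve_local_user(claims: dict, settings: dict, now: float) -> str:
    """Apply the connector's claim checks, then map to a user that already exists locally."""
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if settings.get("issuer") and claims.get("iss") != settings["issuer"]:
        raise ValueError("issuer mismatch")
    if settings.get("audience"):
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
        if settings["audience"] not in aud:
            raise ValueError("audience mismatch")
    username = claims.get(settings["username_claim"])
    if not username:
        raise ValueError(f"claim {settings['username_claim']!r} missing from token")
    if username not in LOCAL_USERS:
        # This is the failure the page describes: authenticated at the IdP, not provisioned here.
        raise LookupError(f"user {username!r} is not provisioned in the local database")
    return username
```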

SAML configuration

If you select SAML, you must establish a trust relationship between Trust Protection Foundation and your identity provider. You can click the Export Metadata... button to quickly generate an XML file containing the service provider details needed to configure your identity provider.

SAML technical requirements

  1. Before configuring your provider, ensure it aligns with the following Trust Protection Foundation constraints:
    • Signatures: The system requires the entire SAML Response to be signed. Because some providers only sign the Assertion by default, you may need to explicitly configure your provider to sign the entire response. The system does not support signed authentication requests.
    • Encryption: The system does not support encrypted SAML responses.
    • Logout: The system does not support Single Log Out (SLO), but it does support a Logout URL if your provider allows logging out by visiting a specific link.
    • Time sync: The system allows a clock skew of 180 seconds between the server and the identity provider.
  2. Once your identity provider is configured, complete the following fields:

    Field                               Description
    Metadata URL                        The URL where Trust Protection Foundation can retrieve your identity provider's SAML metadata. You can click Verify to test the connection. Note on dynamic updates: Trust Protection Foundation automatically polls this URL in the background to refresh your provider's endpoints and signing certificates based on the cacheDuration and validUntil attributes defined in the provider's XML file. If you need to force an immediate metadata sync, you can restart the web server (IIS).
    Entity ID                           The globally unique identifier for your identity provider.
    Single Sign-On URL                  The specific endpoint URL where Trust Protection Foundation will send SAML authentication requests.
    Signing Certificate                 The public certificate used to verify the signature on the SAML responses sent by your identity provider.
    Unsolicited AuthN requests permitted  Select this checkbox if you want to allow identity provider-initiated (IdP-initiated) login flows.
    Username                            The specific SAML assertion attribute that contains the user's username (the default is username).
  3. Click Apply, and then click OK to save your configuration.
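The SAML constraints listed under "SAML technical requirements" (response-level signature, no encryption, 180-second clock skew) are easy to get wrong on the provider side. The following added example, which is not part of Trust Protection Foundation, inspects a captured SAML Response and reports which of those constraints it would violate; the sample response is constructed and its signature value is a placeholder. It checks structure and timestamps only and does not verify the XML signature itself.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLOCK_SKEW = timedelta(seconds=180)  # tolerance stated on this page

# Constructed sample: the provider signed only the Assertion, which the page says is rejected.
ASSERTION_ONLY_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text: str, now: datetime) -> list:
    """Return findings explaining why the response would be rejected; an empty list means OK."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    findings = []
    # The Signature must be a direct child of the Response, not only of the Assertion.
    if root.find("ds:Signature", NS) is None:
        if root.find("saml:Assertion/ds:Signature", NS) is not None:
            findings.append("only the Assertion is signed; the entire Response must be signed")
        else:
            findings.append("Response is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("encrypted assertions are not supported")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) - CLOCK_SKEW > now:
            findings.append("assertion not yet valid even after 180 s skew")
        if na and _ts(na) + CLOCK_SKEW <= now:
            findings.append("assertion expired even after 180 s skew")
    return findings

if __name__ == "__main__":
    for line in check_saml_response(ASSERTION_ONLY_SIGNED, datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)):
        print("finding:", line)
```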