Configuring SSO login buttons

You can customize the main Trust Protection Foundation login screen by adding dedicated Single Sign-On (SSO) shortcut buttons for your identity providers (for example, "Log in with Okta" or "Log in with Microsoft Entra ID"). These SSO buttons are convenient shortcuts. Users do not need to click an SSO button to successfully authenticate via an identity provider.

If a user types their username into the standard login field and clicks Continue, Trust Protection Foundation automatically determines which identity connector manages that user and checks how their credentials should be verified. If the connector is configured for delegated authentication, the system redirects the user to the correct OIDC or SAML provider. Users do not need to understand which connector or routing protocol applies to them.

To add an SSO button to the login screen

You configure these shortcut buttons directly on the identity connector itself.

  1. On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
  2. In the center Platform Connectors panel, select the identity connector you want to configure.
  3. In the Actions panel, click Properties.
  4. Select the Single Sign-On tab.
  5. From the SSO Provider drop-down list, select your identity provider vendor (for example, Okta or Microsoft Entra ID). The system uses this selection to determine which vendor icon to display on the button. If your vendor is not listed, select Other.
  6. In the Display as field, type the exact text you want to appear on the button (for example, Log in with Entra ID).
  7. Click Apply, and then click OK to save your changes.

When users navigate to the web console, they will now see your custom SSO button displayed below the standard username login field.

NOTE: Prefix-based usernames, such as scim+saml:username, remain fully supported for advanced routing scenarios if needed.

If you want users to bypass the Trust Protection Foundation login screen entirely, you have two options. You can configure your system to accept Identity Provider-initiated (IdP-initiated) login flows, so that users can launch the application directly from your provider's dashboard. Alternatively, you can set up Integrated MS Windows Authentication for automatic, seamless login.

How multiple SSO buttons affect the login experience

Trust Protection Foundation supports concurrent connections to multiple SSO providers. If you add multiple SSO buttons to the login screen (for example, one for CyberArk Identity and one for Microsoft Entra ID), users can click the button corresponding to their specific provider to initiate a forced identity selection flow.

However, users are not required to do this. If a user does not know which button to click, they can type their username into the main field and click Continue. The system then performs Home Realm Discovery automatically: it determines which identity connector handles their account and routes them to the correct external provider.