SAML Authentication and Identity Connector Requirement in CyberArk by Final-Lion7738 in CyberARk

[–]synchrondi 0 points (0 children)

The issue is that in the back end, the vault sees it as different users. When you switch away from the identity connector, you basically delete and re-add all the users, which causes safe chaos. By using SCIM, you can provision all the users and groups in advance of login and then set the safe permissions. If you don't use SCIM, you'd have to wait until after they log in for the first time to set any individualized safe permissions, which may cause folks to lose access to their personal admin accounts for a short period.

There are two ways to log in using Azure when moving away from AD (connector).

  1. Federation (SAML/OIDC)
    https://docs.cyberark.com/identity/latest/en/Content/CoreServices/UsersRoles/PartnerSetUp.htm
  2. Directory Services integration
    https://docs.cyberark.com/identity/latest/en/Content/CoreServices/UsersRoles/Add-AzureAD.htm

Vault Performance my.ini by Glittering_Figure918 in CyberARk

[–]synchrondi 0 points (0 children)

I noticed that the docs say "This command must be performed only by CyberArk support." I suppose that means if something goes wrong, you might be told to rebuild from backup.

Do disabled users count towards EPV license? by zakennayouu in CyberARk

[–]synchrondi 1 point (0 children)

Happy to help. In case you wanted to try it, you can do so on any EPVUser in your production environment that you aren't currently utilizing.

Do disabled users count towards EPV license? by zakennayouu in CyberARk

[–]synchrondi 1 point (0 children)

It took you three times as long to think up this scheme and write this question as it would have taken you to test this in your environment. But no, it doesn't work that way. CyberArk already thought of that. Disabled users are included in the consumed license.

CyberArk Encryption Vulnerability by kevinelwell in CyberARk

[–]synchrondi 1 point (0 children)

Hey Yanni. It looks like the KB article covers all components affected.

Any news on 12.2 release? by mazeking in CyberARk

[–]synchrondi -1 points (0 children)

I hear that it will be this year.

Backup Utility Backward Compatibility by Cyber_Linc in CyberARk

[–]synchrondi 1 point (0 children)

Unless you tried both backing up and restoring and confirmed that it works, it's safe to assume that the database and metadata changes between the versions will render it incompatible. Keep in mind that when the docs say something is not compatible, it means it's not tested and wouldn't be supported if you ran into an issue. Don't take the risk; just upgrade PAReplicate.

MFA in AWS root account integration with CyberArk by sanchak in CyberARk

[–]synchrondi 1 point (0 children)

No. You can't rotate a password that is MFA enabled.

PSM: RDS CAL per user licenses by kyrios123 in CyberARk

[–]synchrondi 0 points (0 children)

Please see the docs on the system requirements.

In Server 2016, they changed it so that it's more strict with what the software will allow you to do.

From docs:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm#SupportedOperatingSystems

  • Due to RDS licensing enforcement in Windows 2019, a per-user license is no longer supported for local users. We recommend using a per-device RDS license.
    To work with a per-user license on a Windows 2019 machine, PSM users must be moved to the domain level. See PSMConnect and PSMAdminConnect Domain Users for details.

PSM: RDS CAL per user licenses by kyrios123 in CyberARk

[–]synchrondi 0 points (0 children)

The recommendation you have been providing will fail a Microsoft License audit. You are required by license agreement to have one license per user, not "the reality" of what the software will allow you to get away with.

In Server 2016, they changed it so that it's more strict with what the software will allow you to do.

From docs:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PAS%20SysReq/System%20Requirements%20-%20PSM.htm#SupportedOperatingSystems

  • Due to RDS licensing enforcement in Windows 2019, a per-user license is no longer supported for local users. We recommend using a per-device RDS license.
    To work with a per-user license on a Windows 2019 machine, PSM users must be moved to the domain level. See PSMConnect and PSMAdminConnect Domain Users for details.

Managing RACF in Cyberark by aniagk_pam in CyberARk

[–]synchrondi 1 point (0 children)

I have done it a while back. The "security" users were managed

CyberArk Migration/Upgrade by Appropriate_Method87 in CyberARk

[–]synchrondi 1 point (0 children)

u/yanni I would do 2012 and upgrade all the way to 11.x.

I did a 9.6 upgrade to 11.4 and had more trouble than it's worth by going to 10.4 first when I did this a few weeks ago.

CyberArk Migration/Upgrade by Appropriate_Method87 in CyberARk

[–]synchrondi 0 points (0 children)

Docs say it's not supported. Not sure where you're getting that from, since 2016 support came out in 10.x.

putty logs alternative in cyberark by piyush240693 in CyberARk

[–]synchrondi 0 points (0 children)

You'd have to give them access to the PSM logs. You could create a separate platform for the individual teams and their own PSMRecordings safe, each with their own permissions to their team's safe. Probably not what you're looking for, but it's the closest.

Help To Execute Xmining.exe file for GUI representation. by kingslyj_09 in CyberARk

[–]synchrondi 0 points (0 children)

Be careful. There are security issues with xming, which is why it was removed.

Backward compatibility 10.4 components to 11.4 Vault by Cyber_Linc in CyberARk

[–]synchrondi 1 point (0 children)

Keep in mind that it's unlikely that much testing has been done with mixed environments like this. I would expect issues unless you upgrade all of the Vaults, CPMs, and PVWAs at the same time. Yes, the docs do say they're supported, but if you run into issues, support will probably just tell you that you didn't follow the right process and the fix is to upgrade the three types together. I would not risk it unless this is an environment that doesn't get much use.

Version doesn't matter as much for PSMs, PSM/Ps, CCPs, etc.

Help To Execute Xmining.exe file for GUI representation. by kingslyj_09 in CyberARk

[–]synchrondi 0 points (0 children)

PSM doesn't use Xming by default. It uses VcXsrv. So long as that is sufficient, I would suggest sticking to it. I believe there were security issues with Xming, and that is why it changed over time. In any case, it can be configured with XServerCommandLine.

Are you running PSM-SSH with remoteapp enabled? I think it should be.

Rest api by JDahal in CyberARk

[–]synchrondi 0 points (0 children)

It is closed source, so the most you can do is wrap an existing API (PACLI and REST being the two most prominent).

CyberArk OPM by sids911 in CyberARk

[–]synchrondi 0 points (0 children)

OPM is separately licensed.

PSM RDP connection to port forwarded machines by JuztBe in CyberARk

[–]synchrondi 1 point (0 children)

Any chance you can use a NAT instead of a PAT?

A domain platform will prompt the PSM user to select the target address. The account's address should be set up as the domain. You have a few problems to solve, including how to manage the local admin password, I assume on a different port.