>
    Strata Copilot
    Configure CyberArk as an IdP in the Cloud Identity Engine
    Focus
    Download PDF
    Focus
    1. Home
    2. Identity
    3. Authenticate Users with the Cloud Identity Engine
    4. Set Up a SAML 2.0 Authentication Type
    5. Configure CyberArk as an IdP in the Cloud Identity Engine
    Download PDF
    Identity

    Configure CyberArk as an IdP in the Cloud Identity Engine

    Table of Contents

    Configure CyberArk as an IdP in the Cloud Identity Engine

    Set up the Cloud Identity Engine integration with CyberArk.
    Where Can I Use This?What Do I Need?
    • GlobalProtect
    • NGFW and Panorama
    • Prisma Access
    • Active Cloud Identity Engine account with required administrator rights
    • Cloud Identity Engine users who will access the CyberArk Identity User Portal through SSO have been added to CyberArk
    • PAN-OS 11.2 and later
    Configure CyberArk Identity as a SAML 2.0 IdP (identity provider) in the Cloud Identity Engine.
    Keep the Cloud Identity Engine and CyberArk Identity Admin portal windows open simultaneously to copy and paste settings between the two browser windows.
    1. Log in to the Cloud Identity Engine app.
    2. Add CyberArk as an authentication type.
      1. Select AuthenticationAuthentication Types, and then click Add New Authentication Type.
      2. Set Up a SAML 2.0 authentication type.
      3. For Metadata Type, select Single service provider metadata.
      4. Copy the EntityID and Assertion Consumer Service URL, and then click Download SP Certificate to save a copy of the service provider certificate.
        Alternatively, you can Download SP Metadata.
        Save this information in a secure place. You will need it to complete the service provider configuration in CyberArk Identity Administration portal.
    3. Configure an Identity Provider Profile.
      1. For Profile Name, enter CyberArk.
      2. For Identity Provider Vendor, select CyberArk.
      3. Add Metadata manually or using the IdP metadata file from CyberArk.
        To acquire the metadata, complete up to step 3.b in Configure the Cloud Identity Engine Template for SSO in CyberArk.
        • To enter the metadata, select Enter Manually, and then provide the following:
          • Identity Provider ID—The IdP Entity ID / Issuer from CyberArk
          • Identity Provider Certificate—Upload the Signing Certificate from CyberArk
          • Identity Provider SSO URL—The Single Sign On URL from CyberArk
        • To upload the IdP metadata file, select Upload Metadata, and then drag and drop the file or Browse files.
      4. (Optional) Select an HTTP Binding for SSO Request to Identity Provider method to use for the SAML binding.
        This allows the firewall and IdP to exchange request and response messages.
        • HTTP Redirect—Transmit SAML messages through URL parameters
        • HTTP Post—Transmit SAML messages using base64-encoded HTML
      5. Specify the Maximum Clock Skew (seconds) (default is 60; range is 1–900).
        Maximum Clock Skew is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages. If the difference exceeds this value, authentication fails.
      6. (Optional) Force Authentication.
        When you enable this option, CyberArk prompts users for credentials for every authentication attempt, even if they have an active single sign-on (SSO) session.
    4. Verify your Identity Provider profile configuration.
      This step confirms that your NGFW and CyberArk can communicate.
      If you do not provide the vendor information, the SAML test passes so you can still submit the configuration.
      1. In the Test SAML and Attributes section, click Test SAML Setup.
        This redirects you to the CyberArk Identity Provider settings and initiates testing. After successful authentication, the configured username and any other IdP attributes populate in the Test SAML and Attributes window. Only the UserName attribute is mandatory.
      2. Submit your changes.
    5. Set up an Authentication profile to define how the Cloud Identity Engine authenticates users.

    Configure the Cloud Identity Engine Template for SSO in CyberArk

    Configure the Cloud Identity Engine application template in the CyberArk Identity Administration portal to enable service provider-initiated and identity provider-initiated single sign-on (SSO) to the CyberArk Identity User Portal.
    1. Log in to the CyberArk Identity Administration portal.
    2. Add the Cloud Identity Engine web app template.
      1. Select Apps & WidgetsWeb Apps, and then click Add Web Apps.
      2. Search for Palo Alto Networks CIE, and then click Add.
      3. Add the Palo Alto Networks CIE web app, and then click Yes to confirm.
      4. Close the app catalog.
        The Palo Alto Networks CIE template opens to its prepopulated Settings page.
    3. Configure Trust settings.
      1. On the sidebar, select Trust.
      2. In the Identity Provider Configuration section, collect the CyberArk Identity metadata.
        Save the metadata in a secure location. You will need this information to configure the Identity Provider Profile in the Cloud Identity Engine app.
        • To populate the profile using an IdP metadata file, select Metadata, and then click Download Metadata File.
        • To enter the metadata, select Manual Configuration. Copy the IdP Entity ID / Issuer and Single Sign On URL, and then Download the Signing Certificate.
      3. In the Service Provider Configuration section, provide the Cloud Identity Engine metadata.
        • To use the SP metadata file, select Metadata, and then upload the File you downloaded from the Cloud Identity Engine.
          The metadata auto-populates.
        • To enter the SP metadata, select Manual Configuration, and then provide the following:
          • SP Entity ID / SP Issuer / Audience—The Entity ID from the Cloud Identity Engine
          • Assertion Consumer Service (ACS) URL—The Assertion Consumer Service URL from the Cloud Identity Engine
      4. Validate the metadata, and then Save the configuration.
    4. Configure the SAML response.
      1. On the sidebar, select SAML Response.
      2. In the Attributes section, verify that the Attribute Name maps to the correct Attribute Value.
        Specifically, verify that the Login Attribute Name maps to the LoginUser.Email Attribute Value.
        Attributes are case-sensitive.
      3. (Optional) To map other attributes you want to pass in the SAML response, click Add.
      4. Save the configuration.
    5. Define permissions for Cloud Identity Engine users, groups, or roles who will access the CyberArk Identity User Portal.
      Assigning permissions grants SSO access to the selected users, groups, or roles.
      One user must be an administrator who is mapped to the attribute. The user must already exist in CLICDATA.
      1. On the sidebar, select Permissions, and then click Add.
      2. Select the users, groups, or roles to grant SSO access, and then click Add.
        The added object appears on the Permissions page with View, Run, and Automatically Deploy permissions selected by default.
      3. Enable permissions for each user, group, or role, and then click Save.
        You can change the permissions to add additional control or if you prefer not to automatically deploy the application.
    6. Review the settings, and then Save your configuration.
    7. Test the Cloud Identity Engine SSO configuration.
      • To test IdP-initiated SSO:
        1. Sign in to the CyberArk Identity User Portal with a user account you just added.
        2. Click the Palo Alto Networks CIE application tile to launch the Cloud Identity Engine in a new tab and automatically sign in.
      • To test SP-initiated SSO:
        1. Visit your organization's Cloud Identity Engine SSO URL.
        2. Sign in with your Identity Provider.
          This redirects you to the CyberArk Identity User Portal. After successfully authenticating to the IdP, you are redirected back to the Cloud Identity Engine.

    © 2026 Palo Alto Networks, Inc. All rights reserved.