Question about Integrating SailPoint with CyberArk Privileged Access Manager (Self-Hosted)

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

Hi,

A while ago (about 2 years ago) one of our team members had implemented a test configuration (a POC/prototype) of SailPoint interacting/connecting with CyberArk PAM (see IdentityIQ for CyberArk Connector - Compass).

Now they want to implement a more complete integration and I found this:

The “Prerequisites” section links to information about configuring the CyberArk SCIM server (Configure the SCIM server), and that document mentions that OAuth2 is used to get a bearer token, and that the token then needs to be sent with the request to the SCIM server.

However, from the information that I’ve been able to find from when they did the first POC, OAuth2 was not involved back then.

So I am wondering, if anyone is familiar with this integration: has the SCIM side changed within the last 1-2 years, such that OAuth2 was not required earlier but is today?

Also, in the first paragraph of the 1st SailPoint reference, it refers to “A SailPoint Identity Security Cloud”. Would that information be relevant for IIQ (vs. “A SailPoint Identity Security Cloud”)?

Thanks,
Jim

Which PAM product and version are you using?
On-Prem (Self Hosted) or Privilege Cloud?

For On-Prem (Self-Hosted), look at The CyberArk SCIM Server

Hi Paul,

We are using self-hosted.

FYI, I had already mentioned that the link I posted cited the CyberArk SCIM server, but that same link also indicated that OAuth2 was used to authenticate to the SCIM server.

My question was about whether or not OAuth2 was the only/required authentication when integrating SailPoint IIQ with CyberArk.

Part of the reason for my question is that we have a CyberArk SCIM server set up from an earlier prototyping effort (~2 years ago), but the reference I posted (Integrating SailPoint with CyberArk Privileged Access Manager (Self-Hosted)) assumes OAuth2, and we currently don’t have an OAuth2 configuration set up.

I have the impression that the SCIM server accepts other types of authentication, so I was hoping there was a way to get the integration (SP with CyberArk) working without having to use OAuth2.

Thanks,
Jim

The latest Self-Hosted CyberArk SCIM Server is v1.3.5.

The username/password credential mechanism for access to the SCIM service is still available (default) as well as OAuth capabilities:

“The CyberArk SCIM now allows for authentication to happen without the use of providing a username and password but relying on the use of a 3rd party authentication solution to provide a secure connection to the SCIM api. Scope is linked to a user by the SCIM Rights assigned to it in the authentication solution.”

For IIQ PAM integration, please review Privileged Account Management

CyberArk SCIM Server Implementation Guide-v1.0 July 2024.pdf (1.6 MB)

Hi Paul,

Thanks for the PDF and for the info about authentication!!

FYI, I was checking the SCIM server that they currently have installed, and from the SCIM server log the version is “1.2.2”, so it is old :(…

It is also not listening and I am taking a look at that now… Will post back…

Jim

Paul,

So I’ve been trying to do some testing of the old SCIM server that I found and have come to the conclusion that it is in really bad shape… I’ve been speaking to another colleague who was doing a lot of the CyberArk stuff; he’s been doing the CA upgrade but hasn’t been upgrading the SCIM stuff, so we suspect maybe some dependencies were deleted and that 1.2.2 SCIM server is no longer viable.

So we are going to have to start from scratch and install the newer 1.3.5(?) SCIM server for our CA integration work…

Given what you said about the username/password authentication still being viable with the newer SCIM server, is it possible to do a similar SailPoint integration with CyberArk but using username/password instead of OAuth2?

And if the answer to that is “Yes”, then is there a similar document to the “Integrating SailPoint…” document that I linked earlier, but using username/password instead of OAuth2?

Thanks!!

Jim

For IIQ integration with CyberArk, please review the IIQ PAM Module documentation: Privileged Account Management

In IIQ the “Privileged Access Management” application type can be configured with OAuth 2.0, API Token or Basic Authentication:

So, depending on how you configured the SCIM server authentication, you can match the application config.

Paul,

Ok, I’ve downloaded the 1.3.5 SCIM Server and have passed it to someone who’ll get it installed to replace the old/non-working 1.2.2 one. Then we will do as you suggest. I am not sure exactly when we’ll get there, but I will post back here after that!!

Thanks again, esp. for your patience with all my questions!

Jim