
CyberArk

The CyberArk integration supports both CyberArk Identity (cloud SSO/MFA) and CyberArk Privileged Access Manager (PAM/Vault) as a SAML 2.0 identity provider for biometric authentication.

Integration type

Auth/IDP

Overview

1Kosmos integrates with CyberArk across two primary product lines: CyberArk Identity (formerly Idaptive), which is a cloud-based identity platform for SSO and MFA, and CyberArk Privileged Access Manager (PAM), which includes the CyberArk Vault and PVWA for managing privileged credentials. Both support SAML 2.0 for external identity provider integration.

What we solve

CyberArk customers need stronger assurance that privileged users accessing Identity or PAM/Vault resources are the legitimate individuals—not someone using stolen credentials—and need a way to trigger re-verification for high-risk privileged actions. This integration configures 1Kosmos as the SAML 2.0 identity provider for CyberArk Identity and/or PVWA so users authenticate biometrically, with optional NIST IAL2 identity verification escalation via RequestedAuthnContext for sensitive privileged access requests.

For CyberArk Identity, 1Kosmos is configured as the SAML identity provider through the CyberArk Identity Administration portal. For CyberArk PAM / PVWA, SAML authentication is configured by modifying the SAML configuration files on the PAM server. In both cases, 1Kosmos biometric authentication replaces the password at login, and the IDV capability allows organizations to trigger identity re-verification for high-risk privileged access requests using the SAML RequestedAuthnContext mechanism.

1Kosmos delivers NIST IAL2-level identity assurance when IDV is configured, ensuring the user behind a privileged session is the verified individual enrolled in the system.


Prerequisites

  • Active 1Kosmos tenant: Administrator access to the AdminX portal with IDV enabled if identity verification is required. Contact 1kosmos.com/contact if not yet provisioned.

  • CyberArk Identity or PAM administrator access: Admin rights to the CyberArk Identity Administration portal (for CyberArk Identity) or PVWA system administrator access (for CyberArk PAM).

  • CyberArk PAM version compatibility: SAML SSO for PVWA requires CyberArk PAM 11.3 or later. Confirm your version supports SAML from CyberArk documentation at docs.cyberark.com.

  • User accounts in both systems: Users must exist in both 1Kosmos and the CyberArk product with matching email addresses before testing.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for CyberArk:

Field                      Where to find it
SAML Metadata URL or XML   AdminX → Settings → IdP Configuration → Metadata URL
SSO URL                    AdminX → Settings → IdP Configuration → Single SignOn Service URL
IdP Entity ID              AdminX → Settings → IdP Configuration → Core Configuration
Signing Certificate (PEM)  AdminX → Settings → IdP Configuration → View Certificate → Public Key

Values to collect from CyberArk (SP) for AdminX:

Product              Where to find SP values
CyberArk Identity    CyberArk Identity Admin Portal → Apps → Add Web Apps → Custom (SAML) → Trust tab → Service Provider Entity ID and ACS URL fields
CyberArk PAM (PVWA)  PVWA SAML configuration files (saml.config or web.config) or the CyberArk Identity connector configuration. Contact CyberArk support for SP metadata if needed.


Integration steps

Step 1: Add 1Kosmos as a SAML application in CyberArk Identity

  • Log in to the CyberArk Identity Administration portal and navigate to Apps.

  • Click Add Web Apps and select Custom → SAML. Enter "1Kosmos" as the application name.

  • On the Trust tab, select Identity Provider Configuration and choose Metadata. Paste the 1Kosmos metadata URL or upload the metadata XML file.

  • Note the Service Provider Entity ID and ACS URL displayed on the Trust tab for use in AdminX.

  • Configure attribute mappings under the SAML Response tab: map email to the SAML_SUBJECT, first name to FirstName, and last name to LastName. Save the application.

Step 2: Configure CyberArk PAM PVWA for SAML (PAM deployments)

  • On the CyberArk PAM server, navigate to the PVWA installation directory and locate the SAML configuration file (typically saml.config or configured via the PVWA web.config).

  • Enter the 1Kosmos SSO URL as the IdP SSO endpoint, the 1Kosmos Entity ID as the IdP Issuer, and install the 1Kosmos signing certificate as the trusted IdP certificate.

  • Set the SP Entity ID and ACS URL to the PVWA SAML endpoint values. These are typically in the format https://[pvwa-hostname]/PasswordVault/SAML.

  • Restart the PVWA service after saving the configuration.

Step 3: Add CyberArk as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter "CyberArk Identity" or "CyberArk PAM" as the Application Name and the CyberArk login URL as the Application Access URL. Click Next.

  • Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email, FirstName, and LastName. Click Next.

  • Enter the CyberArk SP Entity ID and ACS URL. Enable Assertion signing and click Save.

Step 4: Configure IDV (optional, for identity re-verification)

  • In AdminX, navigate to the CyberArk SAML application and edit the Claims Mapping section.

  • Add an ial claim mapped to the IAL ledger attribute to support identity assurance level signaling.

  • On the CyberArk side, configure the application or policy to include a RequestedAuthnContext with urn:oasis:names:tc:SAML:2.0:ac:classes:IAL2 when triggering an identity re-verification step for sensitive privileged actions.

Step 5: Test the integration

  • Navigate to the CyberArk Identity portal or PVWA login page and initiate SSO login.

  • Confirm you are redirected to 1Kosmos. Authenticate biometrically using the 1Kosmos mobile app.

  • Confirm you are returned to CyberArk with appropriate role assignments and privileged access entitlements.


Attribute mappings

Source (1Kosmos)   Target (CyberArk)      Description
user.email         SAML_SUBJECT / NameID  Primary user identifier
user.firstName     FirstName              User first name
user.lastName      LastName               User last name
ial (optional)     IAL claim              Identity assurance level for IDV re-verification triggers
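Step 4 above relies on the SAML RequestedAuthnContext mechanism, and this table defines what the assertion must carry back. The following added example (not 1Kosmos or CyberArk code) shows both halves from the service-provider side: an AuthnRequest that asks for the IAL2 class with exact comparison, and the checks an SP must apply to the Response before trusting it, including that the AuthnContextClassRef actually returned is the one requested rather than whatever the IdP chose. Signature verification is deliberately out of scope (CyberArk performs it on real traffic); the entity IDs, URLs, the unsigned SAMPLE_RESPONSE and the `ial` value "2" are constructed placeholders, while the IAL2 class URI, the NameID format and the attribute names come from the steps above.

```python
"""Request an IAL2 authentication context and check what the IdP returned.

Added example, not 1Kosmos or CyberArk code. Signature validation is assumed
to have happened already; all identifiers and the Response XML are constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

IAL2 = "urn:oasis:names:tc:SAML:2.0:ac:classes:IAL2"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# CyberArk target -> SAML attribute name, as in the attribute mapping table.
ATTRIBUTE_MAP = {"FirstName": "FirstName", "LastName": "LastName", "IAL": "ial"}
SP_ENTITY_ID = "https://pvwa.example.com/PasswordVault"  # constructed placeholder


def build_authn_request(request_id, sp_entity_id, acs_url, idp_sso_url,
                        issue_instant, class_ref=None):
    """Return an AuthnRequest; class_ref adds an exact-match RequestedAuthnContext."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": EMAIL_FORMAT, "AllowCreate": "false"})
    if class_ref:
        rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(response_xml, sp_entity_id, request_id, now, required_class=None):
    """Validate an already signature-verified Response; return the mapped identity."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success (e.g. requested context not met)")
    if root.get("InResponseTo") != request_id:  # bind the response to our request
        raise ValueError("response does not answer the request we sent")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise ValueError("no Assertion in response")
    cond = a.find("saml:Conditions", NS)
    now_dt = _utc(now)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now_dt < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != sp_entity_id:
        raise ValueError("assertion was issued for a different audience")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    ref = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = ref.text.strip() if ref is not None and ref.text else None
    if required_class is not None and ctx != required_class:
        # The IdP may downgrade; a re-verification step must not accept that silently.
        raise ValueError(f"requested {required_class} but assertion carries {ctx}")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {"subject": name_id.text, "authn_context": ctx,
            "attributes": {t: attrs.get(n) for t, n in ATTRIBUTE_MAP.items()}}


# Constructed, unsigned sample Response answering request "_req-1".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:05Z" InResponseTo="_req-1">
  <saml:Issuer>https://idp.example-tenant.1kosmos.net/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>https://idp.example-tenant.1kosmos.net/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://pvwa.example.com/PasswordVault</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:04Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:IAL2</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="ial"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_authn_request("_req-1", SP_ENTITY_ID, SP_ENTITY_ID + "/SAML",
                              "https://idp.example-tenant.1kosmos.net/saml/sso",
                              "2024-01-01T12:00:00Z", class_ref=IAL2))
    print(check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, "_req-1",
                         "2024-01-01T12:00:10Z", required_class=IAL2))
```

Two design points are worth noting. `Comparison="exact"` in the request means the IdP should either return the IAL2 class or fail the request, and `check_response` enforces the same rule on the way back, so a re-verification step cannot be satisfied by an ordinary login assertion. The `ial` attribute is carried alongside the class reference because the two serve different consumers: the AuthnContextClassRef drives the SAML-level decision, while the mapped IAL claim is what downstream policy and audit logging in CyberArk see.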


Integration notes

CyberArk Identity and CyberArk PAM are separate products with distinct SAML configuration paths.

If your organization uses both, each requires its own SAML application entry in AdminX. For CyberArk PAM, the PVWA SAML configuration is file-based and requires a server restart after changes, which distinguishes it from the cloud-based CyberArk Identity configuration.

The IDV capability allows organizations to escalate authentication assurance for sensitive privileged operations without requiring a separate product deployment; the same 1Kosmos session handles both standard login and re-verification flows.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
