1Kosmos is listed in the CyberArk Community Marketplace and integrates with CyberArk Password Vault Web Access (PVWA) via SAML 2.0, replacing password-based privileged access with biometric login.

Integration type: Marketplace

Overview

This SAML integration is configured through CyberArk's PVWA web.config and saml.config files, where 1Kosmos IdP values are registered as the trusted identity provider.

On the 1Kosmos side, PVWA is added as a SAML service provider in the AdminX portal. Once configured, users who navigate to the PVWA URL are redirected to 1Kosmos for biometric authentication and returned to the vault interface.

For shared workstation environments, 1Kosmos extends the integration further through CyberArk vault-backed credential retrieval. Users authenticate biometrically on a shared workstation, and the 1Kosmos Windows Credential Provider retrieves the appropriate shared account credentials directly from the CyberArk vault without requiring the user to enter a password.


Prerequisites

  • Active 1Kosmos tenant: Community administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.

  • CyberArk PAS version 10.8 or later: The SAML integration is supported on CyberArk PAS V10.8.0 and above. Confirm your version before proceeding.

  • Administrator access to PVWA server: Access to the Windows server hosting PVWA is required to edit the web.config and saml.config files.

  • CyberArk Community Marketplace account: Access to community.cyberark.com to review the 1Kosmos listing and access integration resources.

  • 1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.

  • For shared workstation scenarios: The 1Kosmos Windows Workstation Credential Provider must be installed on the shared workstations, and CyberArk must be configured with shared account entries for the relevant users.


Configuration values

Values to collect from 1Kosmos AdminX (IdP) for CyberArk PVWA:

Field                                             | Where to find it
--------------------------------------------------+------------------------------------------------------------------------------------------
IdP Single Sign-On URL (IdentityProviderLoginURL) | AdminX → Settings → IdP Configuration → Single SignOn Service URL
IdP Entity ID (Issuer)                            | AdminX → Settings → IdP Configuration → Core Configuration
Signing Certificate (PEM)                         | AdminX → Settings → IdP Configuration → View Certificate → Public Key. Save as a .cert file.

Values to collect from CyberArk PVWA (SP) for AdminX:

Field        | Description
-------------+--------------------------------------------------------------------------------------------------------------------------------------
PVWA URL     | Your organization's PVWA login URL, used as the Application Access URL in AdminX
SP Entity ID | Defined in the PVWA saml.config file as the PartnerIdentityProvider Name. You set this value when configuring PVWA, then mirror it in AdminX.
ACS URL      | Typically https://[pvwa-host]/PasswordVault/api/auth/saml (confirm from your CyberArk documentation)


Integration steps

Step 1: Review the CyberArk Community Marketplace listing

  • Navigate to community.cyberark.com/marketplace and search for "1Kosmos."

  • Review the listing and download any available integration documentation or configuration templates before beginning setup.

Step 2: Configure 1Kosmos as the IdP in the PVWA web.config

  • On the Windows server hosting PVWA, locate the web.config file at the default path: C:\inetpub\wwwroot\PasswordVault\web.config

  • In the appSettings section, set UseNewSAMLSolution to Yes.

  • Set the IdentityProviderLoginURL key value to the 1Kosmos Single SignOn Service URL from AdminX.

  • Save the file.

Step 3: Configure the saml.config file

  • Locate the saml.config file at the same installation directory: C:\inetpub\wwwroot\PasswordVault\saml.config

  • Set the PartnerIdentityProvider Name to the 1Kosmos IdP Entity ID from AdminX.

  • Supply the 1Kosmos signing certificate public key in the Certificate field to allow PVWA to verify signed SAML assertions.

  • To support forced re-authentication on each PVWA session, add forceAuthn="true" to the PartnerIdentityProvider element.

  • Save the file and restart the IIS application pool for the PVWA site.
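The following script is an added example, not 1Kosmos or CyberArk code, for checking the Step 2 and Step 3 edits before the application pool is restarted. It inspects only the keys the guide names (UseNewSAMLSolution, IdentityProviderLoginURL, PartnerIdentityProvider Name, Certificate, forceAuthn). The two sample files are constructed, and the XML layout around those keys (element nesting, and whether the certificate is inline text or a FileName attribute) is an assumption; the lookups match on local element names so a default namespace in the real files does not matter.

```python
"""Audit the PVWA web.config / saml.config SAML settings from Steps 2 and 3.

Added example, not 1Kosmos or CyberArk code. Only the keys named in the
guide are checked; the element layout around them is assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the appSettings section of web.config (Step 2).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="UseNewSAMLSolution" value="Yes" />
    <add key="IdentityProviderLoginURL" value="https://idp.example.1kosmos.net/saml/sso" />
  </appSettings>
</configuration>
"""

# Constructed sample of saml.config (Step 3). Nesting is an assumption;
# the attribute names Name and forceAuthn are the ones the guide uses.
SAMPLE_SAML_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://idp.example.1kosmos.net/saml/metadata" forceAuthn="true">
      <Certificate>MIIC...placeholder-public-key...</Certificate>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
"""

# Constructed placeholder for the IdP Entity ID copied from AdminX.
EXPECTED_ISSUER = "https://idp.example.1kosmos.net/saml/metadata"


def _local(tag):
    """Strip any XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def app_settings(web_config_xml):
    """Return appSettings <add key=... value=...> entries as a dict."""
    root = ET.fromstring(web_config_xml)
    return {e.get("key"): e.get("value") for e in _find_all(root, "add") if e.get("key")}


def audit(web_config_xml, saml_config_xml, expected_issuer):
    """Return a list of findings; an empty list means the edits look consistent."""
    findings = []

    settings = app_settings(web_config_xml)
    if settings.get("UseNewSAMLSolution") != "Yes":
        findings.append("web.config: UseNewSAMLSolution must be 'Yes'")
    login = urlparse(settings.get("IdentityProviderLoginURL", ""))
    if login.scheme != "https" or not login.netloc:
        findings.append("web.config: IdentityProviderLoginURL must be an absolute https URL")

    idps = _find_all(ET.fromstring(saml_config_xml), "PartnerIdentityProvider")
    if len(idps) != 1:
        findings.append(f"saml.config: expected one PartnerIdentityProvider, found {len(idps)}")
    for idp in idps:
        if idp.get("Name") != expected_issuer:
            findings.append("saml.config: PartnerIdentityProvider Name does not match the 1Kosmos IdP Entity ID")
        # Accept either inline certificate text or a FileName reference (assumed layouts).
        certs = [c for c in _find_all(idp, "Certificate") if (c.text or "").strip() or c.get("FileName")]
        if not certs:
            findings.append("saml.config: no signing Certificate, so PVWA cannot verify assertion signatures")
        if idp.get("forceAuthn", "").lower() != "true":
            findings.append("saml.config: forceAuthn is not 'true'; an existing IdP session would be reused")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_CONFIG, SAMPLE_SAML_CONFIG, EXPECTED_ISSUER) or ["no findings"]:
        print(line)
```

To run it against a real node, read the two files from C:\inetpub\wwwroot\PasswordVault\ and pass their contents to audit() with the Entity ID copied from AdminX; running it on every PVWA node is a quick way to catch the clustered-deployment drift described under Integration notes.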

Step 4: Add PVWA as a SAML application in AdminX

  • Log in to the AdminX portal and navigate to Applications → Add Application.

  • Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.

  • Enter "CyberArk PVWA" as the Application Name, set Instance to Production, and enter the PVWA login URL as the Application Access URL. Click Next.

  • Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email.

  • Add claims mappings for email (Username), firstname (first_name), and lastname (last_name). Click Next.

  • Enter the PVWA SP Entity ID, set the ACS URL and Method to POST, enable Assertion signing, and click Save.

Step 5: Configure CyberArk authentication methods in the PVWA admin console

  • Log in to PVWA as an administrator and navigate to Administration → Configuration Options → Options.

  • Click Authentication Methods and select saml to enable SAML as an authentication method for PVWA.

  • Save the configuration.

Step 6: Test the integration

  • Navigate to the PVWA URL in a browser. You will be redirected to the 1Kosmos login screen.

  • Open the 1Kosmos mobile app, scan the QR code, and complete biometric authentication.

  • Confirm you are returned to PVWA as an authenticated user with access to the appropriate vault accounts.

  • Test with a single privileged user before enabling SAML as the default authentication method for the organization.


Attribute mappings

Source (1Kosmos) | Target (CyberArk PVWA) | Description
-----------------+------------------------+----------------------------------------------------------
user.email       | NameID (emailAddress)  | Primary identifier; must match the CyberArk user account
user.firstName   | first_name             | User first name
user.lastName    | last_name              | User last name
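As an added example (not PVWA's own logic), the script below models how the Step 4 settings and the table above apply to an assertion: the NameID must carry the emailAddress format, the issuer must be the configured PartnerIdentityProvider, the NameID must agree with the email attribute and match an existing CyberArk account, and first_name/last_name are carried through. The SAML response is constructed and unsigned; in a real deployment the signature check PVWA performs with the Step 3 certificate happens before any of this, and the user set is a stand-in for the CyberArk user directory.

```python
"""Model of the NameID and attribute mapping PVWA applies to a 1Kosmos assertion.

Added example, not PVWA's own code. Sample response is constructed and unsigned.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder for the IdP Entity ID from AdminX.
EXPECTED_ISSUER = "https://idp.example.1kosmos.net/saml/metadata"

# Constructed stand-in for the CyberArk user directory; NameID must match one of these.
PVWA_USERS = {"alice@example.com", "bob@example.com"}

# Constructed, unsigned sample of what 1Kosmos posts to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.1kosmos.net/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_assertion(xml_text):
    """Extract issuer, NameID (with format) and attributes from a response with one assertion."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    issuer = assertion.find("saml:Issuer", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else "",
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "attributes": attrs,
    }


def map_to_pvwa_user(parsed, expected_issuer, known_users):
    """Apply the Step 4 mapping; return (username, first_name, last_name) or raise ValueError."""
    if parsed["issuer"] != expected_issuer:
        raise ValueError("issuer does not match the configured PartnerIdentityProvider")
    if parsed["name_id_format"] != EMAIL_FORMAT:
        raise ValueError("NameID format is not emailAddress")
    name_id = parsed["name_id"].lower()
    if not name_id:
        raise ValueError("NameID is empty")
    # NameID Value is 'email' in Step 4, so the two must agree.
    if name_id != parsed["attributes"].get("email", "").lower():
        raise ValueError("NameID and email attribute disagree")
    # Primary identifier must match an existing CyberArk user account.
    if name_id not in known_users:
        raise ValueError("no CyberArk user account matches the NameID")
    attrs = parsed["attributes"]
    return (name_id, attrs.get("first_name", ""), attrs.get("last_name", ""))


if __name__ == "__main__":
    print(map_to_pvwa_user(parse_assertion(SAMPLE_RESPONSE), EXPECTED_ISSUER, PVWA_USERS))
```

The "must match the CyberArk user account" rule from the table is the one most often missed in Step 6 testing: an assertion that passes signature and issuer checks still fails login when the 1Kosmos email differs from the CyberArk username, which this check surfaces as an explicit error.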


Integration notes

The saml.config and web.config changes must be replicated to every Windows server hosting a PVWA instance in clustered environments.

If your deployment has multiple PVWA nodes, apply the changes to each node individually and restart the IIS application pool on each.

For shared workstation deployments using the 1Kosmos Windows Credential Provider with CyberArk vault integration, the CyberArk Proxy component can be deployed to centralize API calls from all workstations to the vault, improving throughput and reducing per-workstation configuration overhead.

See the 1Kosmos shared account documentation at docs.1kosmos.com for the full Proxy configuration guide.

Transform how you verify and authenticate

Secure onboarding, eliminate passwords, and stop fraud on one platform. Schedule a demo and see it in action.
