Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

CyberArk Identity

Configure CyberArk Identity as a SAML 2.0 identity provider for Safeguard.

CyberArk Identity

  1. In the CyberArk Identity Admin Portal, go to Apps & Widgets → Web Apps → Add Web Apps → Custom → SAML.
  2. Under Trust, set SP Entity ID to the SP Entity ID Safeguard shows after Save, and Assertion Consumer Service URL to the ACS URL Safeguard shows after Save.
  3. Set NameID Format to Email Address, with the NameID value resolving to the user's email.
  4. Under SAML Response → Attributes, add an attribute named email resolving to the user's email — separate from the NameID Format/value setting above.
  5. Copy the IdP Issuer URL and SSO endpoint, and download the IdP Certificate, from the app's Trust tab.
  6. In Safeguard, click Add Provider → SAML 2.0 → CyberArk Identity, and enter those three values.
  7. Assign the application to the appropriate Roles under the app's Permissions tab.
  8. Click Test in Safeguard to confirm.

Common errors: sign-in looping back to CyberArk usually means the NameID value variable is misconfigured (it must resolve to an actual email, not a bare username).

On this page