SSO AuthenticationSAML 2.0
CyberArk Identity
Configure CyberArk Identity as a SAML 2.0 identity provider for Safeguard.
CyberArk Identity
- In the CyberArk Identity Admin Portal, go to Apps & Widgets → Web Apps → Add Web Apps → Custom → SAML.
- Under Trust, set SP Entity ID to the SP Entity ID Safeguard shows after Save, and Assertion Consumer Service URL to the ACS URL Safeguard shows after Save.
- Set NameID Format to Email Address, with the NameID value resolving to the user's email.
- Under SAML Response → Attributes, add an attribute named
emailresolving to the user's email — separate from the NameID Format/value setting above. - Copy the IdP Issuer URL and SSO endpoint, and download the IdP Certificate, from the app's Trust tab.
- In Safeguard, click Add Provider → SAML 2.0 → CyberArk Identity, and enter those three values.
- Assign the application to the appropriate Roles under the app's Permissions tab.
- Click Test in Safeguard to confirm.
Common errors: sign-in looping back to CyberArk usually means the NameID value variable is misconfigured (it must resolve to an actual email, not a bare username).