The CyberArk Identity SAML connector integrates the Maverics Orchestrator with CyberArk Identity using SAML 2.0 — enabling enterprise single sign-on and privileged access management.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The CyberArk SAML connector uses the generic SAML connector in the Orchestrator configuration. CyberArk Identity exposes a standard SAML metadata endpoint, so no CyberArk-specific connector type is needed. For OIDC-based federation with CyberArk, see CyberArk (OIDC).

Use Cases

  • Privileged access management — Extend CyberArk-managed identities to applications that lack native CyberArk support, unifying privileged and standard access under a single orchestration layer
  • Unify SSO across CyberArk and other IdPs — Federate SAML-based authentication with CyberArk Identity alongside other identity providers, delivering seamless access across cloud and on-premises applications
  • Legacy application modernization — Use SAML federation to connect CyberArk Identity with legacy applications that only support SAML or header-based authentication, without rewriting them
  • CyberArk failover with Continuity — Pair CyberArk Identity with a backup IdP to maintain authentication availability during CyberArk service disruptions

Configuration

To create a CyberArk SAML connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select CyberArk (SAML).
  3. Enter a Name — the friendly name for your CyberArk SAML provider.
  4. Enter the Metadata URL — the URL of the CyberArk IdP’s SAML metadata document.
  5. Enter the Consumer Service (ACS) URL — the Assertion Consumer Service URL where CyberArk sends SAML responses.
  6. Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
  7. Optionally enter a Logout Callback URL for Single Logout (SLO).
  8. Optionally enter the SP Certificate Path and SP Private Key Path for signing SAML requests.
  9. Optionally enable IdP Initiated Login to allow authentication flows started by CyberArk.
  10. Click Save.

Troubleshooting

  • Verify the metadata URL is accessible from the Orchestrator host — ensure the CyberArk tenant name is correct
  • Ensure the ACS URL matches exactly what is registered in CyberArk Identity
  • Check the entity ID — the samlEntityID must match the Service Provider identifier configured in CyberArk Identity
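
The three checks above can be run as a pre-flight script before saving the connector. This is an added example, not Maverics or CyberArk code: the function names are hypothetical, the metadata document is a constructed sample with placeholder values, and it assumes the metadata endpoint returns a single EntityDescriptor.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample IdP metadata: placeholder host and certificate value.
# Metadata fetched over the network should go through a hardened parser (e.g. defusedxml).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/tenant">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return the problems that would stop an SP from using this IdP metadata."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["not well-formed XML (HTML error or login page?)"]
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is not md:EntityDescriptor"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor: not IdP metadata"]
    problems = []
    if not idp.findall("md:SingleSignOnService", NS):
        problems.append("no SingleSignOnService endpoint")
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    if not any(k.get("use") in (None, "signing") for k in idp.findall("md:KeyDescriptor", NS)):
        problems.append("no signing certificate")
    return problems

def explain_mismatch(configured, registered):
    """Compare byte for byte; return None on a match, else the likely cause."""
    if configured == registered:
        return None
    if configured.rstrip("/") == registered.rstrip("/"):
        return "trailing slash differs"
    if configured.lower() == registered.lower():
        return "letter case differs"
    c, r = urlsplit(configured), urlsplit(registered)
    if c.scheme != r.scheme and configured[len(c.scheme):] == registered[len(r.scheme):]:
        return "scheme differs"
    return "values differ"
```

Pass the body returned by the Metadata URL to `check_idp_metadata`, and call `explain_mismatch` once for the ACS URL and once for the entity ID, with the Orchestrator value first and the value registered in CyberArk Identity second.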