> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# CyberArk (SAML)

The CyberArk Identity SAML connector integrates the Maverics Orchestrator with CyberArk Identity using SAML 2.0 -- enabling enterprise single sign-on and privileged access management.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The CyberArk SAML connector uses the generic SAML connector in the Orchestrator configuration. CyberArk Identity exposes a standard SAML metadata endpoint, so no CyberArk-specific connector type is needed. For OIDC-based federation with CyberArk, see [CyberArk (OIDC)](/reference/orchestrator/identity-fabric/cyberark).

## Use Cases

* **Privileged access management** -- Extend CyberArk-managed identities to applications that lack native CyberArk support, unifying privileged and standard access under a single orchestration layer
* **Unify SSO across CyberArk and other IdPs** -- Federate SAML-based authentication with CyberArk Identity alongside other identity providers, delivering seamless access across cloud and on-premises applications
* **Legacy application modernization** -- Use SAML federation to connect CyberArk Identity with legacy applications that only support SAML or header-based authentication, without rewriting them
* **CyberArk failover with Continuity** -- Pair CyberArk Identity with a backup IdP to maintain authentication availability during CyberArk service disruptions

## Setup

<Tabs>
  <Tab title="Console UI">
    To create a CyberArk SAML connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **CyberArk (SAML)**.
    3. Enter a **Name** -- the friendly name for your CyberArk SAML provider.
    4. Enter the **Metadata URL** -- the URL of the CyberArk IdP's SAML metadata document.
    5. Enter the **Consumer Service (ACS) URL** -- the Assertion Consumer Service URL where CyberArk sends SAML responses.
    6. Enter the **Entity ID** -- the unique identifier for the Orchestrator as the SAML Service Provider.
    7. Optionally enter a **Logout Callback URL** for Single Logout (SLO) callback.
    8. Optionally enter the **SP Certificate Path** and **SP Private Key Path** for signing SAML requests.
    9. Optionally enable **IdP Initiated Login** to allow authentication flows started by CyberArk.
    10. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: cyberark-saml
        type: saml
        samlMetadataURL: "https://{{ env.CYBERARK_TENANT }}.id.cyberark.cloud/saml2/metadata"
        samlConsumerServiceURL: "https://orch.example.com/saml/callback"
        samlEntityID: "https://orch.example.com"
    ```

    ## Configuration Reference

    | Key                      | Type   | Required | Description                                               |
    | ------------------------ | ------ | -------- | --------------------------------------------------------- |
    | `name`                   | string | Yes      | Unique connector identifier referenced by app policies    |
    | `type`                   | string | Yes      | Must be `saml`                                            |
    | `samlMetadataURL`        | string | Yes      | URL to the CyberArk SAML metadata XML                     |
    | `samlConsumerServiceURL` | string | Yes      | Assertion Consumer Service (ACS) URL for SAML responses   |
    | `samlEntityID`           | string | No       | Service Provider entity ID                                |
    | `samlLogoutCallbackURL`  | string | No       | Logout callback URL for SAML single logout                |
    | `samlSPCertPath`         | string | No       | Path to the SP certificate file for signing SAML requests |
    | `samlSPKeyPath`          | string | No       | Path to the SP private key file for signing SAML requests |
    | `tls`                    | string | No       | Named TLS profile for metadata retrieval                  |

    For the complete field reference including health checks and IdP-initiated login, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the metadata URL is accessible** from the Orchestrator host -- ensure the CyberArk tenant name is correct
* **Ensure the ACS URL matches exactly** what is registered in CyberArk Identity
* **Check the entity ID** -- the `samlEntityID` must match the Service Provider identifier configured in CyberArk Identity

## Related Pages

<CardGroup cols={2}>
  <Card title="CyberArk (OIDC)" icon="vault" href="/reference/orchestrator/identity-fabric/cyberark">
    OIDC connector for CyberArk Identity
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Generic SAML" icon="file-shield" href="/reference/orchestrator/identity-fabric/custom-saml">
    Generic SAML 2.0 connector
  </Card>

  <Card title="Generic OIDC" icon="openid" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>
</CardGroup>
