Integrating Single Sign-On (SSO) with your enterprise platform is a critical step in ensuring seamless access and enhanced security for your users. CyberArk Identity, a comprehensive identity and access management solution with industry-leading privileged access capabilities, offers robust SSO functionality that enables organizations to secure and streamline authentication across their entire application ecosystem.
At Goodworld, we've built our platform to seamlessly integrate with CyberArk Identity SSO, ensuring a smooth and secure user experience. Here are the best practices for using and configuring the CyberArk integration.
1. Understand the Basics of CyberArk Identity SSO
Before diving into the configuration, it's essential to understand the fundamental concepts of CyberArk Identity SSO:
CyberArk Identity: The cloud-based identity and access management platform that provides comprehensive identity governance and privileged access management.
SSO: Allows users to sign in once and access multiple applications without having to re-authenticate.
OpenID Connect: Industry-standard protocol supported by CyberArk Identity for secure SSO integrations.
Adaptive Authentication: CyberArk's risk-based authentication that adjusts security requirements based on user behavior and context.
Privileged Access Integration: Seamless integration with CyberArk's privileged access management capabilities for enhanced security.
2. Prepare Your CyberArk Identity Environment
Set Up Your CyberArk Identity Tenant: If you don't have a CyberArk Identity tenant, contact CyberArk to establish your cloud environment.
Configure Your Domain: Ensure your organization's domain is properly configured and verified in CyberArk Identity.
Review User Directory: Confirm that your user directory (Active Directory, LDAP, or cloud directory) is properly synchronized with CyberArk Identity.
Security Policies: Review and configure your organization's authentication and authorization policies within CyberArk Identity.
3. Register the Goodworld Application
Navigate to CyberArk Identity Admin Portal: Access your CyberArk Identity administrative dashboard.
Create New Web Application: Go to "Applications" and select "Add Web Apps" then "Custom".
Enter Application Details:
Application Name: "Goodworld Platform"
Description: "Goodworld SSO integration for secure access"
Application URL: Your Goodworld platform URL
Logo: Upload your organization's logo (optional)
Configure Authentication Settings:
Authentication Method: OIDC (OpenID Connect)
Grant Types: Authorization Code
Response Types: Code
Post Logout Redirect URI: https://api.cheerfulgiving.com/logout/success
Set Up User Attributes: Configure the user claims that will be passed to Goodworld:
Email (required)
Given Name
Family Name
Unique Name
Groups (if using role-based access)
Configure Security Settings:
Token Lifetime: Set appropriate access and refresh token lifetimes
PKCE: Enable Proof Key for Code Exchange for enhanced security
Client Authentication: Configure client secret authentication
Collect Configuration Details: Document the following values:
Client ID
Client Secret
Tenant URL
Authorization Endpoint
Token Endpoint
UserInfo Endpoint
JWKS URI
4. Configure the Goodworld Platform
Access SSO Settings: In your Goodworld admin dashboard, navigate to the SSO configuration section.
Enter CyberArk Identity Details: Provide the configuration details from your CyberArk Identity setup:
Client ID
Client Secret
Tenant URL
Authorization Endpoint: https://[tenant].id.cyberark.cloud/oauth2/authorize
Token Endpoint: https://[tenant].id.cyberark.cloud/oauth2/token
UserInfo Endpoint: https://[tenant].id.cyberark.cloud/oauth2/userinfo
Configure Attribute Mapping: Map CyberArk Identity user attributes to Goodworld user fields:
Email → User Email
Given Name → First Name
Family Name → Last Name
Unique Name → User ID
Groups → User Roles (if applicable)
Enable SSO: Activate the CyberArk Identity SSO integration and save your configuration.
NOTE: 4.1 Using CyberArk Identity User Portal
If users will access Goodworld through the CyberArk Identity User Portal, additional configurations are required:
In Goodworld:
Enter a "Login Redirect URL" - this is where users will land when accessing Goodworld through the CyberArk Identity portal
Under "Fields to copy into CyberArk Identity", copy the value of "Application Launch URL"
In CyberArk Identity:
In the application configuration, update the "Launch URL" with the value copied from Goodworld
Configure the application icon and description for optimal user portal experience
Set appropriate application permissions and user assignments
5. Test the Integration
Perform Comprehensive Testing: Conduct thorough testing with multiple test scenarios:
Test SSO login flow from Goodworld login page
Test login through CyberArk Identity User Portal (if configured)
Verify user attributes are correctly mapped and populated
Test logout functionality and session termination
Validate Adaptive Authentication: If enabled, test various authentication scenarios:
Login from trusted devices and locations
Login attempts that trigger step-up authentication
Risk-based authentication flows
Troubleshoot Common Issues: Address potential problems such as:
Incorrect redirect URIs or endpoints
Missing or incorrectly mapped user attributes
Certificate validation errors
Token expiration and refresh issues
Network connectivity problems
6. Monitor and Maintain
Regular Security Audits: Periodically review your SSO configuration and CyberArk Identity settings:
Verify security policies remain current
Review user access patterns and permissions
Audit authentication logs for anomalies
User Lifecycle Management: Establish robust processes for:
User provisioning and deprovisioning
Role and permission management
Account lifecycle automation between CyberArk Identity and Goodworld
Security Best Practices:
Enable multi-factor authentication (MFA) with CyberArk's adaptive authentication
Implement risk-based authentication policies
Regularly rotate client secrets and certificates
Monitor privileged user activities
Keep security policies updated based on threat intelligence
Performance Optimization: Monitor and optimize:
SSO authentication response times
Token refresh processes
User experience metrics
7. Advanced Configuration Options
Adaptive Authentication Policies: Configure sophisticated risk-based authentication:
Device trust policies
Geolocation-based access controls
Time-based access restrictions
Behavioral analytics integration
Privileged Access Integration: Leverage CyberArk's privileged access capabilities:
Just-in-time privileged access for administrative functions
Session recording and monitoring for privileged operations
Automated privilege elevation workflows
Zero Trust Implementation: Utilize CyberArk's Zero Trust capabilities:
Continuous authentication verification
Context-aware access decisions
Micro-segmentation support
API Security: Implement secure API access patterns:
OAuth 2.0 token-based API authentication
API rate limiting and monitoring
Secure service-to-service communication
8. Documentation and Support
Comprehensive Documentation: Maintain detailed records of your SSO implementation:
Complete configuration steps and settings
Custom attribute mappings and business rules
Security policies and access controls
Troubleshooting procedures and solutions
Emergency access procedures
Leverage Support Resources:
Utilize Goodworld's support team for platform-specific integration questions
Access CyberArk's extensive documentation and professional services
Engage with CyberArk's customer success team for optimization guidance
Participate in CyberArk's user community and training programs
User Education and Training:
Provide comprehensive user training on the new SSO experience
Create documentation for common user scenarios
Establish help desk procedures for SSO-related issues
Conclusion
Integrating CyberArk Identity SSO with Goodworld creates a powerful combination that significantly enhances both user experience and security posture. By following these best practices, you establish a robust, enterprise-grade authentication system that leverages CyberArk's advanced identity and privileged access management capabilities.
The integration provides your organization with adaptive security controls, comprehensive audit capabilities, and seamless user experiences while maintaining the highest levels of security. Regular monitoring, maintenance, and security reviews will ensure your SSO integration continues to meet evolving security requirements and business needs.
CyberArk's identity-first security approach, combined with Goodworld's platform capabilities, creates a secure foundation that enables your organization to confidently pursue its mission while protecting against sophisticated cyber threats.
For more detailed guidance and personalized support with your CyberArk Identity integration, feel free to schedule a chat with our success team.
Happy integrating!