
BlokSec provides decentralized passwordless authentication to the CyberArk Privileged Access Manager solution using either the OpenID Connect (OIDC) or the Security Assertion Markup Language (SAML) 2.0 authentication standard. BlokSec acts as an identity provider (IdP), authenticating users with strong cryptography-based digital signatures that are immutable and tamper-proof.

OIDC Configuration

BlokSec Admin UI

  1. Sign into BlokSec admin UI as a user with admin privileges for your tenant

  2. On the main dashboard, click the Add Application drop-down and select Create From Template

  3. Select CyberArk OIDC template

  4. Complete the OIDC configuration with the following values (adjusting if required to meet your desired behaviour)

    • Name: Change the name if required to meet your organizational requirements

    • Session length: Length of the authenticated session, in minutes. The default value is 60 minutes

    • Redirect URI: https://[CyberArk_PVWA_FQDN]/PasswordVault/api/Auth/OIDC/BlokSec/Token

    • Select Submit to save the configuration

  5. Once saved, click back into the newly created application to open the application configuration

  6. Click Generate App Secret, then make note of the Application ID and Application Secret as these will be required when registering your application with BlokSec

CyberArk Configuration

PVWA Settings

  1. Sign into CyberArk PVWA as a user with admin privileges

  2. Navigate to Administration > OIDC Authentication

  3. Complete the OIDC configuration with the following values (adjusting if required to meet your desired behaviour)

    • Display name (optional): Passwordless Login (change the name if required to meet your organization's requirements)

    • Provider ID: BlokSec (change the name if required to meet your organizational requirements)

    • Discovery URL: https://api.bloksec.io/oidc/.well-known/openid-configuration

    • Client ID: Enter the value of Application ID captured in step #6 from BlokSec Admin UI above

    • Client Authentication method:

      • Ensure that Basic is selected

      • Enter the value of Application Secret captured in step #6 from BlokSec Admin UI above

    • User name claim (optional): preferred_username

    • Select Enable OpenID provider

    • Select Save

  4. Navigate to Administration > Configuration options, and then select Options

    • Navigate to Access Restriction and right-click to select Add AllowedReferrer

    • Navigate to Authentication Methods and select the value of the Provider ID as entered in step #3 above, then update the properties as follows:

      • DisplayName: Passwordless (or the name of your choice)

      • Enabled: Yes

      • Select Apply and then select Ok
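The OIDC settings above (Discovery URL, Basic client authentication with the Application ID and Secret, and the Redirect URI registered in BlokSec) are the pieces PVWA uses as the relying party. The following is an added example, not CyberArk's or BlokSec's code: it checks the discovery document's issuer against the configured Discovery URL, confirms the provider accepts Basic client authentication, builds the PVWA callback URI, and shows the authorization-code exchange as it is sent to the token endpoint. The discovery document is a constructed sample, and the assumption that the callback path embeds the Provider ID is labelled in the code.

```python
import base64
import json
from urllib.parse import urlencode

DISCOVERY_URL = "https://api.bloksec.io/oidc/.well-known/openid-configuration"
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document; endpoint paths are assumptions, not BlokSec's real ones.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://api.bloksec.io/oidc",
    "authorization_endpoint": "https://api.bloksec.io/oidc/auth",
    "token_endpoint": "https://api.bloksec.io/oidc/token",
    "jwks_uri": "https://api.bloksec.io/oidc/jwks",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
})

def issuer_matches_discovery_url(discovery_json, discovery_url):
    """OIDC Discovery requires issuer + well-known path == the URL the document came from;
    a mismatch means ID tokens would carry an 'iss' the relying party should reject."""
    issuer = json.loads(discovery_json)["issuer"].rstrip("/")
    return issuer + WELL_KNOWN == discovery_url

def supports_basic_client_auth(discovery_json):
    """PVWA is set to 'Basic' client authentication, i.e. client_secret_basic;
    per the spec that is the default when the provider omits the list."""
    methods = json.loads(discovery_json).get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return "client_secret_basic" in methods

def pvwa_redirect_uri(pvwa_fqdn, provider_id="BlokSec"):
    """Callback PVWA exposes for the provider (assumed to embed the Provider ID; the default
    matches the page's value). It must equal the Redirect URI registered in BlokSec exactly."""
    return f"https://{pvwa_fqdn}/PasswordVault/api/Auth/OIDC/{provider_id}/Token"

def basic_auth_header(app_id, app_secret):
    """HTTP Basic client authentication built from the Application ID and Application Secret."""
    return "Basic " + base64.b64encode(f"{app_id}:{app_secret}".encode()).decode()

def token_request(discovery_json, code, redirect_uri, app_id, app_secret):
    """Authorization-code exchange as the relying party sends it to the token endpoint.
    Returns (url, headers, form_body) without performing any network call."""
    endpoint = json.loads(discovery_json)["token_endpoint"]
    headers = {"Authorization": basic_auth_header(app_id, app_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return endpoint, headers, body
```

If the Provider ID is changed from BlokSec, re-check that the Redirect URI registered in the BlokSec application still matches the callback PVWA actually exposes; the exchange fails on any difference.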

SAML Configuration

BlokSec Admin UI

  1. Sign into BlokSec admin UI as a user with admin privileges for your tenant

  2. On the main dashboard, click the Add Application drop-down and select Create From Template

  3. Select CyberArk (SAML) template

  4. Complete the SAML configuration with the following values (adjusting if required to meet your desired behaviour)

    • Name: Change the name if required to meet your organizational requirements

    • Assertion Consumer Service: https://[resource_name]/PasswordVault/api/auth/saml/logon

    • Name ID Format: EmailAddress (change value from drop down if not email address)

  5. Select Submit to save the configuration

  6. Select Download and save the metadata file

CyberArk Configuration

PVWA Settings

  1. Sign into CyberArk PVWA as a user with admin privileges

  2. Navigate to Administration > Configuration Options, and then select Options

    • Navigate to Access Restriction and right-click to select Add AllowedReferrer

    • Navigate to Authentication Methods > saml

      • Properties
        • DisplayName: BlokSec Passwordless (or the name of your choice)

        • Enabled: Yes

        • Select Apply and then select Ok

SAML Configuration File

  1. In the PasswordVault installation folder (the default location is \Inetpub\wwwroot\PasswordVault), make a copy of the saml.config.template file and rename the copy to saml.config

  2. Complete the SAML configuration with the following values (adjusting if required to meet your desired behaviour):

  3. Save the saml.config file

Optional – Enforce Passwordless Authentication

By default, the CyberArk Privileged Access Management solution allows users to sign in either with their username and password or with an alternative logon option. This behaviour can be changed to mandate passwordless-only logon to PVWA. Follow the steps below to enforce passwordless authentication:

  1. Sign into CyberArk PVWA as a user with admin privileges

  2. Navigate to Administration > Configuration Options, and then select Options

  3. Navigate to Authentication Methods and select an authentication method that is not SAML or OIDC, for example, windows

  4. Set the value of Properties as below:

    • Enabled: No
  5. Repeat steps #3 and #4 to disable the other authentication options