Overview
The enterprise IdP (Okta, Entra ID, Ping) authenticates all users—including privileged administrators. CyberArk enforces privileged access workflows, vault policy, and session controls. Integrating these systems ensures that:
- Privileged users authenticate through enterprise identity — same MFA, same risk signals, same audit trail
- Session context follows the user — the SOC can trace privileged actions back to an enterprise identity
- Lifecycle events propagate — when someone loses privileged access in IGA, it's reflected in CyberArk
Why this matters: Without integration, CyberArk becomes an identity island. Administrators have separate credentials, bypass enterprise MFA, and leave audit gaps. The SOC sees "admin@cyberark-local" instead of "jane.doe@company.com" in logs, breaking incident correlation.
The integration patterns here connect your IdP to CyberArk for authentication, connect IGA for lifecycle governance, and connect SIEM for unified audit.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| PVWA authentication | Local accounts / LDAP / SAML SSO / OIDC | SAML SSO via enterprise IdP | Local accounts for break-glass only |
| MFA enforcement | CyberArk MFA / IdP MFA | IdP MFA (step-up for privileged access) | Single MFA experience; leverage risk signals |
| PSM authentication | Transparent (vault creds) / Challenge-response | Transparent (user never sees privileged cred) | CyberArk injects credential; user authenticated via IdP |
| Lifecycle provisioning | Manual / IGA-driven / Directory-driven | IGA-driven (SailPoint provisions CyberArk safe access) | Governance trail for who can access what |
| Safe membership | Manual / Group-based / Role-based | Role-based from IGA (SailPoint role → CyberArk safe) | Enables certification of privileged access |
| SIEM integration | Syslog only / CEF / API enrichment | CEF/syslog + API enrichment for context | Correlate CyberArk events with enterprise identity |
| Break-glass | IdP-authenticated / Local accounts | Local accounts with documented procedure | Break-glass must work when IdP is down |
Architecture & Reference Patterns
Pattern 1: SSO Integration with Enterprise IdP
Pattern 2: IGA-Driven Lifecycle
Pattern 3: SIEM Correlation
Integration Matrix
| Integration Point | Protocol/Method | Data Flow | Purpose |
|---|---|---|---|
| IdP → PVWA | SAML 2.0 / OIDC | Identity assertion | SSO for PVWA access |
| IdP → PVWA | MFA challenge | Step-up authentication | Strong auth for privileged access |
| IGA → CyberArk | SCIM / API / Connector | Safe membership | Lifecycle governance |
| IGA → CyberArk | Certification | Access review | Periodic validation of privileged access |
| CyberArk → SIEM | Syslog (CEF) | Audit events | Centralized logging |
| PSM → SIEM | Recording metadata / Alerts | Session info | Privileged activity monitoring |
| SIEM → IGA | Risk signals | Adaptive response | Risk-based governance |
Implementation Approach
Phase 0: Discovery (2-3 weeks)
Inputs: Current IdP config, current CyberArk config, SIEM architecture
Activities:
- Document current CyberArk authentication method
- Assess IdP SAML/OIDC capabilities for CyberArk
- Inventory CyberArk safes and current membership management
- Map audit requirements and SIEM integration status
- Identify break-glass procedures
Outputs: Current-state assessment, integration requirements
Phase 1: SSO Integration (3-4 weeks)
Inputs: IdP access, CyberArk PVWA access
Activities:
- Configure SAML/OIDC application in IdP for CyberArk
- Configure CyberArk PVWA for SSO authentication
- Configure MFA step-up policies in IdP for CyberArk access
- Test SSO flow end-to-end
- Configure break-glass local accounts
Outputs: Working SSO integration, MFA enforcement
Phase 2: Lifecycle Integration (4-6 weeks)
Inputs: IGA (SailPoint) access, CyberArk API access
Activities:
- Design role-to-safe mapping
- Configure SailPoint → CyberArk connector or API integration
- Build provisioning workflows for safe membership
- Configure certification campaigns for privileged access
- Test lifecycle events (grant, revoke, termination)
Outputs: IGA-driven safe membership, certification campaigns
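The reconciliation step behind the Phase 2 workflows, as an added example that is not part of this page, SailPoint, or CyberArk: expand the role-to-safe mapping into desired safe membership, diff it against what the vault reports, and turn the diff into PVWA REST calls. The role map, IGA assignments and current membership are constructed samples; `breakglass-admin` and `PasswordManager` are assumed names for members the sync must never touch; the REST paths follow CyberArk's published PVWA API (`POST .../API/Safes/{safe}/Members/`, `DELETE .../API/Safes/{safe}/Members/{member}/`) and, together with the `searchIn` value and permission set, must be confirmed against your PVWA version and safe design.

```python
"""Reconcile IGA role assignments against CyberArk safe membership.

Added example for this page, not SailPoint or CyberArk code. All data below
is a constructed sample; REST paths follow CyberArk's published PVWA API and
should be verified against your PVWA version.
"""
from urllib.parse import quote

# Role -> safes, as designed in Phase 2 (constructed sample)
ROLE_TO_SAFE = {
    "linux-admin": ["Linux-Prod"],
    "dba": ["Oracle-Prod", "Linux-Prod"],
}

# What IGA says today: user -> roles (constructed sample; sam.ng was terminated)
IGA_ASSIGNMENTS = {
    "jane.doe@company.com": {"linux-admin", "dba"},
    "bob.lee@company.com": {"linux-admin"},
    "sam.ng@company.com": set(),
}

# What CyberArk currently reports: safe -> members (constructed sample)
CURRENT_MEMBERS = {
    "Linux-Prod": {"jane.doe@company.com", "bob.lee@company.com",
                   "sam.ng@company.com", "breakglass-admin"},
    "Oracle-Prod": {"sam.ng@company.com"},
}

# Only safes that IGA owns are reconciled; everything else is left alone.
MANAGED_SAFES = {safe for safes in ROLE_TO_SAFE.values() for safe in safes}
# Members the sync must never add or remove (assumed names: break-glass user and CPM user)
PROTECTED_MEMBERS = {"breakglass-admin", "PasswordManager"}

# Minimal "use only" permission set for an end user (cannot manage the safe or its members)
USER_PERMISSIONS = {"useAccounts": True, "retrieveAccounts": True, "listAccounts": True}


def desired_membership(assignments, role_to_safe):
    """Expand user -> roles into safe -> users using the role-to-safe map."""
    desired = {}
    for user, roles in assignments.items():
        for role in roles:
            for safe in role_to_safe.get(role, []):
                desired.setdefault(safe, set()).add(user)
    return desired


def reconcile(desired, current, managed_safes, protected):
    """Return (grants, revokes) as sorted (safe, user) lists, never touching protected members."""
    grants, revokes = [], []
    for safe in sorted(managed_safes):
        want = desired.get(safe, set()) - protected
        have = current.get(safe, set()) - protected
        grants += [(safe, user) for user in sorted(want - have)]
        revokes += [(safe, user) for user in sorted(have - want)]
    return grants, revokes


def build_requests(grants, revokes, base_url):
    """Translate the diff into (method, url, json_body) tuples for the PVWA REST API.

    Revokes come first so that time-to-revoke is not delayed by grants.
    """
    requests = []
    for safe, user in revokes:
        requests.append((
            "DELETE",
            f"{base_url}/PasswordVault/API/Safes/{quote(safe, safe='')}/Members/{quote(user, safe='')}/",
            None,
        ))
    for safe, user in grants:
        requests.append((
            "POST",
            f"{base_url}/PasswordVault/API/Safes/{quote(safe, safe='')}/Members/",
            # searchIn is "Vault" for vault-local users; use the directory name for
            # LDAP-backed identities (assumption: adjust to your setup)
            {"memberName": user, "searchIn": "Vault", "memberType": "User",
             "permissions": USER_PERMISSIONS},
        ))
    return requests


if __name__ == "__main__":
    desired = desired_membership(IGA_ASSIGNMENTS, ROLE_TO_SAFE)
    grants, revokes = reconcile(desired, CURRENT_MEMBERS, MANAGED_SAFES, PROTECTED_MEMBERS)
    for method, url, body in build_requests(grants, revokes, "https://pvwa.company.com"):
        print(method, url, body or "")
```

Sending the requests is left to the caller, which must attach the PVWA session token in the `Authorization` header and log every grant and revoke so the certification campaign has a trail; the diff itself is what you monitor for the "lifecycle sync success" KPI.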
Phase 3: SIEM Integration (3-4 weeks)
Inputs: SIEM access, CyberArk syslog configuration
Activities:
- Configure CyberArk syslog forwarding (CEF format)
- Build SIEM parsing and normalization
- Create correlation rules (IdP sign-in → CyberArk access → target action)
- Build privileged access dashboards
- Configure alerting for anomalies
Outputs: Correlated privileged access visibility, alerting
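The correlation rule from Phase 3 (IdP sign-in → CyberArk access → target action), as an added example that is not part of this page or of any vendor's product: parse CyberArk CEF events, look up the most recent enterprise IdP sign-in for the same identity, and tag each privileged action as correlated, missing MFA, coming from a different source IP, or having no IdP sign-in at all (the "identity island" case from the overview). Both event sets are constructed samples. The CEF lines follow the header/extension layout of CyberArk's syslog translator (`suser` = vault user, `duser`/`dhost` = target account and host, `cs2` = safe name), but the key names and the ISO-formatted `rt` timestamp are assumptions to check against real translator output; the IdP sign-in records use an illustrative schema, not a specific vendor's; `@company.com` is the assumed enterprise UPN suffix.

```python
"""Correlate CyberArk CEF audit events with enterprise IdP sign-ins.

Added example for this page, not CyberArk or SIEM-vendor code. Both event
sets are constructed samples; CEF key names and the 'rt' format must be
checked against real output from your syslog translator.
"""
import re
from datetime import datetime, timedelta

IDP_SIGNINS = [  # constructed sample
    {"user": "jane.doe@company.com", "time": "2024-05-01T09:00:00", "mfa": True,  "ip": "10.1.2.3"},
    {"user": "bob.lee@company.com",  "time": "2024-05-01T09:05:00", "mfa": False, "ip": "10.1.2.9"},
]

CYBERARK_CEF = [  # constructed sample
    "CEF:0|CyberArk|Vault|12.6|295|Retrieve password|5|rt=2024-05-01T09:03:10 suser=jane.doe@company.com "
    "cs2Label=Safe Name cs2=Linux-Prod duser=root dhost=db01.corp.local app=PSM src=10.1.2.3",
    "CEF:0|CyberArk|Vault|12.6|295|Retrieve password|5|rt=2024-05-01T09:06:00 suser=bob.lee@company.com "
    "cs2Label=Safe Name cs2=Windows-Prod duser=Administrator dhost=dc01.corp.local app=PVWA src=10.1.2.9",
    "CEF:0|CyberArk|Vault|12.6|295|Retrieve password|5|rt=2024-05-01T11:40:00 suser=breakglass-admin "
    "cs2Label=Safe Name cs2=Root-Vault duser=root dhost=vault01.corp.local app=PVWA src=10.9.9.9",
]

ENTERPRISE_DOMAIN = "@company.com"  # assumed UPN suffix for enterprise identities
# key=value pairs; a value runs until the next " key=" so values may contain spaces
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its 7 header fields and an extension dict (splits on unescaped '|')."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    _, vendor, product, version, sig_id, name, severity, ext = parts
    return {
        "vendor": vendor, "product": product, "version": version,
        "signature_id": sig_id, "name": name, "severity": severity,
        "ext": dict(EXT_KV.findall(ext)),
    }


def latest_signin(user, at, signins, window):
    """Most recent IdP sign-in for `user` within `window` before `at`, or None."""
    best = None
    for s in signins:
        if s["user"].lower() != user.lower():
            continue
        t = datetime.fromisoformat(s["time"])
        if timedelta(0) <= at - t <= window and (best is None or t > datetime.fromisoformat(best["time"])):
            best = s
    return best


def correlate(cef_lines, signins, window=timedelta(minutes=30)):
    """Tag each vault event with the IdP context it should have, in input order."""
    findings = []
    for line in cef_lines:
        ev = parse_cef(line)
        ext = ev["ext"]
        user = ext.get("suser", "")
        at = datetime.fromisoformat(ext["rt"])
        signin = latest_signin(user, at, signins, window)
        if signin is None:
            status = "no_idp_signin"   # local or break-glass account, or an SSO bypass
        elif not signin["mfa"]:
            status = "no_mfa"          # step-up policy did not apply to this sign-in
        elif signin["ip"] != ext.get("src"):
            status = "ip_mismatch"     # vault reached from a different host than the IdP saw
        else:
            status = "ok"
        findings.append({
            "user": user,
            "enterprise_identity": user.lower().endswith(ENTERPRISE_DOMAIN),
            "safe": ext.get("cs2"),
            "target": f"{ext.get('duser')}@{ext.get('dhost')}",
            "action": ev["name"],
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(CYBERARK_CEF, IDP_SIGNINS):
        print(f"{f['status']:14} {f['user']:24} -> {f['target']} (safe {f['safe']})")
```

Anything other than `ok` is an alert candidate: `no_idp_signin` on an identity outside the enterprise domain is a break-glass use that needs the documented justification, `no_mfa` means the step-up policy has a gap, and `ip_mismatch` is worth a look before the session recording is reviewed. The join key is the user principal, which is why the "consistent identifiers" mitigation in the risk table matters: if PVWA reports a vault-local name rather than the UPN, the join silently fails.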
Phase 4: Operate (Ongoing)
Activities:
- Monitor SSO and provisioning health
- Review and tune SIEM alerts
- Conduct privileged access certifications
- Test break-glass procedures periodically
- Update integrations as platforms evolve
Deliverables
- SSO integration architecture — IdP → CyberArk authentication flow
- MFA policy document — step-up requirements for privileged access
- Lifecycle integration design — IGA → CyberArk safe membership
- SIEM correlation rules — privileged access detection and alerting
- Break-glass procedure — documented, tested emergency access
- Audit correlation guide — how to trace privileged activity to enterprise identity
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| IdP outage blocks privileged access | L | H | All PVWA access fails | Break-glass local accounts; tested procedure |
| SSO misconfiguration | M | M | Authentication failures; lockouts | Thorough testing; staged rollout |
| Lifecycle sync failures | M | H | Access not granted/removed | Monitoring; retry logic; manual fallback |
| SIEM correlation gaps | M | M | Can't trace activity to identity | Consistent identifiers; correlation testing |
| MFA fatigue | M | L | Users complain; seek workarounds | Risk-based MFA; tune step-up triggers |
| Break-glass overuse | L | M | High break-glass frequency | Monitor usage; investigate root causes |
KPIs / Outcomes
- SSO adoption: % of PVWA authentications via SSO (target: greater than 99%; break-glass is the only exception)
- MFA enforcement: % of privileged access with MFA (target: 100%)
- Lifecycle sync success: % of IGA changes reflected in CyberArk (target: greater than 99%)
- SIEM correlation rate: % of privileged sessions traceable to enterprise identity (target: 100%)
- Time to revoke: Time from IGA revocation to CyberArk access removal (target: fewer than 15 minutes)
- Break-glass usage: Frequency per month (target: fewer than 5, with documented justification)
Workshop Questions
Security / IAM
- What's the current PVWA authentication method? Is it integrated with the enterprise IdP?
- What MFA requirements exist for privileged access?
- How is privileged access currently certified or reviewed?
CyberArk / PAM Team
- How are safe memberships managed today (manual, group-based, API)?
- What's the break-glass procedure when the IdP is down?
- What SIEM integration exists for CyberArk logs?
SOC / Security Operations
- Can you correlate CyberArk events with enterprise identity today?
- What privileged access anomalies should trigger alerts?
- What's the incident response process for suspicious privileged activity?
Requirements Gathering Checklist
- What IdP is in use (Okta, Entra ID, Ping) and does it support SAML/OIDC for CyberArk?
- What's the current PVWA authentication method (local, LDAP, SSO)?
- What MFA method is used for the IdP and should it be required for CyberArk access?
- How is privileged access (safe membership) currently provisioned?
- Is there an IGA system (SailPoint) that should govern privileged access lifecycle?
- What role-to-safe mapping is needed for IGA integration?
- What SIEM is in use and what log format does it expect (CEF, syslog)?
- What privileged access anomalies should trigger SOC alerts?
- What's the break-glass procedure for IdP outages?
- How should privileged access be certified and how often?
- What's the required time-to-revoke when privileged access is removed?
- What audit evidence is required for compliance?
