Hideez SAML Identity Provider for CyberArk PVWA

Online security 2021, Authentication tips

CyberArk is a publicly traded information security company offering Privileged Account Security. CyberArk delivers the industry's most complete solution to reduce the risk created by privileged credentials and secrets. The company is trusted by the world's leading organizations, including more than 50 percent of the Fortune 500, to protect against external attackers and malicious insiders.

Hideez Authentication Solution Overview

Hideez SAML Identity Provider (Hideez IdP) implements the SAML 2.0 Web Browser SSO Profile, providing cross-domain Single Sign-On between applications that support SAML.

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, called an Identity Provider (IdP), and a SAML consumer, called a Service Provider (SP).

Hideez IdP and Hideez Enterprise Server together enable the Hideez authentication method for CyberArk Password Vault Web Access (PVWA), which is a SAML 2.0 compliant SP.

The Hideez authentication method is an elegant, lightweight MFA solution. It is based on the Hideez Key wireless authenticator, the Hideez flagship product, which implements the system-on-a-chip concept. Its key capabilities are Bluetooth 4.0 wireless transport, hardware credential storage, a password manager with dynamic resource recognition, Windows PC lock/unlock based on Bluetooth proximity, centralized remote wireless delivery of credentials to a Hideez Key instance, and 112 bits of security for data at rest and in transit. Hideez Key also provides an RFID token as an extra factor of user identification, usable in a wide range of use cases, from accessing a workspace to participating in authentication algorithms.

Hideez IdP is built on Shibboleth IdP v3, which is available under the Apache 2.0 open source software license. Shibboleth is among the world's most widely deployed federated identity solutions, connecting users to applications both within and between organizations. Hideez IdP complements the authentication capabilities built into Shibboleth with its own authentication method.

Benefits of Hideez Authentication Solution

● Hideez solves the problem of unattended computers and eliminates the possibility of data breaches and insider attacks;
● Hideez provides a means of unique user identification and multi-factor authentication, enabling compliance with different regulations;
● Hideez solves the problem of unauthorized access by adding an extra identification layer to the user's authentication processes;
● Hideez solves the problem of multi-user endpoints, where it must be guaranteed that the user who unlocked a computer and the user who is signing the transaction are the same person;
● Hideez allows hands-free authentication and solves the problem of working areas with specific climate or infection controls in place;
● Hideez solves the problem of short timeouts before locking a computer;
● Hideez combines a means of logical and physical access in a single device, making the solution more convenient by excluding duplication;
● The Hideez password manager delivers credentials to both local and remote targets.

Key Benefits of Integration (Hideez & CyberArk PVWA)

● A lightweight, full-value MFA solution for CyberArk PVWA;
● An extra layer of security for CyberArk privileged users due to the system-on-chip nature of the device: all credentials are always with the user, on the Hideez Key in his pocket;
● A basis for expanding SSO and federation concepts between components of the privileged access management ecosystem.

Hideez SAML IDP Diagram and Description of Integration

Hideez and Integration with CyberArk PVWA

The Hideez authentication solution consolidates different authentication methods, approaches and features and makes them available through Hideez Key. The solution includes Hideez Key instances, the Hideez Safe local agent and Hideez Enterprise Server.

Hideez Enterprise Server provides an identity store and is responsible for centralized credential management, including remote wireless delivery of credentials to the user's Hideez Key device.

Hideez SAML IdP turns Hideez Enterprise Server into an authentication and SSO authority. Hideez provides this feature as a convenient way to enable MFA for CyberArk PVWA. SAML integration between CyberArk PVWA and Hideez IdP requires minimal intervention in the CyberArk setup.

Use Case

A user owns a Hideez Key instance and uses it to store credentials separately from any operational environment. Authentication to different web services and applications is among the user's daily activities. A new regulation requires 2FA for access to privileged access management systems, including CyberArk PVWA. The current setup does not satisfy the new requirements.

An administrator knows that Hideez supports 2FA. He sets up the integration between CyberArk PVWA and Hideez using the Hideez SAML IdP feature and the SAML authentication option that CyberArk PVWA supports.
The resulting setup satisfies the 2FA requirements of the regulation.

Prerequisites and Dependencies

1. Hideez SAML IdP and Hideez Enterprise Server must be set up and available;
2. Hideez Key and the Hideez Safe local client software must be set up on the user's workstation;
3. Integration between CyberArk PVWA and Hideez IdP requires that both are reachable from the user's web browser by their domain names over an HTTPS connection. This document assumes that PVWA is available at https://pvwa.hicorps.com/PasswordVault/v10/ and Hideez IdP is available at https://idp.hicorps.com/idp/;
4. Although setting up the integration requires minimal intervention in the CyberArk environment, appropriate administrative rights to change the CyberArk PVWA configuration are still required;
5. Users who will be mapped must exist on both the HES and PVWA sides.
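The Web Browser SSO profile described above ends with the SP (here PVWA) consuming an assertion issued by the IdP, and the prerequisites fix the two hostnames involved. The following is an added example, not Hideez, Shibboleth or CyberArk code, of the SP-side checks on such an assertion: issuer, InResponseTo, validity window and audience. The entity IDs are assumptions built from the hostnames above, and the SAML Response is a constructed, unsigned sample, so XML signature verification (which a real SP does first) is left out.

```python
# Added example: SP-side validation of a SAML 2.0 assertion from the IdP.
# Entity IDs below are assumptions derived from the page's hostnames.
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.hicorps.com/idp/shibboleth"  # assumed IdP entityID
SP_ENTITY_ID = "https://pvwa.hicorps.com/PasswordVault"   # assumed PVWA entityID

# Constructed, unsigned sample; a real SP verifies the XML signature before this.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
  <saml:Issuer>https://idp.hicorps.com/idp/shibboleth</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.hicorps.com/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-06-01T10:00:00Z" NotOnOrAfter="2021-06-01T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pvwa.hicorps.com/PasswordVault</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2021-06-01T10:02:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_response(xml_text, expected_request_id, now):
    """Return the asserted NameID if every SP-side check passes, else raise ValueError."""
    root = ET.fromstring(xml_text)
    # Tie the response to an AuthnRequest this SP actually issued.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # Only the configured IdP may vouch for users.
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    # Reject assertions minted for some other SP (audience restriction).
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

The returned NameID is the value the SP then maps to a local PVWA user, which is why the last prerequisite requires the user to exist on both sides.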

Hideez Enterprise Server and Hideez SAML IdP can be obtained on request using any of the contacts at the bottom of this document. You can also request a demo of how the Hideez authentication solution, including the IdP, works.