With release 21.1, CyberArk Idaptive supports the following new features:
Single Sign-On
Delegated administration of web applications
Delegated administration is a mechanism for providing application management privileges to users in non-administrative roles. With this release, CyberArk Idaptive administrators can now delegate management of specific web applications to other users. Previously, application management could only be performed by members of roles with the Application Management right, which grants administration privileges for all deployed applications. Now, the administration of specific web applications can be extended to users in roles without the Application Management right. For example, as a System Admin, you can now delegate administration of the Salesforce application to the app's business owner without granting them administrative rights to any other application. To learn more, please see additional application permissions.
SSO to AWS Management Console through AWS Single Sign-On
AWS Single Sign-On (SSO) enables you to centrally manage access to all of your AWS accounts. AWS SSO leverages the AWS Organizations concept to associate multiple AWS accounts with a single organization, which can then be integrated with a third-party single sign-on provider, such as CyberArk Idaptive, to establish SSO access to the AWS Management Console and secure access via the AWS CLI. Previously, you could set up single sign-on to AWS by federating access through the AWS IAM service. However, the AWS IAM service requires customers to set up federation separately for each of their AWS accounts, which does not scale for enterprises with a large number of accounts. Now, you can use the new AWS SAML template to integrate CyberArk with the AWS SSO service and extend CyberArk Idaptive SSO to all of your AWS accounts.
The integration with AWS SSO enables you to:
- Set up single sign-on to one or more AWS accounts from CyberArk Idaptive User Portal.
- Configure user attributes in CyberArk Idaptive and send them in the SAML payload to AWS. AWS SSO can use these attributes to scope access controls to various resources.
- Set up automatic provisioning and deprovisioning of users and groups to AWS SSO.
- Execute AWS CLI commands by authenticating to CyberArk Idaptive.
To learn more about configuring AWS SSO in CyberArk Idaptive, please see here.
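The second bullet above says user attributes configured in CyberArk Idaptive travel in the SAML payload and that AWS SSO can use them to scope access. The following is an added example, not code from CyberArk or AWS, that builds a SAML 2.0 AttributeStatement carrying such attributes, reads them back the way a relying party would, and applies a deliberately simplified tag-matching rule. The attribute-name prefix follows the AWS SSO access-control convention; the user data, the resource tags and the matching rule itself are constructed for this example and are not AWS policy language.

```python
"""Added example: user attributes in a SAML AttributeStatement for AWS SSO."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Naming convention AWS SSO uses for attributes that feed its access control
# (they become session tags on the federated principal).
AWS_AC_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed sample user, as it might be configured in the IdP.
SAMPLE_USER_ATTRS = {"Department": "Finance", "CostCenter": "CC42"}


def build_attribute_statement(user_attrs: dict) -> str:
    """Serialize user attributes as a SAML 2.0 <AttributeStatement> element."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in user_attrs.items():
        attr = ET.SubElement(
            stmt,
            f"{{{SAML_NS}}}Attribute",
            {"Name": AWS_AC_PREFIX + name, "NameFormat": URI_FORMAT},
        )
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = str(value)
    return ET.tostring(stmt, encoding="unicode")


def parse_access_control_attributes(xml_text: str) -> dict:
    """Read back only the AccessControl attributes; other attributes are ignored.

    Untrusted input must be parsed only after the assertion's signature has
    been verified; that step is out of scope here and is the SP's job.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if not name.startswith(AWS_AC_PREFIX):
            continue
        value_el = attr.find(f"{{{SAML_NS}}}AttributeValue")
        found[name[len(AWS_AC_PREFIX):]] = value_el.text if value_el is not None else ""
    return found


def resource_access_allowed(principal_attrs: dict, resource_tags: dict,
                            keys=("Department",)) -> bool:
    """Simplified attribute-based rule (an assumption for illustration only):
    every listed key must be present on the principal and equal the resource tag."""
    return all(
        principal_attrs.get(k) is not None and principal_attrs.get(k) == resource_tags.get(k)
        for k in keys
    )


def demo() -> dict:
    """Round-trip the sample user and evaluate two constructed resources."""
    xml_text = build_attribute_statement(SAMPLE_USER_ATTRS)
    attrs = parse_access_control_attributes(xml_text)
    return {
        "attrs": attrs,
        "finance_bucket": resource_access_allowed(attrs, {"Department": "Finance"}),
        "engineering_bucket": resource_access_allowed(attrs, {"Department": "Engineering"}),
    }


if __name__ == "__main__":
    print(demo())
```

The parser deliberately drops attributes outside the AccessControl prefix so that an IdP adding unrelated claims cannot accidentally widen what the access rule sees, and the rule fails closed when the principal lacks the attribute at all.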
Single Sign-On to Google Cloud Platform
You can now easily integrate CyberArk Idaptive SSO with Google Cloud Platform (GCP) by using a new SAML App template. To set up SSO to Google Cloud Console, simply find the respective SAML template in the CyberArk Idaptive App Catalog, and follow the steps in the integration wizard. To learn more, see here.
Multi-Factor Authentication
MFA requirements satisfaction with a QR code scan
In the 20.7 release, CyberArk enabled support for passwordless authentication using QR codes, providing a secure and frictionless sign-in experience to the CyberArk Idaptive User Portal. If the portal was protected by Multi-factor Authentication, users also had to provide additional authentication factors, such as physical tokens or one-time passcodes (OTP). With this release, you can now allow users to scan a QR code with their enrolled mobile device to satisfy the required secondary authentication mechanisms. For example, a user can now access the MFA-protected CyberArk Idaptive User Portal by simply scanning a QR code with their CyberArk Idaptive app. The CyberArk Idaptive app can be locked with on-device biometric authentication mechanisms, such as facial recognition cameras or fingerprint readers, to validate the user scanning the QR code. Users without an enrolled mobile device can continue to sign in using other authentication mechanisms. To learn more, please see the QR Code login documentation.
reCAPTCHA challenge at login
reCAPTCHA is a service from Google designed to distinguish between human and automated access to webpages and protect websites from automated attacks. With this release, you can now add reCAPTCHA v2 challenges to your CyberArk Idaptive login screen and protect your tenant or custom applications from automated brute-force attacks that try different username and password combinations. For example, you can require users to solve a CAPTCHA challenge to gain access to the CyberArk Idaptive User Portal if they fail to provide valid credentials after a certain number of login attempts. This prevents attackers from locking specific user accounts with unsuccessful login attempts and reduces the risk of Denial of Service (DoS) attacks against tenants. Login screen reCAPTCHA is a tenant-wide setting and is turned off by default. Customers interested in protecting login to their User Portals or customer-facing apps with reCAPTCHA can enable it by reaching out to CyberArk Support.
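The paragraph above describes a CAPTCHA gate that kicks in after a number of failed logins instead of locking the account. The following is an added example of that server-side logic, written for this page and not CyberArk's implementation: a per-account failure counter, a CAPTCHA requirement once the counter reaches a threshold, and a reset on success. The threshold, the usernames and the in-memory store are constructed for the example; the CAPTCHA verifier is injected so the code runs offline, whereas a real deployment would post the token to Google's siteverify endpoint with the site secret.

```python
"""Added example: CAPTCHA-after-N-failures login gate (no account lockout)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CAPTCHA_THRESHOLD = 3  # constructed value: failures before a CAPTCHA is demanded


@dataclass
class LoginGate:
    """Tracks failed attempts per username and gates further attempts behind a CAPTCHA."""
    verify_captcha: Callable[[str], bool]   # real code: call reCAPTCHA siteverify here
    threshold: int = CAPTCHA_THRESHOLD
    failures: Dict[str, int] = field(default_factory=dict)  # in-memory store for the example

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.threshold

    def attempt(self, username: str, password_ok: bool,
                captcha_token: Optional[str] = None) -> str:
        """Return one of 'captcha_required', 'captcha_failed', 'denied', 'granted'.

        The account is never locked: a legitimate user who solves the CAPTCHA
        and supplies the right password always gets in, which is what removes
        the lockout-based denial-of-service the page describes.
        """
        if self.captcha_required(username):
            if captcha_token is None:
                return "captcha_required"
            if not self.verify_captcha(captcha_token):
                # A failed CAPTCHA is not a password guess, so it is not counted.
                return "captcha_failed"
        if not password_ok:
            self.failures[username] = self.failures.get(username, 0) + 1
            return "denied"
        self.failures.pop(username, None)  # success resets the counter
        return "granted"


def stub_verifier(token: str) -> bool:
    """Constructed stand-in for the siteverify call: only this token is 'solved'."""
    return token == "solved"


def simulate_guessing_burst() -> List[str]:
    """Three wrong guesses, then the guesser hits the gate; the real user solves
    the CAPTCHA with the right password and the counter clears."""
    gate = LoginGate(verify_captcha=stub_verifier)
    user = "alice"  # constructed sample account
    outcomes = [gate.attempt(user, password_ok=False) for _ in range(3)]
    outcomes.append(gate.attempt(user, password_ok=False))                       # no token
    outcomes.append(gate.attempt(user, password_ok=False, captcha_token="junk"))  # bad token
    outcomes.append(gate.attempt(user, password_ok=True, captcha_token="solved"))  # real user
    outcomes.append(gate.attempt(user, password_ok=True))                        # counter reset
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing_burst())
```

Because the gate requires a CAPTCHA rather than refusing the account, a flood of bad passwords against one username raises the cost of each further guess without letting the flood itself deny service to the account's owner. In production the counter should live in shared storage with an expiry, and the reCAPTCHA token must be verified server-side, never trusted from the client.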
Enforce MFA without User Portal authentication on selected apps
You can now configure an application to bypass the initial authentication steps and present users with Multi-factor Authentication challenges instead. Previously, users launching an application outside of the CyberArk Idaptive User Portal were required to pass both the initial authentication and the secondary authentication challenges defined in the User Portal authentication policy. Now, users can launch specific apps directly, without authenticating to the CyberArk Idaptive service, by successfully solving the MFA challenges configured for the app. For example, you can add a URL link in your internal company portal to access a low-risk application. Your employees will be able to launch this application by clicking the link and successfully passing an MFA challenge. This feature is useful for users who need easy access to specific apps rather than to the entire CyberArk Idaptive platform. To learn more, please see Bypass User Portal authentication for launching applications.
Enhanced Continuous User Risk Monitoring
The CyberArk Idaptive User Behavior Analytics service now incorporates additional user activity events when calculating the aggregated risk score, which is continuously updated. You can see the classification of user risk as none, low, medium, or high in the Admin Portal and can drill down to specific user activities and their associated risk scores for all qualifying events, regardless of the user's overall risk level or the access policies enabled. Previously, tenants without risk-based access policies displayed risk scores only for medium- and high-risk events. Now, you can view risk scores for all access events, including none, low, medium, and high. This change provides a complete picture of the risk level of your users even if you do not control access based on risk. Customers already using risk-based access policies will continue to see risk scores for all security events.
For more information on the 21.1 release, please see CyberArk Idaptive release notes.