With the 23.1 release, CyberArk Identity supports the following new features:
Single Sign-On
Third-party CAPTCHA Support for Web Applications
Certain websites require CAPTCHA at login to prevent programmatic brute force attacks and determine whether the user is human or non-human. For such applications, users must solve the displayed CAPTCHA after the browser extension fills in the credentials. For example, end users could be asked to solve a CAPTCHA challenge if they access the application from a new location.
With third-party CAPTCHA support for web apps, end users can now solve CAPTCHA challenges enforced by applications during the login process. Previously, applications protected by third-party CAPTCHA could only be accessed with a direct URL. You can now access all applications from the CyberArk Identity User Portal, including those protected by third-party CAPTCHA.
Users can access all applications that are protected by third-party CAPTCHA
Learn more about third-party CAPTCHA support.
Multifactor Authentication (MFA)
Device Trust with Third-Party UEM For Desktop Machines
Unified endpoint management (UEM) is software for monitoring, managing and securing an organization's end-user devices, including desktops, laptops and smartphones, regardless of operating system or location. With this release, you can now use your existing UEM provider to establish device trust for desktop machines to ensure secure access to web applications.
If you are using VMware Workspace ONE, Microsoft Intune or Jamf as your third-party UEM provider to establish device trust for desktop machines (Windows or macOS), you can now use our authentication rules to limit access to any web applications. With a simple configuration to establish communication between the UEM provider and CyberArk Identity, you can inquire about your users' enrollment status or compliance with the device policy in real time.
Configure authentication rules based on UEM conditions
Learn how to configure access based on third-party UEM trust by clicking here.
User Behavior Analytics
Identity System Risk Roles
You can now create three new read-only dynamic system risk roles (low, medium and high-risk), which can be used for risk context when creating policies. Any service using the CyberArk Identity roles framework can use these new system risk roles.
For instance, let's say that you have a finance application with sensitive data. In this scenario, you can create a policy where only low-risk users can gain access to this application. This ensures that only users who do not pose a threat can access sensitive finance applications. The system risk roles are dynamic, continuously monitored and updated. If users get flagged for risky behavior, these users' risk scores are immediately elevated, and access rights to financial applications are restricted.
Create three new read-only dynamic system risk roles – high, medium and low risk
To learn more about creating Identity System Risk Roles, please click here.
Workforce Password Management
Application Access Controls Based on Usernames
CyberArk Workforce Password Management now allows administrators to restrict access to applications based on specific usernames.
Workforce Password Management is an enterprise-scale solution that enables workforce users to store and share business app credentials securely. With this release, you can now prevent users from storing credentials for specific usernames by adding them to an exclusion list. For example, you can prevent users from adding privileged accounts to Workforce Password Management by adding an exception for credentials with *root* or *admin* in the username.
Workforce Password Management access controls UI
Learn more about restricting access to Workforce Password Management apps.
Workforce Password Management Postman Collection
Postman is a popular tool to help test and develop APIs. To make it more convenient for developers integrating with the Workforce Password Management APIs, we've created a Postman collection containing the entire API call set. The collection includes REST APIs to manage admin and user-added applications, configure application access controls and import accounts from third-party password managers. For example, you can now easily test APIs that programmatically update credentials for business applications. You can also check that APIs used to query details about Secret Items, protected by Workforce Password Management, are working as expected.
CyberArk Workforce Password Management Postman collection
Learn more about Workforce Password Management APIs and Postman.
Secure Web Sessions
Session Control (preview)
CyberArk Secure Web Sessions is a cloud-based service that enables organizations to audit and protect end-user activity within high-risk and high-value web applications. This solution applies security layers that: enable companies to record actions taken by specific users within web applications; continuously validate that the person who started the web session is the one using the application; and protect web sessions from threats originating on the endpoint.
With this release, we are introducing an additional security layer called Session Control. With Session Control, you can define notification and enforcement rules for specific text and number fields within web applications. For example, you can create rules to alert you when users attempt to transfer funds that exceed a pre-set threshold within your banking app or ensure that only users with your company's email domain can be added to your cloud management console. Session Control rules are easy to create and follow IF-THEN logic with the option to enforce conditions, send push notifications to the CyberArk Mobile app or send alerts through email. All four security layers are supported in Google Chrome and Microsoft Edge browsers.
CyberArk Secure Web Session security layers
The Session Control feature is currently in preview. Please reach out to CyberArk Support to enable it for your tenant.
Enforce Security Layers for Specific URLs
You can now enforce CyberArk Secure Web Sessions security layers for specific application pages. This lets you control which pages within sensitive applications get protected by Secure Web Sessions.
Previously, customers could apply or turn off security layers based on the application domain or sub-domain. This meant that sensitive applications and linked apps were protected in their entirety. With this release, you can define specific application pages that must be protected. For example, you can exclude the homepage of your banking application but still record every action a user takes on pages that allow funds transfers or prevent users from downloading financial statements onto their local devices. This reduces the number of captured events and allows you to focus on areas within applications that require additional oversight and protection.
CyberArk Secure Web Session security layer setup
Learn more about CyberArk Secure Web Sessions security layers.
Identity Compliance
Certify That a User's Role Is Still Relevant
CyberArk Identity Compliance allows organizations to ensure that user access to resources and applications — including privileged access — is continually in compliance with government and industry regulations. Identity Compliance enables access discovery, review of access permissions, access certification and comprehensive analytics and reporting.
With this release, Identity Compliance can now certify users' roles, ensuring that their memberships in roles or groups and the associated permissions remain compliant. For example, users in “manager” roles will automatically be assigned access to specific permissions within apps such as Jira as part of role-based access control (RBAC). With this new feature, administrators or supervisors can periodically review users' roles — and the access associated with those roles — and certify, acknowledge or revoke access permissions.
Certifiers can now see the access rights associated with a user's role
Learn more about Identity Compliance.
Customer Identity and Access Management
Postman Collection for CyberArk Identity APIs and Application Management
Postman is an API platform for developers to design, build, test and iterate their APIs. In this release, we have created a Postman collection for CyberArk Identity that contains the detailed set of API calls for most of our use cases. This Postman collection will help developers organize their API development and testing efforts to rapidly deploy applications and integrate authorization, authentication and user management processes.
CyberArk Identity Postman Collection
To learn more about our Postman collection, please visit here.
For more information on the 23.1 release, please see the CyberArk Identity release notes.