Posted On: Nov 10, 2021

Customers can now connect their CyberArk Workforce Identity (CyberArk) to AWS Single Sign-On (SSO) once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using CyberArk Workforce Identity to access all their assigned AWS accounts. The integration helps customers simplify AWS access management across multiple accounts while maintaining familiar CyberArk Workforce Identity experiences for administrators who manage identities, and for end users as they sign in. AWS SSO and CyberArk Workforce Identity use standards-based automation to provision users and groups into AWS SSO, saving administration time and increasing security.

The interoperability of AWS SSO and CyberArk Workforce Identity enables administrators to assign users and groups access centrally to their AWS Organizations accounts and AWS SSO integrated applications. This makes it easier for an AWS administrator to manage access to AWS and ensure CyberArk Workforce Identity users have the right access to the right AWS accounts, including those created with AWS Control Tower account factory. Ongoing management is also simplified. For example, when using group assignments, CyberArk Workforce Identity administrators can grant or remove AWS account access by adding or removing users from a CyberArk Workforce Identity group.

AWS SSO and CyberArk use the System for Cross-domain Identity Management (SCIM) standard to automate the process of provisioning users and groups into AWS SSO. AWS SSO also authenticates CyberArk users to their assigned AWS accounts through the Security Assertion Markup Language (SAML 2.0) standard. To configure the SCIM and SAML connections, administrators can use the AWS SSO Connector available in the CyberArk Application Catalog.

Your end users get their familiar CyberArk sign-in experience, including MFA, and central access to all of their assigned AWS accounts, including those created with AWS Control Tower account factory. In addition, your users can use their CyberArk credentials to sign in to the AWS Management Console, AWS Command Line Interface (CLI) and Amazon Managed Grafana.

It is straightforward to get started with AWS SSO. With just a few clicks in the AWS SSO management console, you can choose AWS SSO, Active Directory, or an external identity provider, now including CyberArk Workforce Identity, as your identity source. Your users sign in with the convenience of their familiar sign-in experience and get single-click access to all their assigned accounts from the AWS SSO user portal. To learn more, please visit AWS Single Sign-On. To connect CyberArk Workforce Identity to AWS SSO as an external identity provider, please see the AWS SSO documentation.

There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Mumbai), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Tokyo), EU (Ireland), EU (Frankfurt), EU (London), EU (Paris), EU (Stockholm), AWS GovCloud (US-West) and South America (São Paulo) Regions.