
CyberArk vault connector issue

GauravJain
Regular Contributor III

Hi

I am trying to set up CyberArk as a vault connector to inject account credentials in one of the REST connectors.

1st Step

While setting up CyberArk as a vault connector (after following the document link provided below), I configured all required parameters like Auth_URL, USERNAME, PASSWORD, URL, ACCOUNTID, DEFAULT_PATH (/${accountID}/Password/Retrieve) etc. to test the connection and got the popup for a successful connection. Also, I don't see any error message in the logs.

With this, can I assume that the connection is set up successfully? Or is there anything else I can do to make sure it's set up perfectly fine?

Doc link : Understanding the Integration Between EIC and CyberArk Vault (saviyntcloud.com)

2nd Step

I created a REST connector, where I got the option to select the "Credential Vault Connection" which I created in the 1st Step. I checked the "Save Credential Vault" checkbox, selected the "accountID" in the "Account Id Credential Vault Connection" field as configured in the 1st Step, and the "vault config" was auto-populated with this value: "https://{instance}/PasswordVault/api/Accounts/{$accountID}/Password/Retrieve".

Now when I click on the "Advanced" button next to "vault config", it gives a blank white screen. Because of this, I am not able to complete the remaining configuration required for the "Is Encoded" field. What could be the reason for this issue? Do we need to raise a fresh service ticket?

Also, what will be the "ConnectionJSON" configuration if credentials are pulled from the vault? I didn't find any example at the document link given below.

REST Developer Handbook : Developers Handbook (saviyntcloud.com)

Please let me know if any further information is required on the above issue.

One more finding from the logs: while testing the REST connector, I saw this entry in the logs, where the configured accountID is not picked up by the REST connector and is showing as "null":

calling url to retrieve password :: https://{instance}/PasswordVault/api/Accounts/null/Password/Retrieve

Not sure if it's related to the "Advanced" configuration issue I mentioned in my original post or something else.

Regards

Gaurav

[This message has been edited by moderator to merge reply comment]
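Added example, not part of the original post and not Saviynt code: a small log check that flags vault retrieval calls whose account ID was never bound into the path template, as in the `Accounts/null/Password/Retrieve` entry quoted above. The log prefix and URL path come from the post; the timestamps, host name, account ID `12_34` and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Log prefix as quoted in the post; the surrounding line layout is an assumption.
LOG_MARKER = "calling url to retrieve password ::"
RETRIEVE_PATH = re.compile(
    r"/PasswordVault/api/Accounts/(?P<acct>[^/]*)/Password/Retrieve/?$", re.IGNORECASE)
# Values that mean the account ID was not substituted into the template.
UNBOUND = re.compile(r"^(|null|undefined|\$\{.*\}|\{\$.*\})$", re.IGNORECASE)

# Constructed sample lines (host, timestamps and account ID are made up).
SAMPLE_LOG = [
    "2023-09-25 10:01:02 INFO calling url to retrieve password :: "
    "https://vault.example.com/PasswordVault/api/Accounts/12_34/Password/Retrieve",
    "2023-09-25 10:01:05 INFO calling url to retrieve password :: "
    "https://vault.example.com/PasswordVault/api/Accounts/null/Password/Retrieve",
    "2023-09-25 10:01:07 INFO calling url to retrieve password :: "
    "https://vault.example.com/PasswordVault/api/Accounts/${accountID}/Password/Retrieve",
    "2023-09-25 10:01:09 INFO REST connection test started",
]

def classify_line(line):
    """Return (status, account_id), or None if the line is not a vault retrieval."""
    if LOG_MARKER not in line:
        return None
    url = line.split(LOG_MARKER, 1)[1].strip()
    match = RETRIEVE_PATH.search(urlparse(url).path)
    if not match:
        return ("unexpected-path", None)
    acct = match.group("acct")
    if UNBOUND.match(acct):
        return ("unbound-account-id", acct)
    return ("ok", acct)

def scan(lines):
    """Return (line_number, status, account_id) for every suspicious retrieval call."""
    findings = []
    for number, line in enumerate(lines, start=1):
        result = classify_line(line)
        if result is not None and result[0] != "ok":
            findings.append((number, result[0], result[1]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
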

14 REPLIES

SB
Saviynt Employee

The Vault connector should ideally be successful if you saw the success message on clicking Save & Test. For confirmation, though, I would suggest updating the value for the password or URL to an incorrect one and then validating.

Also, you can refer to the documentation below and follow the steps to set up the connection.

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter04-Application-Management-...


Regards,
Sahil

GauravJain
Regular Contributor III

Hi Sahil - Thanks for reverting.

Even after putting a wrong password in the Vault connector, it says "Connection is successful" and also logs the same events in the log file. No difference.

Also, I have followed the latest documentation, 23.x, because our product version is 23.5. But still, I have gone through the link you mentioned, and the popup on clicking the "Advanced" button still doesn't come up.

GauravJain
Regular Contributor III

Hi @SB - Can you please comment on the following issues as well?

  1. In the CyberArk vault connector, for the ACCOUNTID field, should we enter the account name or the account id (which is a numeric value in the vault)?
  2. In the REST connector, the selected accountID is not binding with DEFAULT_PATH and it's appearing as "null" in the logs with this url https://{domain}/PasswordVault/api/Accounts/null/Password/Retrieve
  3. In the REST connector, the Vault config field is auto-populated. Not sure what the value in this field should be. Having an example in the documentation would help.
  4. In the REST connector, clicking on the "Advanced" button next to vault config gives a blank white screen.
  5. In the REST connector, what will be the "ConnectionJSON" configuration if credentials are pulled from the vault? Didn't find any example on the document link.

GauravJain
Regular Contributor III

Hi @SB, from my last reply on "09/25/2023 11:54 PM", I have managed to resolve the first 4 points by trial and error methodology. Now, I am looking for help on the following 2 items, which are critical to move forward on the Saviynt-CyberArk integration:

  1. In the REST connector, what will be the "ConnectionJSON" configuration if credentials are pulled from the vault? Didn't find any example on the document link.
  2. Which type of authorization is expected in Saviynt for CyberArk (REST API) vault integration? Currently, I am using CyberArk basic auth using this url "/PasswordVault/API/auth/Cyberark/Logon". Other options could be OAuth 2.0 / OpenID Connect etc. The reason for asking this question is that the same set of userid/pwd with the above given logon url is working from Postman (outside Saviynt) but giving a 401 authentication error when configured in Saviynt's CyberArk vault connector.

GauravJain
Regular Contributor III

Hi @SB, which type of authorization is expected in Saviynt for CyberArk vault integration? Currently, I am using CyberArk auth using this url "/PasswordVault/API/auth/Cyberark/Logon". Other options could be OAuth 2.0 / OpenID Connect etc.

SB
Saviynt Employee

Hi @GauravJain, let me check if REST is even supported for using the CyberArk vault and will update you.


Regards,
Sahil

GauravJain
Regular Contributor III

Hi @SB - Thanks for your revert. This document says all connector types support CyberArk vault integration: https://docs.saviyntcloud.com/bundle/SVCF-v23x/page/Content/SVCF-Overview.htm

Also, when we create a REST connector, it has an option to select a CyberArk vault connector, which ideally means it's supported. Secondly, one of the users on the forum has also answered the same: Re: Which all connector types support CyberArk as ... - Saviynt Forums - 52208

But I will wait for your confirmation before proceeding further.

GauravJain
Regular Contributor III

Hi @SB, any updates on this please?

SB
Saviynt Employee

I am still researching it and will update.


Regards,
Sahil

GauravJain
Regular Contributor III

Hi @SB, thanks for your revert. While you research it, can you look at the following general questions w.r.t. vault configuration:

1) What's the significance of the attached screenshot "Advanced_vault_config_screen.JPG" while configuring the Vault connector in any other connector type like AD? The documentation is very confusing, so if you have any idea please throw some light on it.

2) What should be the value of "Vault Config" (Account Id Credential Vault Connection)? Is "/${accountID}/Password/Retrieve" correct or is there more to it? The Saviynt documentation is just not explaining it properly here: Understanding the Integration Between EIC and CyberArk Vault (saviyntcloud.com)

3) Save Credential Vault checkbox - As per the doc: "Select this parameter to save the encrypted attribute in the vault configured with the connector."

Which encrypted attributes is it referring to? I don't think we can save anything in the vault from Saviynt, so this checkbox must be unchecked only, right?

GauravJain
Regular Contributor III

Any luck Sahil?

SB
Saviynt Employee

I have confirmed this, and the REST connector does not support using a Vault connection.


Regards,
Sahil

GauravJain
Regular Contributor III

Thanks Sahil. Can we please modify the documentation to avoid such confusion and wasted time for other people trying to use the same functionality? There are 2 different document links with conflicting information:

https://docs.saviyntcloud.com/bundle/SVCF-v23x/page/Content/SVCF-Overview.htm

https://docs.saviyntcloud.com/bundle/CyberArk-Vault-v23x/page/Content/Introduction.htm

Also, if possible, the implementation of the REST connector should not really show the CyberArk vault connector configuration if it's not supported, for a good user experience.

Regards

Gaurav

SB
Saviynt Employee

We have informed the Doc team to get this updated. Also, there is an alternative I think you can try that might work for you. For this, you will need to store the entire Connection JSON in CyberArk (not just the password) and then use the Vault in the REST Connection to fetch the Connection JSON value. Since the vault integration is only used for Encrypted fields, and because the entire Connection JSON is encrypted in a REST connection, using just the password will not work, but fetching the entire Connection JSON may work.

I have not personally implemented this, but it is certainly worth a try if you want to.


Regards,
Sahil