How-to work with Cyberark Workforce SAML

This guide explains how to configure SAML 2.0 authentication to enable single sign-on to Checkmk using CyberArk Workforce ID.

LAST TESTED ON CHECKMK 2.4.0p8

Depending on your CyberArk configuration or version, certain details may vary. For the most accurate and up-to-date information, consult the official CyberArk documentation.


Overview

This article details the process of integrating CyberArk Workforce ID with Checkmk using SAML 2.0 for authentication. It covers the full configuration workflow, including setting up a SAML connection in Checkmk, creating and configuring a custom SAML application in CyberArk, exchanging metadata between both systems, and assigning users or groups for access. 



Step-by-step guide


Configure a SAML connection in Checkmk

  1. Go to Setup → Users → SAML authentication / connections in Checkmk.




  2. Click Add connection.

  3. Under the General properties section, provide both a Connection ID and a Name. For this example, both are named CyberArk.




  4. Under the Connection section:



    • Set Identity provider metadata to URL.

    • Enter placeholder as a temporary value in the field underneath the dropdown; it is replaced with the real metadata URL in a later step.

    • In Checkmk Server URL, enter the FQDN (Fully Qualified Domain Name) of your Checkmk instance.
      • Ensure that HTTPS is enabled and that the site is reachable by the Identity Provider (IdP).

  5. Save the connection.


Create a SAML web application in CyberArk

  1. In the CyberArk Workforce ID Admin portal, go to Apps & Widgets → Web Apps.




  2. Click on Add Web Apps.



  3. Select the Custom tab from the available options.

  4. Click Add next to SAML, then confirm by clicking Yes.






  5. Click Close. A new web app named SAML will appear.

Configure the application in CyberArk

  1. Click on the newly created app SAML to configure it.




  2. In the Settings section, provide a name for the application (e.g., Checkmk SAML).




  3. In the Trust section, locate the Single Sign On URL section.

  4. Copy the URL using the “Copy URL” button. This URL will contain /saasManage/.



Finalize SAML connection in Checkmk

  1. Return to Checkmk and go to Setup → Users → SAML authentication / connections.




  2. Edit the SAML connection you created earlier.

  3. Replace the placeholder value in the Identity provider metadata field with the copied Single Sign On URL from CyberArk.



  4. Save the connection. Checkmk will now auto-populate the Service Provider metadata section.


Complete configuration in CyberArk

  1. Return to CyberArk. Go to Apps & Widgets → Web Apps → SAML → Trust.

  2. In the Service Provider Configuration section, set the configuration mode to Manual Configuration.

  3. In Checkmk, locate the Entity ID URL (ending in saml_metadata.py) and paste it into CyberArk’s:

    • SP Entity ID / Issuer / Audience field.

  4. In Checkmk, locate the Assertion Consumer Service (ACS) endpoint URL and paste it into CyberArk’s:

    • ACS URL field.

  5. Set Sign response or assertion to Both.

  6. Set NameID format to emailAddress.

  7. In Checkmk, copy the metadata endpoint URL and paste it into the Relay State field in CyberArk.




  8. Click Save.

  9. Under SAML Response, add a new attribute:

    • Attribute Name: user_id
      This is the default attribute name used by Checkmk; it can be changed at the user's discretion.

    • Attribute Value: LoginUser.Username




  10. Click Save.

  11. In the Permissions section, click Add, and assign users or groups to the application.




  12. Click Save at the bottom of the page. The application should move from Ready to Deploy to Deployed.
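To confirm that a SAML Response issued by CyberArk really reflects steps 3 to 9 above (Response and Assertion both signed, NameID in emailAddress format, the Checkmk Entity ID as the Audience, the ACS URL as Destination, and a populated user_id attribute), here is an added Python check; it is not part of the Checkmk guide or of either product. The hostname, site name and ACS path in the constructed sample are placeholders, and signatures are checked for presence only, not cryptographically verified. Feed it a decoded SAMLResponse captured from your own browser session.

```python
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text, entity_id, acs_url, attr_name="user_id"):
    """Return the mismatches against the settings in this guide (empty list = OK).
    Signatures are checked for presence only, not cryptographically verified."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    # Step 5 ("Sign response or assertion" = Both): a signature on each element
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    # Step 4: Destination must be the Checkmk ACS endpoint pasted into CyberArk
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not the ACS URL" % root.get("Destination"))
    # Step 6: NameID format = emailAddress
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # Step 3: the Checkmk Entity ID must be the Audience
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience %r is not the Checkmk Entity ID" % audiences)
    # Step 9: the user_id attribute must carry the login name Checkmk maps to a user
    values = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % attr_name, NS)]
    if not any(values):
        problems.append("attribute %r missing or empty" % attr_name)
    return problems

# Constructed sample (not a real capture); host, site and ACS path are placeholders.
SP_ENTITY = "https://checkmk.example.com/mysite/check_mk/saml_metadata.py"
SP_ACS = "https://checkmk.example.com/mysite/check_mk/saml_acs.py"
SAMPLE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s"
 Destination="%s"><ds:Signature/><saml:Assertion><ds:Signature/><saml:Subject>
<saml:NameID Format="%s">jdoe@example.com</saml:NameID></saml:Subject><saml:Conditions>
<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="user_id"><saml:AttributeValue>
jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
""" % (NS["samlp"], NS["saml"], NS["ds"], SP_ACS, EMAIL_FORMAT, SP_ENTITY)
```

Run it as `check_response(SAMPLE, SP_ENTITY, SP_ACS)`; an empty list means the response matches every setting this guide configures, and each string in a non-empty list names the step to revisit in CyberArk.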


Test the SAML Login

  1. Log out of Checkmk.




  2. On the sign-in screen, select Login with CyberArk.




  3. Enter your CyberArk credentials to confirm successful SAML authentication.