With release 21.5, CyberArk Identity supports the following new features:
Single Sign-On
Redesigned CyberArk Identity sign-in experience
With this release, we are introducing a new, redesigned sign-in screen for CyberArk Identity. The new sign-in page reflects a modern design and improves the sign-in experience for users and administrators with a streamlined layout of all authentication options, including QR code, password, and social login. The design of the new sign-in page can also be tailored to your specific needs. For example, you can upload your company’s logo, update the background image, and change the color scheme to align with your corporate colors. The new sign-in experience is disabled by default to provide you the time and flexibility to socialize this change with your end-users. You can enable the sign-in page at any time by updating preferences in your Admin portal. To learn more about the new sign-in page, please see here.
Windows Certificate Authentication Agent
CyberArk Identity supports Zero Sign-On (ZSO) authentication. This certificate-based authentication method enables users to seamlessly log in to their assigned applications and services without additional authentication once their devices are verified. With this release, you can use the new Windows Certificate Authentication Agent to verify Windows endpoints and prevent untrusted devices from accessing CyberArk Identity or protected web applications. The new, lightweight agent leverages the Integrated Windows Authentication (IWA) mechanism to validate Active Directory users and deploy a CyberArk Identity certificate on trusted endpoints. You can use Windows Certificate Authentication Agent to manage CyberArk Identity certificates as well. For example, you can revoke, renew, or define the time limit for certificate validity.
Windows Certificate Authentication agent feature is currently in preview. Please contact CyberArk Support to enable the agent download option on your tenant.
Identity Verification with Ekata
Ekata provides identity verification (IDV) service by applying pattern recognition, predictive analytics, and machine learning to the key consumer data attributes, such as email, phone, name, physical address, and IP. This enables you to assess the overall risk of an applicant for a new account and ensure that synthetic or stolen IDs are not used for account creation. With this release, the Ekata IDV service is now integrated into the CyberArk Customer Identity account sign-up workflow. Using this integration, you can easily identify high-risk sign-ups and take appropriate actions to prevent identity fraud. For example, you can require a user to obtain approval from a designated person before they can create a profile in the CyberArk Identity-protected application or website.
The CyberArk Identity and Ekata integration is currently in Beta. Please contact your CyberArk Account Representative to enable this feature on your tenant.
Lifecycle Management
Standards-based Interfaces to Manage Privileged Accounts in CyberArk Privilege Cloud
You can now use CyberArk Identity’s System for Cross-domain Identity Management (SCIM) server interface to manage privileged accounts and objects in CyberArk Privilege Cloud. Previously, you could only use CyberArk Identity SCIM interfaces to manage users and groups in CyberArk Cloud Directory. Now, you can use the SCIM endpoints to integrate with 3rd party SCIM-compliant Identity Governance and Administration (IGA) platforms to manage PAM objects. For example, you can now use a SCIM-enabled IGA solution, such as SailPoint to create a Safe inside your CyberArk Privilege Cloud Password Vault and authorize user access to the accounts stored in the Safe. To learn more about using the SCIM interface to manage privileged users and objects, please see here.
Automate Workday provisioning to CyberArk Cloud Directory
You can now use CyberArk Identity Lifecycle Management (LCM) to provision users from Workday to CyberArk Identity Cloud Directory. Previously, you could only provision users from Workday to your Active Directory. Now, you can specify a target directory (Active Directory or Identity Cloud Directory) when defining your inbound provisioning rules. This allows you to designate your directories for specific user populations or move away from using Active Directory to store your users’ attributes. For example, you can now provision your full-time employees into Active Directory and keep external contractors in the CyberArk Identity Cloud Directory. You can also provision all users to CyberArk Identity Cloud Directory, configure what Cloud Directory roles users should be assigned to, update Workday when user Cloud Directory attributes are changed, and automatically disable user accounts when terminated in Workday. To learn more about Workday user provisioning, please see here.
For more information on the 21.5 release, please see CyberArk Identity release notes.
