With the 23.3 release, CyberArk Identity supports the following new features:
User Behavior Analytics
Respond to Threats With Automated Workflows
Using no-code workflows, you can now automate responses to threats detected by user behavior analytics. Within the user behavior analytics’ response automation feature, you can now select CyberArk Identity Flows and trigger specific workflows in response to security events.
Identity Flows is a user-friendly workflow builder with powerful integration and orchestration capabilities. With Identity Flows, you can orchestrate actions you would like to take in response to a threat or a security event. For example, when a security alert is triggered due to a user’s continued failed login attempts, you can automatically move the user into a “risky persons” group, which would restrict their access to specific resources. You can also use this feature to automatically notify relevant parties of the risk, create IT tickets, or take other actions that suit your organization’s needs. This feature is part of Identity Security Intelligence, a CyberArk Identity Security Platform Shared Service. It strengthens your security by reducing reliance on manual actions and adapting user access according to risk.
Response Automation now includes CyberArk Identity Flows
Learn more about Identity Flows.
Workforce Password Management
Enhanced reporting for user-added applications
CyberArk Workforce Password Management now provides additional visibility into applications added by end users.
CyberArk Workforce Password Management is an enterprise-scale solution that enables workforce users to store and share business app credentials securely. With this release, you can now run an out-of-the-box report to view information about each user-added application. The report includes details such as the application ID and URL, the method used to add the application, the user who created or modified the app and associated tags. For example, you can use this report to identify all apps specific users add within a particular timeframe. This allows Workforce Password Management administrators to perform periodic audits of user-added applications and ensure they fall within established IT security guidelines.
Workforce Password Management report
Learn more about Workforce Password Management reporting.
Certify Access to Multiple Resources at Once
CyberArk Identity Compliance allows you to discover, review and certify user access. With Identity Compliance, you can require administrators and managers to validate whether specific users need access to resources, permissions, or roles. In this release, certifiers can now take actions in bulk, making decisions about multiple users’ access at once. Since access certification campaigns may apply to large teams and require repetitive validations, this feature improves convenience and allows for efficient access reviews.
Certifiers can make access decisions for multiple resources
Learn more about Identity Compliance.
Adaptive Multifactor Authentication
Bring your own third-party SMS Gateway
CyberArk Adaptive Multifactor Authentication now allows you to integrate a third-party SMS gateway for text message-based secondary authentication. While you can continue to use CyberArk’s default SMS gateway, you can now add a secondary telecom provider to relay authentication messages for a specific set of users, roles and groups. This allows you to use a local or preferred SMS provider for specific locations, negotiate service terms directly with telecom vendors and set up a backup SMS provider for a reliable end user experience.
Integrate your third-party SMS gateway for authentication
Learn more about third-party SMS gateway.
Personal Identity Verification (PIV) Smart Card Authentication Support
PIV is the standard method for strong authentication within the US Federal government and qualifies for the highest NIST Authenticator Assurance Level (AAL3). With this release, end users can use their existing PIV cards to authenticate to any application protected by CyberArk Identity. By verifying a user’s identity with a PIV card, you can deter identity fraud and tampering while providing a seamless sign-in experience.
Select the option to sign in with your PIV card
Scan your PIV card to proceed with the authentication
RADIUS Server Selection During Authentication
Remote Authentication Dial-In User Service (RADIUS) is a protocol designed to authenticate remote users. With this feature, admins can now define a list of RADIUS servers that users can select during authentication. Previously, users could view all the available RADIUS servers and select ones they saw fit during authentication. Now, end users can select a RADIUS server from a predetermined list configured by the admin. This provides administrators more control over the end user authentication process and experience.
Admins can select the RADIUS servers available for users during authentication
Users can now select from the predefined list of RADIUS servers for authentication
Learn more about RADIUS server selection.
Single Sign-On (SSO)
OIDC Federation (Preview)
CyberArk Identity now supports external IdP authentication using the OpenID Connect (OIDC) protocol. Previously, you could only federate using the Security Assertion Markup Language (SAML) protocol. With this release, you can now configure federation with the OIDC protocol to log in to the CyberArk Identity SSO portal. This allows you to use authentication protocols that work with your existing identity providers and simplify the federation setup. OIDC federation is supported for tenant logins, CyberArk-hosted authentication pages and embedded authentication widgets.
Enable OIDC Federation
To enable the preview of the OIDC federation feature, please get in touch with CyberArk support.
Attribute Mapping for External Identity Provider (IdP) Federation (Preview)
You can now dynamically map a federated user’s attributes from an external IdP to Cloud Directory. With this feature, attribute changes on the external IdP side are automatically reflected in the cloud directory, which ensures the user will be federated successfully every time. This feature helps support Just in Time (JIT) provisioning by allowing users to be created and updated automatically when they log into their SSO. It also reduces IT admin workload and support costs by automatically updating attribute changes to ensure a successful user login every time.
Learn more about attribute mapping for external IdP federation.
For more information on the 23.3 release, please see the CyberArk Identity release notes.