CyberArk Privileged Access Manager
CyberArk Privileged Access Manager (PAM) protects your most sensitive accounts and credentials. Pairing it with BlokSec removes passwords from the authentication step entirely — users access the vault by approving a push notification or scanning a QR code, with authentication backed by hardware-bound cryptographic keys.
BlokSec supports two integration protocols for CyberArk PAM: OIDC and SAML 2.0. Choose whichever your environment supports — the end-user experience is identical.
Prerequisites
Before you begin, make sure you have:
- A BlokSec admin account with permission to create applications
- Administrator access to your CyberArk PVWA (Password Vault Web Access)
- At least one user with the BlokSec authenticator app installed and their account provisioned in BlokSec
OIDC integration
Create the CyberArk OIDC application
- In the BlokSec admin console, go to Applications and click Add Application → Create From Template
- Select the CyberArk OIDC template
- Configure the application:
| Field | Value |
|---|---|
| Name | Any name meaningful to your organization |
| Session length | 60 minutes (default) |
| Redirect URI | https://[CyberArk_PVWA_FQDN]/PasswordVault/api/Auth/OIDC/BlokSec/Token |
- Click Save, then click Generate App Secret
- Note the Application ID and App Secret — you’ll need both in the next step
Configure OIDC authentication in PVWA
- In your CyberArk PVWA, navigate to Administration → OIDC Authentication
- Enter the following values:
| Field | Value |
|---|---|
| Display name | Passwordless Login (customizable) |
| Provider ID | BlokSec (customizable) |
| Discovery URL | https://api.bloksec.io/oidc/.well-known/openid-configuration |
| Client ID | Application ID from BlokSec |
| Client Authentication method | Basic |
| Client Secret | App Secret from BlokSec |
| User name claim | preferred_username |
- Enable the OpenID provider and click Save
- Under AllowedReferrers, add an entry with Base URL https://api.bloksec.io
- In Configuration Options, enable the OIDC authentication method
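The table above maps onto three things PVWA does at run time: it reads the discovery document at the Discovery URL, it sends the Client ID and App Secret to the token endpoint as an HTTP Basic credential (that is what "Client Authentication method: Basic" selects), and it only accepts callbacks on the Redirect URI registered in BlokSec. The script below, an added example that is not CyberArk or BlokSec code, checks those three pieces offline so a misconfiguration can be caught before users are switched over. The discovery document and the issuer value `https://api.bloksec.io/oidc` are constructed for illustration; the real document is whatever the Discovery URL in the table returns.

```python
"""Offline sanity checks for the PVWA <-> BlokSec OIDC settings.

Added example, not CyberArk or BlokSec code. SAMPLE_DISCOVERY is a constructed
stand-in for the document served at the Discovery URL in the PVWA table.
"""
import base64
import json
from urllib.parse import quote, urlsplit

# Fields PVWA needs to redirect the user and then exchange the code for tokens.
REQUIRED_DISCOVERY_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Path from the Redirect URI row of the BlokSec application table (matched exactly).
PVWA_OIDC_CALLBACK_PATH = "/PasswordVault/api/Auth/OIDC/BlokSec/Token"

# Constructed discovery document; every value here is an assumption for illustration.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://api.bloksec.io/oidc",
  "authorization_endpoint": "https://api.bloksec.io/oidc/auth",
  "token_endpoint": "https://api.bloksec.io/oidc/token",
  "jwks_uri": "https://api.bloksec.io/oidc/jwks",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "claims_supported": ["sub", "email", "preferred_username"]
}""")


def check_discovery(doc, expected_issuer, username_claim="preferred_username"):
    """Return a list of problems; an empty list means PVWA can use this document."""
    problems = []
    for field in REQUIRED_DISCOVERY_FIELDS:
        if field not in doc:
            problems.append(f"missing {field}")
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for field in REQUIRED_DISCOVERY_FIELDS:
        url = doc.get(field)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{field} is not https")
    # RFC 8414: when the list is absent the default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("provider does not advertise client_secret_basic (PVWA 'Basic')")
    claims = doc.get("claims_supported")
    if claims is not None and username_claim not in claims:
        problems.append(f"{username_claim} not in claims_supported")
    return problems


def basic_credentials(client_id, client_secret):
    """RFC 6749 2.3.1: percent-encode each part, then join with ':'."""
    return f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"


def basic_auth_header(client_id, client_secret):
    """Authorization header a client using 'Basic' sends to the token endpoint."""
    raw = basic_credentials(client_id, client_secret).encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_redirect_uri(uri, pvwa_fqdn):
    """True only for an exact https match of the PVWA callback on the given host."""
    parts = urlsplit(uri)
    return (parts.scheme == "https"
            and parts.netloc.lower() == pvwa_fqdn.lower()
            and parts.path == PVWA_OIDC_CALLBACK_PATH
            and not parts.query and not parts.fragment)


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://api.bloksec.io/oidc"))
    print(basic_auth_header("abc", "xyz"))  # secret is a constructed value
    print(check_redirect_uri(
        "https://pvwa.example.com/PasswordVault/api/Auth/OIDC/BlokSec/Token", "pvwa.example.com"))
```

Run `check_discovery` against the live document with the issuer you expect; a mismatch there, or a `token_endpoint` that is not HTTPS, is the kind of detail that otherwise only surfaces as an opaque login failure in PVWA. `check_redirect_uri` is deliberately strict (scheme, host, path, no query or fragment) because redirect URIs are compared exactly, so a stray trailing slash in either console breaks the flow.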
SAML integration
Create the CyberArk SAML application
- In the BlokSec admin console, go to Applications and click Add Application → Create From Template
- Select the CyberArk (SAML) template
- Configure the application:
| Field | Value |
|---|---|
| Assertion Consumer Service (ACS) URL | https://[resource_name]/PasswordVault/api/auth/saml/logon |
| Name ID Format | EmailAddress |
- Click Save, then download the BlokSec SAML metadata file — you’ll need it in the next step
Configure SAML authentication in PVWA
- Under AllowedReferrers, add an entry with Base URL https://api.bloksec.io
- In Configuration Options, enable the SAML authentication method
- Create a saml.config file from the CyberArk template and populate it with the values from the BlokSec metadata file you downloaded
Enforce passwordless-only authentication
Once the integration is verified, you can require passwordless login exclusively by disabling all other authentication methods in CyberArk’s Configuration Options. This prevents users from falling back to passwords.
Verifying the integration
- Open a private/incognito browser window
- Navigate to your CyberArk PVWA login page
- Select the BlokSec / Passwordless Login option
- Approve the sign-in on the BlokSec mobile app
- Confirm you are granted access to the vault