CyberArk

Last Updated: April 07, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.

Configure Connection

To add and configure app properties for the Vasion Print connection, do the following:

  1. Create the CyberArk App.
  2. Add the IdP Settings Template.
  3. Configure Single Sign-On (SSO).
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add Vasion Print Admins.

1. Create the CyberArk App

  1. In your preferred browser, log in to your CyberArk portal.

  2. Select Apps & Widgets, and then select Web Apps.

    CyberArk portal showing expanded Apps & Widgets menu and Web Apps option.

  3. On the Web Apps screen, select Add Web Apps in the upper-right corner.
  4. In the Search tab, search for and select the PrinterLogic app.

  5. Select Add.

    CyberArk portal showing Search tab with PrinterLogic app result.

  6. In the Add Web App modal, select Yes to add the app.
  7. Close the Add Web Apps modal.
  8. Name your app, and select Save.
  9. Leave the current browser open on the new app screen for the following steps.

CyberArk portal showing Settings screen for new app.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

When configuring this IdP through Vasion Print, select the Custom option from the IdP Template dropdown menu.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.

  6. In the Provisioning section, if you are using Systems for Cross-domain Identity Management (SCIM), leave the JIT option deselected.

    By default, the Admin Console assumes that you are using SCIM for provisioning. Only select JIT if you are not using SCIM.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings:
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP or the admin and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Configure Single Sign-On (SSO)

  1. In the CyberArk app, select Trust from the side menu.
  2. In the Identity Provider Configuration section, select Manual Configuration.
  3. Copy the CyberArk Sign In URL, and paste it in the Vasion Print Admin Console SSO URL.
  4. Copy the CyberArk Issuer URL, and paste it in the Admin Console Issuer URL field.

  5. Cut the numerical portion (after app/) from the Issuer URL, and paste it in the Admin Console Issuer ID field.

    Issuer URL example: https://abc1234.my.idaptive.app/, Issuer ID: a1b2cd34-fb1f-4f71-9248-8675309d/

  6. Return to the CyberArk app, scroll down to the Service Provider Configuration section, and select Manual Configuration.
  7. Copy the Admin Console Identifier (Entity ID) URL, and paste it in the CyberArk SP Entity ID/ SP Issuer/Audience field.
  8. Copy the Admin Console Reply Url (ACS), and paste it in the CyberArk Assertion Consumer Service (ACS) URL field.
  9. In the CyberArk Recipient section, select the checkbox for Same as ACS URL.
  10. In the Sign Response or Assertion field, select Assertion.
  11. Copy the Admin Console Relay State URL, and paste it in the CyberArk Relay State field.
  12. Select Save in the CyberArk app.

CyberArk app showing Trust tab and Manual Configuration section with different URLs.

4. Add the X-509 Certificate

  1. Return to the Identity Provider Configuration section in the CyberArk app, and expand the Signing certificate section.
  2. Select Download.
  3. Open the file in your preferred text editor.

  4. Copy the certificate body, including the Begin / End headers, and paste it in the X-509 Certificate field in the Vasion Print Admin Console.

    Security Assertion Markup Language (SAML) certificate in Notepad showing body of content selected, including beginning and ending certificate lines.

  5. Select Apply in the Admin Console.
  6. Select Save in the upper-right corner of the General settings.

IdP Settings showing X-509 Certificate and other fields configured.

5. Complete IdP Settings

  1. In the General settings of the Vasion Print Admin Console, navigate to the Identity Provider Settings section.

  2. To have Vasion Print prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If you do not select this option, users must manually navigate to the IdP login screen to log in.

  3. We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.

    General settings showing Identity Provider Settings section with IdP option and other options selected.

  4. The option Use Domain User (Windows only) automatically authorizes domain-joined Windows users and does not require log in via the configured IdPs.
  5. Select Save in the upper-right corner of the General settings.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using Systems for Cross-domain Identity Management (SCIM) or Just-in-Time (JIT) provisioning. Choose the appropriate option below to view the corresponding steps.

SCIM Provisioning

Enable SCIM Provisioning

  1. In the CyberArk app, select Provisioning from the side menu.
  2. Select the checkbox for Enable provisioning for this application, and then select Yes.
  3. Select Live Mode.
  4. In the Vasion Print Admin Console, select IdP and then select Modify.

  5. In the IdP Settings modal, copy the SCIM Tenant URL from the Service Provider Information section, and then paste it in the CyberArk SCIM Service URL field.

  6. In the CyberArk Authorization Type section, select Authorization Header. For the header type, select Bearer Token.
  7. Close the Admin Console IdP Settings modal.

CyberArk app showing Provisioning tab with SCIM Service URL field completed.

Generate a SCIM Token

  1. In the Vasion Print General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration from the dropdown menu.

  3. Select Generate SCIM Token.

    Identity Provider Settings section showing SCIM option with IdP selected from dropdown menu and Generate SCIM Token button to right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Copy the token, close the modal, and select Save in the upper-right corner of the General settings.
  5. Paste the token in the CyberArk Bearer Token field.
  6. Select the Verify button to ensure communication.
  7. In the Sync Options section, enable the settings below:
    • Sync (overwrite) users to target application when existing users are found with the same principal name.
    • Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role.
    • Sync groups from local directory to target application (this option overrides any destination group selection in Role Mappings).
    • Disable user.
    • Deprovision (deactivate or delete) users in this application when they are disabled in the source directory.
  8. Select Save in the CyberArk app.

CyberArk app showing Provisioning tab, Verify button, and Sync Options section.

Add Roles & Users

  1. In the CyberArk portal, select Core Services and then Roles from the side menu.

    CyberArk portal showing expanded Core Services menu and Role option.

  2. Select Add Role.
  3. Name the role Vasion Admin.
    1. (Optional): Add a description and organization.
  4. Set the Role Type to Static.
  5. Select Save.
  6. From the side menu, select Members.
  7. Add any users that should have admin rights in Vasion Print to this role.
  8. From the side menu, select Assigned Applications.
  9. Select Add, and then locate and add the app that you created.
  10. Select Save.

CyberArk portal showing Roles modal and Description section.

Map the Role

  1. Navigate to the CyberArk app, and select the Provisioning tab.
  2. In Role Mappings, select Add.
  3. Select Vasion Admin from the Role dropdown menu.
  4. In the Destination Group section, select Add and Vasion Admin.
  5. Select Done.
  6. Select Save.

CyberArk app showing Provisioning tab and roles.

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.

  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

7. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.