CyberArk User Portal Import
Migrating CyberArk User Portal Applications and Secured items to Keeper

Keeper Commander will log on to the CyberArk User Portal, retrieve Applications and Secured items, including Password items, and automatically create corresponding login records in Keeper.
keeper import --format=cyberark_portal abc1234
Authentication
The import process will prompt for a username, which is used to start authentication with the CyberArk Identity API. If the user is associated with another tenant, the import will abort and print the correct tenant name:
CyberArk User Portal username: myusername
Use mytenantname instead of abc1234 for user myusername.
Using the correct tenant name will allow authentication to proceed.
CyberArk Identity Users
If the user is a CyberArk user, then it will prompt for a password:
keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************
The authentication process after that is dynamic, and in most cases will require additional factors or challenges, e.g., an OATH OTP Client code:
keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************
Authentication code from OATH OTP Client: 123456
The import process will start once all the challenges have been completed successfully.
Federated login (SSO)
If the user is federated, i.e., login uses an identity provider integrated with CyberArk using SAML or OpenID Connect (OIDC), then a CyberArk user with administrative privileges will need to create an OAuth2 Client Application for Keeper Commander in the Identity Administration portal for the import process to work.
Create the CyberArk OAuth2 Client Application
1. Log in to the CyberArk Identity Administration portal
2. Click Web Apps under Apps & Widgets on the left menu
3. Click the Add Web Apps button in the top-right
4. Click the Add button next to OAuth2 Client, then click the Yes button to confirm
5. Close the Add Web Apps dialog
6. Under Application ID, enter KeeperCommander
7. Under Description > Name, enter Keeper Commander OAuth2 Client
8. Click General Usage on the left and select Anything under Client ID Type
9. Click the Add button under Allowed Redirects and add http://localhost:38389
10. Click Tokens on the left, then uncheck Implicit
11. Click Scopes on the left, then click the Add button under Authorized Scopes
12. Enter the name UPData, then click the Add button under Allowed REST APIs
13. Enter the REST Regex UPRest/Get.*
14. Click the Save button on the Authorized Scopes dialog
15. Click Permissions
16. Click the Add button and use the User, Group, or Role selection dialog to permit the appropriate user(s) access to the application by adding them with the (default) Run and Automatically Deploy permissions
17. Click the Save button
The Status of the Keeper Commander Application should now show as "Deployed" in green.
If it is not deployed correctly, users will receive an error response after successfully authenticating via the browser, and the import process will be aborted.

Logging in via the browser
The CyberArk Identity API will send a "redirect" when the import process starts authentication with a federated user. This redirect will be followed in the user's local browser to authenticate the user and authorize the OAuth2 Client Application.

After the user authenticates successfully, the import process will use the OAuth2 authorization code that the CyberArk Identity API sends back to request an "access token," at which point the authentication (and authorization) process is complete.
If the user is not permitted to use the Keeper Commander OAuth2 Client application (per step 16 above), they will get an access_denied error response, and the process will be aborted.
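The redirect handling described above, as an added example (not Keeper Commander's own code): a listener that accepts one callback on the loopback interface at the port registered under Allowed Redirects, rejects a response whose state does not match the login attempt, and surfaces access_denied. The state parameter, the 127.0.0.1 bind address, and all function names are assumptions; the page does not show how Commander implements this step.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

REDIRECT_HOST, REDIRECT_PORT = "127.0.0.1", 38389  # port from Allowed Redirects


class CallbackError(Exception):
    """The redirect did not carry a usable authorization code."""


def new_state():
    """Unguessable per-login value sent with the authorization request."""
    return secrets.token_urlsafe(32)


def parse_callback(request_target, expected_state):
    """Return the authorization code from the redirect's request target."""
    params = parse_qs(urlsplit(request_target).query)
    # Tie the response to the login this process started before trusting it.
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: response is not for this login")
    if "error" in params:  # e.g. access_denied when the user lacks permission
        raise CallbackError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackError("expected exactly one authorization code")
    return codes[0]


def wait_for_callback(expected_state):
    """Serve a single request on loopback only and return its code."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
            except CallbackError as exc:
                result["error"] = exc
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"You can close this tab.")

        def log_message(self, *args):  # keep the code out of console logs
            pass

    with HTTPServer((REDIRECT_HOST, REDIRECT_PORT), Handler) as server:
        server.handle_request()
    if "code" not in result:
        raise result.get("error", CallbackError("no callback received"))
    return result["code"]
```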

Importing Items
The import process will list the Applications and iterate through them to create Keeper login records for each one. It will then do the same with Secured items, which include Passwords. Passwords will import as login records, and secured items will become Secure Notes.
Authentication successful
Importing 2 Applications:
Application                             Username
--------------------------------------- ----------
My Network Provider | My Account        12345
NotAmazon.com • Login - myusername      myusername
Importing 2 Secured Items:
Name
---------------
Sample password
Sample note
Import complete

