# CyberArk User Portal Import

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FVx3vcawaXEus29CaFi0G%2FImport-Keeper-Cyberark.jpg?alt=media&#x26;token=5feb06a1-909a-4200-bad0-80848f2b5841" alt=""><figcaption></figcaption></figure>

Keeper Commander will log on to the CyberArk User Portal, retrieve Applications and Secured items, including Password items, and automatically create corresponding login records in Keeper.

```sh
keeper import --format=cyberark_portal abc1234
```

## Authentication

The import process will prompt for a username, which will be used to start the authentication process with the CyberArk Identity API. If the user is associated with another tenant, it will abort with the correct tenant in the output:

```
CyberArk User Portal username: myusername
Use mytenantname instead of abc1234 for user myusername.
```

Using the correct tenant name will allow authentication to proceed.

### CyberArk Identity Users

If the user is a CyberArk user, then it will prompt for a password:

```
keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************
```

The authentication process after that is dynamic, and in most cases will require additional factors or *challenges,* e.g., an OATH OTP Client code:

```
keeper import --format=cyberark_portal mytenantname
CyberArk User Portal username: myusername
CyberArk Identity Portal password: *************
Authentication code from OATH OTP Client: 123456
```

The import process will start once all the challenges have been completed successfully.

### Federated login (SSO)

If the user is federated, i.e., login uses an identity provider integrated with CyberArk using SAML or OpenID Connect (OIDC), then a CyberArk user with administrative privileges will need to create an *OAuth2 Client* Application for Keeper Commander in the Identity Administration portal for the import process to work.

#### Create the CyberArk OAuth2 Client Application

1. Log in to the *CyberArk Identity Administration* portal
2. Click *Web Apps* under *Apps & Widgets* on the left menu
3. Click the *Add Web Apps* button in the top-right
4. Click the *Add* button next to OAuth2 Client, then click the Yes button to confirm

   <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FNENEzkPpVJhlAxdQYTVc%2Fimage.png?alt=media&#x26;token=df7f85dc-5c3c-4cf8-9279-3e7dc0260f76" alt=""><figcaption></figcaption></figure>
5. Close the Add Web Apps dialog
6. Under *Application ID,* enter KeeperCommander
7. Under Description>*Name,* enter Keeper Commander OAuth2 Client
8. Click *General Usage* on the left and select *Anything* under *Client ID Type*
9. Click the *Add* button under Allowed Redirects and add <http://localhost:38389>

   <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F1g22W5MH9DsxNUGCG2Py%2Fimage.png?alt=media&#x26;token=08fbdbc4-9523-4c3b-8c7d-7afa4d841aa1" alt=""><figcaption></figcaption></figure>
10. Click *Tokens* on the left, then *uncheck* Implicit

    <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FCmfrnLBU8mdeHZOFFgIs%2Fimage.png?alt=media&#x26;token=794f8b79-3416-4856-89b3-ac9c3abd481b" alt=""><figcaption></figcaption></figure>
11. Click *Scopes* on the left, then click the *Add* button under Authorized Scopes
12. Enter the name UPData, then click the *Add* button under Allowed REST APIs
13. Enter the REST Regex *UPRest/Get.\**

    <figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FRNt6qtIYdEfKFJopyWmr%2Fimage.png?alt=media&#x26;token=77b99ffc-7d8a-4055-882a-d5f89f1ebe0d" alt=""><figcaption></figcaption></figure>
14. Click the *Save* button on the Authorized Scopes dialog
15. Click Permissions
16. Click the *Add* button and use the User, Group, or Role selection dialog to permit the appropriate user(s) access to the application by adding them with the (default) *Run* and *Automatically Deploy* permissions
17. Click the *Save* button

The Status of the Keeper Commander Application should now show as "Deployed" in green.

If it is not deployed correctly, users will receive an error response after successfully authenticating via the browser, and the import process will be aborted.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fx46LsA7I9vH8H4z65f7k%2Fimage.png?alt=media&#x26;token=076d39d4-23cc-490c-b5b1-19dbab8cdc74" alt=""><figcaption></figcaption></figure>

#### Logging in via the browser

The CyberArk Identity API will send a "redirect" when the import process starts authentication with a federated user. This redirect will be followed in the user's local browser to authenticate the user and authorize the OAuth2 Client Application.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fp1d6KvJmibmU0usn2GmJ%2Fimage.png?alt=media&#x26;token=b667a45d-8f0e-4443-9e0b-5d056e3a5475" alt=""><figcaption></figcaption></figure>

After the user authenticates successfully, the import process will use the OAuth2 authorization code that the CyberArk Identity API sends back to request an "access token," at which point the authentication (and authorization) process is complete.

If the user is not permitted to use the Keeper Commander OAuth2 Client application (per step 16 above), they will get an access\_denied error response, and the process will be aborted.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FUlfSEPM1F3PLIa4XUbWs%2Fimage.png?alt=media&#x26;token=8187b5b7-1b3f-4906-a887-7275a57f6f41" alt=""><figcaption></figcaption></figure>
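The redirect step described above, as an added example (not Keeper Commander's own code): a one-shot listener on the loopback address for the Allowed Redirects URL from step 9 that returns the authorization code or raises on an error such as access\_denied. The `state` check and the names `parse_redirect`, `wait_for_redirect` and `OAuthError` are assumptions of this example; the page does not describe how Commander implements this step.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

REDIRECT_PORT = 38389  # port of the Allowed Redirects entry (step 9)


class OAuthError(Exception):
    """The redirect carried an error or could not be trusted."""


def parse_redirect(path, expected_state):
    """Return the authorization code from the redirect's request path."""
    query = parse_qs(urlsplit(path).query)
    if "error" in query:  # e.g. access_denied when the user lacks permission
        raise OAuthError(query["error"][0])
    # Assumption: the client sent a random `state` and expects it echoed back.
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise OAuthError("state_mismatch")
    if "code" not in query:
        raise OAuthError("missing_code")
    return query["code"][0]


def wait_for_redirect(expected_state, port=REDIRECT_PORT):
    """Serve exactly one request on the loopback interface and parse it."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(self.path, expected_state)
                status, body = 200, b"Authorization code received. Close this tab."
            except OAuthError as exc:
                result["error"] = exc
                status, body = 400, b"Authentication failed."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the code out of stderr logs
            pass

    # Bind to 127.0.0.1 only, so other hosts cannot deliver a callback.
    with HTTPServer(("127.0.0.1", port), Handler) as server:
        server.handle_request()
    if "code" not in result:
        raise result.get("error", OAuthError("no_callback"))
    return result["code"]
```

The returned code is what the import process would then exchange for the access token; that request is not shown because the page does not give the token endpoint.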

## Importing Items

The import process will list the *Applications* and iterate through them to create Keeper login records for each one. It will then do the same with Secured items, which include Passwords. Passwords will import as login records, and secured items will become Secure Notes.

```
Authentication successful
Importing 2 Applications:
 Application                              Username
---------------------------------------  ----------
My Network Provider | My Account         12345
NotAmazon.com • Login - myusername       myusername

Importing 2 Secured Items:
 Name
---------------
Sample password
Sample note

Import complete
```
