Modern cybersecurity is no longer limited to protecting servers, endpoints, or applications. In 2026, identity has become the new security perimeter. Organizations must continuously secure users, applications, cloud services, privileged accounts, APIs, workloads, and machine identities across hybrid infrastructures.
This is where the combination of CyberArk and SailPoint delivers one of the most powerful identity security and governance ecosystems available today.
CyberArk Identity Administration provides centralized administration and authentication services for CyberArk SaaS solutions, while SailPoint enables enterprise-grade Identity Governance and Administration (IGA). Together, these platforms help organizations automate provisioning, enforce governance, improve compliance, and strengthen security controls across enterprise environments.
In this detailed guide, you will learn:
▪ What CyberArk Identity Administration is
▪ CyberArk Identity Security Platform Shared Services (ISPSS)
▪ Identity Administration architecture and workflows
▪ Security fundamentals and MFA best practices
▪ Identity Connector deployment requirements
▪ User provisioning models
▪ Service users and role-based access
▪ SailPoint SCIM integration with CyberArk
▪ OAuth2 configuration and bearer token creation
▪ SCIM provisioning workflows
▪ Real-world enterprise implementation scenarios
▪ Security best practices for Identity Governance
CyberArk Identity Administration is the centralized identity management and provisioning component of CyberArk Identity Security Platform Shared Services (ISPSS).
It provides a unified interface to:
▪ Provision users
▪ Configure authentication
▪ Manage identity lifecycle
▪ Apply role-based access control
▪ Configure MFA and passwordless authentication
▪ Generate audit and security reports
▪ Manage access to CyberArk SaaS services
Identity Administration acts as the core identity layer for CyberArk’s cloud ecosystem.
CyberArk Identity Security Platform Shared Services is a unified SaaS administration platform that integrates multiple CyberArk security solutions.
The Shared Services platform currently integrates with:
▪ CyberArk Privilege Cloud
▪ Dynamic Privileged Access
▪ Cloud Entitlements Manager
▪ Identity Administration
The platform provides:
▪ Centralized user administration
▪ Unified authentication controls
▪ Role-based access management
▪ Single Sign-On (SSO)
▪ Multi-Factor Authentication (MFA)
▪ Lifecycle management
▪ Cross-platform audit visibility
This centralized approach improves operational efficiency and simplifies enterprise identity governance.
Learn more about CyberArk architecture here:
👉 CyberArk Privilege Cloud Complete Guide 2026
Identity attacks are now one of the biggest cybersecurity threats globally.
Attackers commonly target:
▪ Privileged accounts
▪ Cloud identities
▪ Session tokens
▪ MFA workflows
▪ Password reset mechanisms
▪ Identity providers
CyberArk Identity Administration helps organizations mitigate these threats through centralized identity security controls.
Key benefits include:
▪ Strong MFA enforcement
▪ Passwordless authentication
▪ Role-based authorization
▪ Identity lifecycle automation
▪ Unified audit visibility
▪ Compliance reporting
▪ Risk reduction across SaaS services
CyberArk strongly recommends implementing layered security controls to protect identity infrastructure.
The platform follows modern identity security principles aligned with:
▪ Zero Trust Security
▪ NIST recommendations
▪ Least Privilege Access
▪ Strong MFA enforcement
▪ Identity verification workflows
MFA is one of the most critical controls for protecting identities.
CyberArk recommends enabling MFA for:
▪ VPN access
▪ Identity Administration portals
▪ Server logins
▪ Workstation authentication
▪ Sensitive applications
▪ Privileged account access
Recommended authentication methods include:
▪ FIDO2 hardware keys
▪ Passkeys
▪ Biometrics
▪ Mobile push authentication
▪ MFA number matching
CyberArk also supports passwordless authentication to reduce credential theft risks.
Strong password policies complement MFA protections.
CyberArk recommends:
▪ Passwords longer than 12 characters
▪ Complex passphrases
▪ Unique passwords per system
▪ Password expiration within 90 days
▪ Avoiding reused passwords
▪ Enterprise-grade password managers
Poor password hygiene remains one of the largest attack vectors in identity compromise.
Session hijacking remains a major threat in cloud environments.
CyberArk recommends:
▪ Restricting session duration
▪ Configuring short inactivity timeouts
▪ Monitoring session anomalies
▪ Applying session protection policies
Sessions should generally not exceed 12 hours.
One of the most important security principles is minimizing administrative access.
Organizations should:
▪ Reduce the number of privileged administrators
▪ Create role-specific permissions
▪ Use read-only roles where possible
▪ Separate administrative duties
▪ Use approval workflows for elevated access
This significantly reduces the attack surface.
The Identity Connector enables integration between on-premises identity systems and CyberArk cloud services.
It supports:
▪ Active Directory integration
▪ LDAP integration
▪ User synchronization
▪ Password management
▪ Authentication services
▪ Lifecycle management
The connector acts as a bridge between enterprise infrastructure and CyberArk cloud services.
CyberArk recommends deploying at least two connectors for redundancy.
Minimum requirements include:
▪ Windows Server 2016 or later
▪ 8 GB RAM
▪ 2-core CPU
▪ Internet connectivity
▪ .NET Framework 4.5 or later
Best practices include:
▪ Avoid installing on Domain Controllers
▪ Harden the server using CIS benchmarks
▪ Install antivirus protection
▪ Restrict unnecessary network protocols
▪ Protect local administrator accounts
Connector hardening is critical for securing identity infrastructure.
Recommended controls include:
▪ Endpoint hardening
▪ PAM controls for administrative access
▪ Windows patch management
▪ Removal of unnecessary server roles
▪ Restriction of inbound traffic
▪ Secure RADIUS configurations
▪ Anti-malware protection
Identity infrastructure should always be treated as a Tier-0 security asset.
Identity Administration supports two major user types.
Interactive Users
Interactive users access:
▪ User Portal
▪ Shared CyberArk services
▪ SaaS applications
Users can authenticate through:
▪ Active Directory
▪ LDAP
▪ Microsoft Entra ID
▪ Google Workspace
▪ SAML-based Identity Providers
Service Users
Service users are designed for:
▪ API integrations
▪ Automation workflows
▪ SCIM provisioning
▪ Machine-to-machine communication
Service users:
▪ Cannot access the User Portal
▪ Typically bypass MFA
▪ Operate with least privilege access
▪ Support OAuth2 authentication
Roles determine which CyberArk services and permissions users can access.
Administrators can:
▪ Assign users to roles
▪ Configure service-level permissions
▪ Apply least privilege models
▪ Restrict administrative functions
Users must belong to at least one role before accessing services.
A typical CyberArk provisioning workflow includes:
▪ Preparing deployment prerequisites
▪ Receiving tenant onboarding details
▪ Configuring Identity Administration
▪ Installing Identity Connector
▪ Integrating external directories
▪ Configuring MFA
▪ Assigning roles
▪ Inviting users to services
This creates a centralized identity governance workflow.
Before onboarding users, organizations must:
▪ Collect ISPSS tenant details
▪ Configure InstallerUser credentials
▪ Validate server prerequisites
▪ Configure network and firewall rules
▪ Prepare Active Directory permissions
This ensures smooth deployment and integration.
InstallerUser is a built-in Identity Administration account used for connector installation.
Important notes:
▪ Password expires every 24 hours
▪ Full login name format is required
▪ Only alphanumeric passwords are recommended
▪ Used during connector installation workflows
This improves security during deployment operations.
All CyberArk Identity Administration communications are outbound only.
Required outbound connectivity includes:
▪ TCP 443
▪ TCP 80 for certificate validation services
Organizations should avoid:
▪ Deep packet inspection of SSL traffic
▪ Blocking CyberArk cloud domains
▪ Restricting certificate validation endpoints
Proper network configuration is essential for reliable connector operations.
One of the most powerful capabilities in modern identity governance is SCIM provisioning integration between SailPoint and CyberArk.
SCIM (System for Cross-domain Identity Management) enables automated synchronization between identity governance platforms and target systems.
Learn more about SailPoint Identity Security Cloud here:
👉 SailPoint Identity Security Cloud User Guide 2026
And compare IIQ vs ISC here:
👉 SailPoint IdentityIQ vs Identity Security Cloud (ISC) – Complete Comparison 2026
SCIM integration enables SailPoint to provision:
▪ Users
▪ Groups
▪ Group memberships
▪ Safes
▪ Safe permissions
▪ Privileged account data
This allows centralized identity governance using SailPoint while leveraging CyberArk privileged access controls.
The SCIM integration begins by creating a service user.
This service user acts on behalf of SailPoint when sending provisioning requests to Identity Administration.
Configuration includes:
▪ Creating the user
▪ Enabling OAuth confidential client mode
▪ Configuring password policies
▪ Assigning service-user permissions
The next step involves assigning administrative rights through roles.
Required permissions may include:
▪ Role management
▪ User management
▪ Vault management
These permissions depend on the CyberArk solution being integrated.
The OAuth2 Client App enables secure API authentication.
Configuration includes:
▪ JWT token settings
▪ Client Credentials grant type
▪ SCIM API scopes
▪ Automatic deployment permissions
OAuth2 secures API communication between SailPoint and CyberArk.
Bearer tokens are used by SailPoint to authenticate SCIM API requests.
The bearer token configuration involves:
▪ Client ID
▪ Client Secret
▪ Access permissions (scopes)
▪ Token expiration policies
Organizations should rotate bearer tokens regularly to limit the window in which a leaked token can be replayed.
The provisioning process typically follows this sequence:
▪ SailPoint detects identity changes
▪ SCIM API request is generated
▪ Identity Administration validates the request
▪ User/group updates are processed
▪ CyberArk services receive updated identities
This creates automated identity lifecycle management.
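The OAuth2 client credentials exchange and the SCIM request it protects, as an added illustration (not code from the page, CyberArk or SailPoint): the service user's client ID and secret go only to the token endpoint, the short-lived bearer token is what accompanies the SCIM call, the token's expiry is checked so it is rotated before it fails, and a SCIM Error response is recognised. The tenant URL, app ID and credentials are placeholders, and the JWT is constructed unsigned for offline use.

```python
import base64
import json
import urllib.parse

# Placeholder endpoints (assumed shape; take the real values from your Identity Administration tenant).
TOKEN_URL = "https://TENANT.id.cyberark.cloud/oauth2/token/APP_ID"
SCIM_USERS_URL = "https://TENANT.id.cyberark.cloud/scim/v2/Users"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def token_request(client_id, client_secret, scope):
    """Client Credentials grant: the service user's client ID/secret travel only in the
    HTTP Basic header of the token request; SCIM calls later carry just the bearer token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_URL, headers, body


def jwt_exp(access_token):
    """Read 'exp' from the JWT payload to schedule rotation. Signature verification is the
    resource server's job, so none is attempted here (never trust other claims this way)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]


def needs_rotation(access_token, now, margin=300):
    """True when the token expires within `margin` seconds: request a new one before it fails."""
    return jwt_exp(access_token) - now <= margin


def scim_create_user(access_token, username, email, display_name):
    """Build the SCIM 2.0 POST that SailPoint would send to create a user in Identity Administration."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/scim+json"}
    body = {"schemas": [SCIM_USER_SCHEMA], "userName": username, "displayName": display_name,
            "active": True, "emails": [{"value": email, "primary": True}]}
    return SCIM_USERS_URL, headers, body


def parse_scim_response(status, body):
    """Return (ok, detail): 201 with an 'id' is success; SCIM failures use the Error schema."""
    if status == 201 and "id" in body:
        return True, body["id"]
    if SCIM_ERROR_SCHEMA in body.get("schemas", []):
        return False, f"{body.get('status')} {body.get('scimType', '')}: {body.get('detail')}".strip()
    return False, f"unexpected status {status}"


def constructed_token(exp):
    """Constructed, unsigned JWT for offline demonstration only (real tokens are signed by the tenant)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp, 'scope': 'scim'})}."
```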
The combined solution delivers:
▪ Automated identity governance
▪ Centralized privileged access management
▪ Reduced manual provisioning effort
▪ Faster onboarding and offboarding
▪ Improved compliance reporting
▪ Better audit visibility
▪ Stronger identity security posture
This is especially valuable for enterprise-scale environments.
Organizations integrating SailPoint with CyberArk PAM solutions should understand the differences between deployment models.
Read more here:
👉 Difference Between CyberArk Privilege Cloud and PAM Self-Hosted
And here:
👉 CyberArk Secure Infrastructure Access (SIA) vs PSM Complete Guide
CyberArk Identity Administration provides centralized monitoring capabilities.
Organizations should monitor:
▪ Authentication attempts
▪ Failed logins
▪ Provisioning activity
▪ API usage
▪ MFA enrollment status
▪ Suspicious behavior patterns
Logs should also be forwarded to SIEM platforms such as Splunk.
For successful implementation:
▪ Use MFA everywhere possible
▪ Enforce least privilege access
▪ Harden Identity Connector servers
▪ Monitor provisioning logs regularly
▪ Review policy assignments carefully
▪ Test SCIM integrations before production rollout
▪ Rotate bearer tokens periodically
▪ Use passwordless authentication where possible
Identity security should always be treated as a continuous process.
If you want hands-on experience with CyberArk Privilege Cloud, Identity Administration, SCIM provisioning, and enterprise PAM deployments, explore the following training:
👉 CyberArk Privilege Cloud Self-Paced Online Training
CyberArk Identity Administration combined with SailPoint Identity Governance creates a powerful enterprise identity security ecosystem capable of managing both standard and privileged identities across hybrid infrastructures.
By integrating SCIM provisioning, OAuth2 authentication, centralized governance, MFA enforcement, and automated lifecycle management, organizations can significantly strengthen their cybersecurity posture while improving operational efficiency.
As identity attacks continue to rise in 2026, enterprises must adopt modern identity governance and privileged access management solutions to secure users, applications, cloud environments, APIs, and machine identities.
Organizations implementing CyberArk and SailPoint together gain:
▪ Stronger identity governance
▪ Centralized privileged access security
▪ Automated provisioning workflows
▪ Reduced compliance risk
▪ Improved operational efficiency
▪ Enhanced visibility across identities and access
Identity security is no longer optional. It is now the foundation of enterprise cybersecurity.
Copyright 2022 SecApps Learning. All Right Reserved