
Authenticators

An authenticator provides the ability to authenticate to a CyberArk Identity Security Platform (ISP) resource. The authentication is based on authentication profiles, where the authentication profile defines the authentication method and its associated settings.

Here's an example of how to initialize and use an authenticator:

package main

import (
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
)

func main() {
    // false: do not cache the authentication credentials
    ispAuth := auth.NewIdsecISPAuth(false)
    _ = ispAuth // call ispAuth.Authenticate(...) with a profile and a secret before using any service
}

Note

The constructor's boolean argument determines whether the authentication credentials are cached.

Authenticators have a base authenticate method that receives a profile as input and returns an auth token. Additionally, the IdsecISPAuth class exposes functions to retrieve a profile's authentication methods and settings. The returned token can normally be ignored, because the authenticator saves it internally and uses it for subsequent calls.

The supported authenticator types and auth methods are:

Authenticator types

Two authenticator types are supported, both derived from the IdsecAuth interface:

  • IdsecISPAuth – for CyberArk Identity Security Platform (ISP / cloud). Accepts the Identity (default) and IdentityServiceUser auth methods.
  • IdsecPVWAAuth – for self-hosted CyberArk PVWA (Password Vault Web Access). Accepts the PVWA auth method and authenticates via the PVWA REST API (/PasswordVault/API/auth/{method}/Logon). Use auth.NewIdsecPVWAAuth(cacheAuthentication).

Auth methods

  • Identity (identity) - Identity authentication to a tenant, or to an application within the Identity tenant, used with the IdentityIdsecAuthMethodSettings class
  • IdentityServiceUser (identity_service_user) - Identity authentication with a service user, used with the IdentityServiceUserIdsecAuthMethodSettings class
  • PVWA (pvwa) - PVWA username/password authentication for self-hosted CyberArk, used with PVWAIdsecAuthMethodSettings (PVWAURL, PVWALoginMethod: cyberark, ldap, or windows)
  • Direct (direct) - Direct authentication to an endpoint, used with the DirectIdsecAuthMethodSettings class
  • Default (default) - Default authenticator auth method for the authenticator
  • Other (other) - For custom implementations

See idsec_auth_method.go for more information about auth methods.

SDK authenticate example

ISP

Here is an example authentication flow that implements the IdsecISPAuth class:

package main

import (
    "fmt"
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "github.com/cyberark/idsec-sdk-golang/pkg/services/identity"
    "os"
)

func main() {
    // false: do not cache the authentication credentials
    ispAuth := auth.NewIdsecISPAuth(false)
    _, err := ispAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:           "user@cyberark.cloud.12345",
            AuthMethod:         authmodels.Identity,
            AuthMethodSettings: &authmodels.IdentityIdsecAuthMethodSettings{},
        },
        &authmodels.IdsecSecret{
            // The password is read from the environment rather than hard-coded
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
    // The token returned by Authenticate is stored inside the authenticator,
    // so the authenticator itself is what the service clients receive
    identityAPI, err := identity.NewIdsecIdentityAPI(ispAuth.(*auth.IdsecISPAuth))
    if err != nil {
        panic(err)
    }
    fmt.Printf("authenticated; identity API client ready: %T\n", identityAPI)
}

The example above initializes an instance of the IdsecISPAuth class and authenticates to the specified ISP tenant, using the Identity authentication type with the provided username and the password read from the IDSEC_SECRET environment variable.

The authenticate method returns a token, which can usually be ignored because it is stored internally.

After authenticating, the authenticator can be used to access the required services.

PVWA

Here is an example authentication flow that implements the IdsecPVWAAuth class:

package main

import (
    "github.com/cyberark/idsec-sdk-golang/pkg/auth"
    authmodels "github.com/cyberark/idsec-sdk-golang/pkg/models/auth"
    "os"
)

func main() {
    // false: do not cache the authentication credentials
    pvwaAuth := auth.NewIdsecPVWAAuth(false)
    _, err := pvwaAuth.Authenticate(
        nil,
        &authmodels.IdsecAuthProfile{
            Username:   "admin",
            AuthMethod: authmodels.PVWA,
            AuthMethodSettings: &authmodels.PVWAIdsecAuthMethodSettings{
                // Logon goes to <PVWAURL>/PasswordVault/API/auth/<method>/Logon
                PVWAURL:         "https://pvwa.example.com",
                PVWALoginMethod: authmodels.PVWALoginMethodCyberArk,
            },
        },
        &authmodels.IdsecSecret{
            // The password is read from the environment rather than hard-coded
            Secret: os.Getenv("IDSEC_SECRET"),
        },
        false,
        false,
    )
    if err != nil {
        panic(err)
    }
}

The example above initializes an instance of the IdsecPVWAAuth class and authenticates to the specified PVWA instance, using the PVWA authentication type with the provided username, the password read from the IDSEC_SECRET environment variable, the PVWA URL, and the login method (cyberark, ldap, or windows).

The authenticate method returns a token, which can usually be ignored because it is stored internally.

After authenticating, the authenticator can be used to access the required services.
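As an added example that is not part of the SDK or of this page's own code, the following standalone Go program models two checks a caller can make before handing a profile to either authenticator: which authenticator type accepts a given auth method, per the Authenticator types and Auth methods lists above, and the PVWA REST logon endpoint (/PasswordVault/API/auth/{method}/Logon) that a PVWAURL and PVWALoginMethod resolve to, rejecting non-https URLs and login methods outside cyberark, ldap and windows. The helper names authenticatorFor and pvwaLogonURL and the host pvwa.example.com are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// authenticatorFor (hypothetical helper, not an SDK function) maps an auth
// method identifier (identity, identity_service_user, pvwa) to the name of
// the authenticator type that accepts it, per the lists above.
func authenticatorFor(method string) (string, error) {
	switch strings.ToLower(strings.TrimSpace(method)) {
	case "identity", "identity_service_user":
		return "IdsecISPAuth", nil
	case "pvwa":
		return "IdsecPVWAAuth", nil
	}
	return "", fmt.Errorf("auth method %q is accepted by neither IdsecISPAuth nor IdsecPVWAAuth", method)
}

var pvwaLoginMethods = map[string]bool{"cyberark": true, "ldap": true, "windows": true}

// pvwaLogonURL (hypothetical helper) resolves PVWAURL and PVWALoginMethod to
// the PVWA REST logon endpoint /PasswordVault/API/auth/{method}/Logon. It
// fails closed on plain http (the logon request carries the password) and
// on login methods other than cyberark, ldap and windows.
func pvwaLogonURL(pvwaURL, loginMethod string) (string, error) {
	u, err := url.Parse(pvwaURL)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("invalid PVWAURL %q", pvwaURL)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("PVWAURL %q must use https", pvwaURL)
	}
	m := strings.ToLower(loginMethod)
	if !pvwaLoginMethods[m] {
		return "", fmt.Errorf("unsupported PVWALoginMethod %q (want cyberark, ldap or windows)", loginMethod)
	}
	u.Path = strings.TrimRight(u.Path, "/") + "/PasswordVault/API/auth/" + m + "/Logon"
	u.RawQuery, u.Fragment = "", ""
	return u.String(), nil
}

func main() {
	// Constructed sample values; pvwa.example.com is not a real host.
	kind, _ := authenticatorFor("pvwa")
	logon, err := pvwaLogonURL("https://pvwa.example.com/", "cyberark")
	fmt.Println(kind, logon, err)
}
```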