CyberArk - How do I link my account?

How to link your CyberArk account to Merge

Written by Matthew Ho
Updated over a week ago

Overview

To authenticate with CyberArk, you will need to provide the following information:

  • Tenant URL

  • OAuth Client Application ID

  • Client ID

  • Client Secret

This guide will walk you through finding or creating those credentials within CyberArk.

Prerequisites

Please ensure you fulfill all the requirements to set up the integration:

  • You are an Administrator in your company's CyberArk instance, or someone has shared their access with you.

Instructions

Step 1: Log in to your CyberArk Admin Portal

  1. Log in to your CyberArk portal via your organization’s tenant URL. The portal home page should look something like this:

  2. Switch to the admin portal view by clicking on the grid symbol next to “Identity User Portal” and selecting “Admin Portal”

  3. Now your web page’s top left corner should look like this:

Step 2: Create a SCIM client role

  1. Navigate to “Core Services” > “Roles”:

  2. Click “Add Role” in the top left corner

  3. Name your role “SCIM Client” and click “Save”. You will be automatically redirected to the settings page for the new role

  4. Under “Administrative Rights,” click “Add,” search for/select “User Management”, and click “Save”

    Note that you need to select “User Management”, not “Read Only User Management”

  5. Click “Save”

Step 3: Create a custom OAuth client

  1. Navigate to “Apps & Widgets” > “Web Apps”:

  2. Click “Add Web Apps” in the top right corner

  3. On the Custom tab, next to the “OAuth2 Client” entry, click “Add”:

  4. In the Add Web App screen, click “Yes” to add the application

  5. Click the “Close” button of the “Add Web Apps” modal. You will be redirected to a screen for configuring your OAuth2 client

  6. On the Settings page, complete the following fields:

    • Application ID: any arbitrary value you choose, e.g. scim_oauth_client

      • This is a unique key used to build the OAuth2 endpoint URL

      • This is the Application ID that must be entered during the linking flow

  7. On the General Usage page, complete the following fields to specify the types of credentials that can be used to authorize with this server:

    • Client ID Type: Check the boxes “Confidential” and “Must be OAuth Client”

  8. On the Tokens page, complete the following fields:

    • Token Type: JwtRS256

    • Auth methods: Client Creds

    • Access token lifetime: 5 hours

  9. On the Scope page, click Add and create a new scope as follows:

    • Name: SCIMAPIScope

    • Allowed REST APIs:

      • click Add

      • add an entry with the text "scim"

    Note: Please enter these fields exactly as shown

  10. On the Permissions page, add the SCIM client role that we set up in Step 2 and make sure the Run permission box is checked

  11. Click Save at the bottom of the page

Step 4: Create a CyberArk service user

  1. Navigate to “Core Services” > “Users”

  2. Click “Add User” in the top right corner

  3. Complete the following fields:

    • Login name

      • This field, combined with the @ symbol and chosen suffix, will become your username and Client ID. In the below example, that full value is “CLIENT_ID_PREFIX@merge”

    • Display name (set to whatever you want)

    • Password (this field will become your password and Client Secret)

    • Check the box under the “Status” section labeled “Is OAuth confidential client”. Upon clicking this box, you should see the email field grayed out, and the “is service user” box checked automatically

  4. Navigate back to “Core Services” > “Roles” and open the SCIM client role we created in Step 2

  5. Under the “Members” section, click “Add” and then add your newly created user

  6. Click “Save”

Step 5: Enter information in the linking flow

  1. Back in the linking flow, enter the URL used to log into the CyberArk portal

  2. Next, enter the Application ID you created from step 3.6 above

  3. On the following page, enter your Client ID and Secret/password from step 4.3
