Postman collection for CyberArk Identity authentication

This guide helps you test the CyberArk Identity authentication APIs using a Postman collection. Postman is an HTTP API testing application that allows you to monitor requests and responses.

Prerequisites

Import the Postman collection

Run in Postman

Get started with the Postman collection

Once the Postman collection is imported, pre-fill the following variables before running it, depending on the functionality you want to try out.

The variables can be added by selecting the variables tab, as shown above.

Authentication APIs:

The table below describes the mandatory variables required for this collection.

| Variable name | Description | Purpose |
| --- | --- | --- |
| tenant_url | The URL of the CyberArk Identity tenant (https://example.idaptive.app). The URL will be used for all API requests to CyberArk Identity. | Mandatory variable required for this collection. |
| username | The username of the CyberArk Identity directory user. | Mandatory variable required for this collection. |
| password | The password of the CyberArk Identity directory user. | The variable is required to authenticate with password. |
| sq_answer | The answer to the security question asked at the time of login. | The variable is required to authenticate with security question. |
| email_otp | The one-time password sent to the email address of the user at the time of login. | The variable is required to authenticate with email address. |
| sms_otp | The one-time password sent to the registered mobile number of the user at the time of login. | The variable is required to authenticate with SMS. |
| oath_otp | The time-based one-time password generated by the OATH OTP client. | The variable is required to authenticate with OATH OTP. |
| qr_session_id | The session ID can be retrieved from the QR code displayed on the CyberArk Identity login screen. This session ID should be used by the QR code authenticator to submit the QR code. | The variable is required to authenticate with QR code. |
| fido2_security_id | The credential ID generated by the FIDO2 authenticator. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
| fido2_raw_id | The ArrayBuffer contained in the [[identifier]] internal slot. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
| fido2_challenge | The challenge used for generating the newly created credential's attestation object. This challenge can be generated using the /U2f/GetRegistrationChallenge API. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
| fido2_authenticator_type | The FIDO2 authenticator type can either be "SECURITYKEY" for FIDO2 security key or "ONDEVICEAUTHENTICATOR" for on-device authenticator. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
| fido2_attestation_object | The attestation object that contains authenticator data and attestation statement. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
| fido2_client_data | This attribute, inherited from AuthenticatorResponse, contains the JSON-compatible serialization of client data. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
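
A preflight check for the variables in the table above, as an added example that is not part of the original guide or of CyberArk's collection. It assumes the variables are read from the "variable" array of an exported Postman collection; the https requirement and the stored-secret warning are policies of this example, and the function and constant names are hypothetical.

```javascript
// Added example. Input: the "variable" array of an exported Postman collection
// (v2.1 layout, [{ key, value }]). Variable names come from the table above.
const MANDATORY = ["tenant_url", "username"];
const MECHANISMS = {
  "password": ["password"],
  "security question": ["sq_answer"],
  "email": ["email_otp"],
  "SMS": ["sms_otp"],
  "OATH OTP": ["oath_otp"],
  "QR code": ["qr_session_id"],
  "FIDO2": ["fido2_security_id", "fido2_raw_id", "fido2_challenge",
    "fido2_authenticator_type", "fido2_attestation_object", "fido2_client_data"],
};
const FIDO2_TYPES = ["SECURITYKEY", "ONDEVICEAUTHENTICATOR"];
// Assumption of this example: long-lived secrets should not sit in a shared file.
const LONG_LIVED_SECRETS = ["password", "sq_answer"];

function preflight(variableArray) {
  const vars = {};
  for (const { key, value } of variableArray) vars[key] = String(value ?? "").trim();
  const filled = (k) => Boolean(vars[k]);
  const errors = [], warnings = [], ready = [];
  for (const k of MANDATORY) if (!filled(k)) errors.push(`missing mandatory variable: ${k}`);
  if (filled("tenant_url")) {
    let url = null;
    try { url = new URL(vars.tenant_url); } catch { errors.push("tenant_url is not a valid URL"); }
    // Assumption: credentials and OTPs must only travel over TLS.
    if (url && url.protocol !== "https:") errors.push("tenant_url must use https");
  }
  for (const [name, keys] of Object.entries(MECHANISMS)) {
    const missing = keys.filter((k) => !filled(k));
    if (missing.length === 0) ready.push(name);
    else if (missing.length < keys.length) errors.push(`${name}: missing ${missing.join(", ")}`);
  }
  if (filled("fido2_authenticator_type") && !FIDO2_TYPES.includes(vars.fido2_authenticator_type))
    errors.push("fido2_authenticator_type must be SECURITYKEY or ONDEVICEAUTHENTICATOR");
  for (const k of LONG_LIVED_SECRETS)
    if (filled(k)) warnings.push(`${k} has a stored value; clear it before sharing the file`);
  return { ready, errors, warnings };
}

// Constructed sample values, not a real tenant or account.
const sample = [
  { key: "tenant_url", value: "http://example.idaptive.app" },
  { key: "username", value: "user@example" },
  { key: "password", value: "constructed-value" },
  { key: "fido2_security_id", value: "constructed-id" },
];
console.log(preflight(sample));
```

A mechanism is reported as ready only when every variable it needs is filled; a partially filled FIDO2 set is reported as an error rather than silently skipped.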

Step-up authentication:

CyberArk Identity provides step-up authentication to protect sensitive apps with additional MFA challenges. This can be done by adding policies to the web apps as shown below:

The Postman collection provides a collection for step-up authentication. To initiate the step-up authentication, a challenge ID is required for the additional challenge. The "/Security/ChallengeUser" API can be used to generate the challenge ID. This API takes the following parameter as input:

| Variable name | Description |
| --- | --- |
| authentication_profile_name | The name of the authentication profile that is added to the app policy. |

Once the challenge ID is generated, it can be passed to the "/Security/StartChallenge" API.