Postman collection for CyberArk Identity authentication
This guide shows how to test the CyberArk Identity authentication APIs using a Postman collection. Postman is an HTTP API testing application that lets you monitor requests and responses.
Prerequisites
- Install Postman from https://www.postman.com/downloads/
- Get access to a CyberArk Identity tenant.
- Create a user in CyberArk Identity.
- Create a role and add the users to the role.
- Set up an [Authentication Profile].
- Create a Policy and assign a role to the policy.
- Ensure that the user has enrolled in the appropriate MFA.
Import Postman collection
Get started with Postman collection
Once the Postman collection is imported, pre-fill the following variables so that the collection can run the functionality you want to try out.
The variables can be added by selecting the variables tab, as shown above.
Authentication APIs:
The table below describes the mandatory variables required for this collection.
Variable name | Description | Purpose |
---|---|---|
tenant_url | The URL of the CyberArk Identity tenant (https://example.idaptive.app). The URL will be used for all API requests to CyberArk Identity. | Mandatory variable required for this collection. |
username | The username of the CyberArk Identity directory user. | Mandatory variable required for this collection. |
password | The password of the CyberArk Identity directory user. | The variable is required to authenticate with password. |
sq_answer | The answer to the security question asked at the time of login. | The variable is required to authenticate with security question. |
email_otp | The one-time password sent to the email address of the user at the time of login. | The variable is required to authenticate with email address. |
sms_otp | The one-time password sent to the registered mobile number of the user at the time of login. | The variable is required to authenticate with SMS. |
oath_otp | The time-based one-time password generated by the OATH OTP client. | The variable is required to authenticate with OATH OTP. |
qr_session_id | The session ID can be retrieved from the QR code displayed by the CyberArk Identity login screen. The QR code authenticator should use this session ID to submit the QR code. | The variable is required to authenticate with QR code. |
fido2_security_id | The credential ID generated by the FIDO2 authenticator. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
fido2_raw_id | The ArrayBuffer contained in the [[identifier]] internal slot. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
fido2_challenge | The challenge used for generating the newly created credential’s attestation object. This challenge can be generated using the /U2f/GetRegistrationChallenge API. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
fido2_authenticator_type | The FIDO2 authenticator type can either be "SECURITYKEY" for FIDO2 security key or "ONDEVICEAUTHENTICATOR" for on-device authenticator. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
fido2_attestation_object | The attestation object that contains authenticator data and attestation statement. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
fido2_client_data | This attribute, inherited from AuthenticatorResponse, contains the JSON-compatible serialization of client data. | The variable is required to authenticate either with FIDO2 security key or on-device authenticator. |
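
The FIDO2 variables in the table have to come from the same ceremony, and stale or mixed values are easy to paste in. The following is an added example, not part of the CyberArk collection: a hypothetical `checkFido2Variables` helper that decodes `fido2_client_data` and compares the `type`, `challenge` and `origin` fields defined by WebAuthn against `fido2_challenge` and `tenant_url`. It assumes the variables hold base64url strings and that the ceremony ran on the tenant's own origin; the sample values are constructed.

```javascript
// Added example (not from the CyberArk collection). Assumptions: the variables
// hold base64url strings, and the ceremony ran on the tenant's own origin.
const toB64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) =>
  Buffer.from(String(s).replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Returns a list of problems; an empty list means the variables are consistent.
function checkFido2Variables(vars, expectedType = 'webauthn.create') {
  let clientData;
  try {
    clientData = JSON.parse(fromB64url(vars.fido2_client_data).toString('utf8'));
    if (clientData === null || typeof clientData !== 'object') throw new Error('not an object');
  } catch (err) {
    return ['fido2_client_data does not decode to a JSON object'];
  }
  const problems = [];
  if (clientData.type !== expectedType) {
    problems.push(`type is ${clientData.type}, expected ${expectedType}`);
  }
  // Compare challenges as bytes so padding differences do not matter.
  const signed = fromB64url(clientData.challenge || '');
  const issued = fromB64url(vars.fido2_challenge || '');
  if (issued.length === 0 || !signed.equals(issued)) {
    problems.push('challenge in fido2_client_data does not match fido2_challenge');
  }
  let tenantOrigin = null; // stays null when tenant_url is not a valid URL
  try { tenantOrigin = new URL(vars.tenant_url).origin; } catch (err) { /* reported below */ }
  if (clientData.origin !== tenantOrigin) {
    problems.push(`origin ${clientData.origin} does not match tenant_url`);
  }
  if (!['SECURITYKEY', 'ONDEVICEAUTHENTICATOR'].includes(vars.fido2_authenticator_type)) {
    problems.push('fido2_authenticator_type must be SECURITYKEY or ONDEVICEAUTHENTICATOR');
  }
  return problems;
}

// Constructed sample values, not captured from a real tenant or authenticator.
const sampleChallenge = toB64url(Buffer.from('constructed-challenge'));
const sampleVars = {
  tenant_url: 'https://example.idaptive.app',
  fido2_challenge: sampleChallenge,
  fido2_authenticator_type: 'SECURITYKEY',
  fido2_client_data: toB64url(Buffer.from(JSON.stringify({
    type: 'webauthn.create', challenge: sampleChallenge, origin: 'https://example.idaptive.app',
  }))),
};
console.log(checkFido2Variables(sampleVars));
```

The default `expectedType` is `webauthn.create` because the table describes a challenge for a newly created credential; pass `webauthn.get` when the client data comes from an assertion.
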
Step-up authentication:
CyberArk Identity provides step-up authentication to protect sensitive apps with additional MFA challenges. This can be done by adding policies to the web apps as shown below:
The Postman collection includes requests for step-up authentication. To initiate step-up authentication, a challenge ID is required for the additional challenge. The "/Security/ChallengeUser" API can be used to generate the challenge ID. This API takes the following parameter as input:
Variable name | Description |
---|---|
authentication_profile_name | The name of the authentication profile that is added to the app policy. |
Once the challenge ID is generated, it can be passed to the "/Security/StartChallenge" API.