CyberArk Identity uses OAuth 2.0 access tokens to authenticate API requests. You acquire access tokens on behalf of CyberArk Identity users by calling /Security/StartAuthentication. Clients requiring access to resources outside of a specific user's context should use the client credentials flow instead.
To identify the user being authenticated, CyberArk Identity needs their User identifier and TenantId.
Advance authentication
/Security/StartAuthentication initiates the user's authentication process. If the user exists, the response contains a Summary of either LoginSuccess or NewPackage.
You receive LoginSuccess when the request includes an .ASPXAUTH cookie from a prior successful authentication. Otherwise, NewPackage responses contain an authentication package consisting of one or two challenges the user must answer.
Each challenge must be completed using an MFA mechanism. Mechanisms can be either in-band or out-of-band (OOB). You collect in-band mechanism responses, such as passwords, directly from the user. Users must interact with out-of-band mechanisms, such as SMS codes, from outside of your app.
You complete authentication by calling /Security/AdvanceAuthentication sequentially, once for each mechanism the user chooses to answer.
Federated users
When you specify a User associated with a SAML or OIDC-based federation, the response contains a redirect to the external IdP.
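As an added example (not CyberArk's SDK or sample code), the following Python drives the flow described in the two sections above end to end: StartAuthentication with User and TenantId, the LoginSuccess short-circuit when an .ASPXAUTH cookie is presented, the NewPackage challenge loop with one in-band (password) and one out-of-band (SMS) mechanism answered sequentially through AdvanceAuthentication, and the redirect returned for a federated user. Only the names on this page are taken from it; the response envelope and the field names SessionId, Challenges, Mechanisms, MechanismId, Action, Answer, Token, StartNextChallenge and IdpRedirectUrl are assumptions for illustration, and FakeTenant is a constructed stand-in so the code runs offline.

```python
"""Added example, not CyberArk code. From the page: User, TenantId, Summary, LoginSuccess, NewPackage,
.ASPXAUTH and the two endpoint paths. Assumed (check against a real tenant): the {"success","Result"}
envelope, SessionId, Challenges, Mechanisms, MechanismId, Action, Answer, Token, StartNextChallenge,
IdpRedirectUrl. FakeTenant is a constructed offline stand-in."""
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Transport = Callable[[str, dict, dict], dict]      # (path, body, cookies) -> response; HTTPS POST for real
Chooser = Callable[[List[dict]], Tuple[str, str]]  # challenge's mechanisms -> (MechanismId, user's answer)

class AuthError(Exception):
    pass

def _unwrap(resp: dict) -> dict:
    if not resp.get("success"):
        raise AuthError(resp.get("Message", "request rejected"))
    return resp["Result"]

def authenticate(transport: Transport, user: str, tenant_id: str, answer_for: Chooser,
                 cookies: Optional[dict] = None) -> Tuple[str, str]:
    """Returns ("token", access_token) or ("redirect", idp_url); raises AuthError otherwise."""
    result = _unwrap(transport("/Security/StartAuthentication",
                               {"User": user, "TenantId": tenant_id}, cookies or {}))
    if "IdpRedirectUrl" in result:          # federated user: hand off to the external IdP
        return "redirect", result["IdpRedirectUrl"]
    summary = result.get("Summary")
    if summary == "LoginSuccess":           # a still-valid .ASPXAUTH cookie was presented
        return "token", result["Token"]
    if summary != "NewPackage":
        raise AuthError(f"unexpected Summary {summary!r}")
    session_id = result["SessionId"]
    for challenge in result["Challenges"]:  # one or two challenges, answered in order
        mechanism_id, answer = answer_for(challenge["Mechanisms"])
        result = _unwrap(transport("/Security/AdvanceAuthentication",
                                   {"SessionId": session_id, "MechanismId": mechanism_id,
                                    "Action": "Answer", "Answer": answer}, {}))
        summary = result.get("Summary")
        if summary == "LoginSuccess":
            return "token", result["Token"]
        if summary != "StartNextChallenge":
            raise AuthError(f"unexpected Summary {summary!r}")
    raise AuthError("package exhausted without LoginSuccess")  # only the server declares success

class FakeTenant:
    """Constructed tenant: one password+SMS user, one federated user, one live .ASPXAUTH cookie."""
    TENANT_ID = "ABC1234"

    def __init__(self) -> None:
        self.users = {"alice@example.com": {"password": "hunter2", "phone": "+15550100"}}
        self.federated = {"bob@partner.example": "https://idp.partner.example/sso"}
        self.valid_cookies = {"aspx-cookie-1"}
        self.sessions: Dict[str, dict] = {}
        self.sms_outbox: Dict[str, str] = {}  # phone -> code; the user reads it outside the app (OOB)

    def __call__(self, path: str, body: dict, cookies: dict) -> dict:
        if path == "/Security/StartAuthentication":
            return self._start(body, cookies)
        return self._advance(body)

    @staticmethod
    def _ok(**result: object) -> dict:
        return {"success": True, "Result": result}

    def _start(self, body: dict, cookies: dict) -> dict:
        if cookies.get(".ASPXAUTH") in self.valid_cookies:
            return self._ok(Summary="LoginSuccess", Token="tok-" + secrets.token_hex(4))
        user = body.get("User")
        if user in self.federated:
            return self._ok(IdpRedirectUrl=self.federated[user])
        if body.get("TenantId") != self.TENANT_ID or user not in self.users:
            return {"success": False, "Message": "user not found"}
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "step": 0}
        return self._ok(Summary="NewPackage", SessionId=sid, Challenges=[
            {"Mechanisms": [{"MechanismId": "m-up", "Name": "UP", "OutOfBand": False}]},
            {"Mechanisms": [{"MechanismId": "m-sms", "Name": "SMS", "OutOfBand": True}]}])

    def _advance(self, body: dict) -> dict:
        sess = self.sessions.get(body.get("SessionId"))
        if sess is None:
            return {"success": False, "Message": "no such session"}
        acct, answer = self.users[sess["user"]], str(body.get("Answer"))
        if sess["step"] == 0 and body.get("MechanismId") == "m-up":
            if not secrets.compare_digest(answer, acct["password"]):
                return {"success": False, "Message": "wrong password"}
            sess.update(step=1, code=f"{secrets.randbelow(10 ** 6):06d}")
            self.sms_outbox[acct["phone"]] = sess["code"]  # "sent" to the phone, never returned in-band
            return self._ok(Summary="StartNextChallenge")
        if sess["step"] == 1 and body.get("MechanismId") == "m-sms":
            if not secrets.compare_digest(answer, sess["code"]):
                return {"success": False, "Message": "wrong code"}
            del self.sessions[body["SessionId"]]
            return self._ok(Summary="LoginSuccess", Token="tok-" + secrets.token_hex(4))
        return {"success": False, "Message": "mechanism not valid at this step"}

def alice_answers(tenant: FakeTenant) -> Chooser:
    # App-side chooser: the password is collected in-band, the SMS code is read off the phone (OOB)
    def choose(mechanisms: List[dict]) -> Tuple[str, str]:
        m = mechanisms[0]
        return m["MechanismId"], ("hunter2" if m["Name"] == "UP" else tenant.sms_outbox["+15550100"])
    return choose
```

The client treats the user as authenticated only when the server's Summary is LoginSuccess; an exhausted package, an unexpected Summary, or a rejected request all raise rather than fall through. Replacing FakeTenant with a real transport means an HTTPS POST to the tenant that forwards the browser's cookie jar so an existing .ASPXAUTH cookie can short-circuit the package.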