⚠️ Administrator Required: These steps must be performed by a CyberArk Identity administrator.
Step 1: Configure Security Settings
- Log in to your CyberArk Identity tenant as an administrator
- Navigate to Settings → Authentication → Security Settings
- In the "Specify Trusted DNS Domains for API Calls" section, add:
export.cybrdemo.eu
- Save the settings
Step 2: Create Web Application
- Navigate to Apps & Widgets → Web Apps
- Click "Add Web Apps"
- Click the "Custom" tab
- Click "Add" next to "OpenID Connect"
- Click "Yes" when asked "Do you want to add this application"
- Click "Close"
Step 3: Configure Application Settings
Settings Tab:
- Application ID: Enter a unique identifier (this becomes your oauthAppName parameter)
Example: OAuth_Demo
- Name: Enter a display name for the application
Example: Export Tool
Step 4: Configure Trust Settings
Trust Tab:
- Client Secret: Enter any random value (the tool uses PKCE, so the secret's value isn't important)
- Service Provider Configuration: Select "Login initiated by the relying party (RP)"
- Authorized Redirect URIs: Add the static redirect URI:
https://export.cybrdemo.eu/?callback=true
- Note: Copy the OpenID Connect Client ID (this becomes your clientId parameter)
Step 5: Enable Refresh Tokens
Tokens Tab:
- Enable "Issue refresh tokens"
Step 6: Configure Scopes
Scopes Tab:
- Click "Add" to create a new scope
- Name: Enter a scope name (this becomes part of your scope parameter)
Example: all
- Allowed REST APIs: Click "Add" and add these patterns:
/uprest/.*
/Folder/.*
- Save the scope
Step 7: Set Permissions
Permissions Tab:
- Add users or groups who should be able to export their credentials
- Grant appropriate permissions for the export functionality
Step 8: Save Configuration
- Click "Save" at the bottom of the page
- Make note of the configuration values for creating bookmarks
📌 Create User Bookmarks
Once configured, users can access the tool with a bookmark like:
https://export.cybrdemo.eu/?tenantId=abu4343&clientId=5f3437c3-baf0-40e9-a947-e5ed1dbd0dcc&oauthAppName=OAuth_Demo&scope=openid+all
Parameters:
- tenantId: Your CyberArk tenant identifier
- clientId: OpenID Connect Client ID from Step 4
- oauthAppName: Application ID from Step 3
- scope: "openid" + your custom scope from Step 6
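
An administrator handing out bookmarks can generate and check them with a short script. The following is an added example, not code from the export tool: the function names `buildBookmark` and `checkBookmark` are hypothetical, and it assumes the bookmark format and sample values shown above.

```javascript
// Added example (not the export tool's own code).
const TOOL_ORIGIN = "https://export.cybrdemo.eu"; // trusted domain from Step 1
const REQUIRED = ["tenantId", "clientId", "oauthAppName", "scope"];

// Build the bookmark from the values noted in Steps 3, 4 and 6.
function buildBookmark({ tenantId, clientId, oauthAppName, customScope }) {
  const values = { tenantId, clientId, oauthAppName, customScope };
  for (const [name, value] of Object.entries(values)) {
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`missing value: ${name}`);
    }
  }
  if (/\s/.test(customScope)) {
    throw new Error("customScope must be a single scope name");
  }
  const url = new URL("/", TOOL_ORIGIN);
  url.searchParams.set("tenantId", tenantId);
  url.searchParams.set("clientId", clientId);
  url.searchParams.set("oauthAppName", oauthAppName);
  // URLSearchParams encodes the space between scopes as "+".
  url.searchParams.set("scope", `openid ${customScope}`);
  return url.toString();
}

// Return a list of problems found in a bookmark before it is distributed.
function checkBookmark(bookmark) {
  let url;
  try {
    url = new URL(bookmark);
  } catch {
    return ["not a valid URL"];
  }
  const problems = [];
  if (url.origin !== TOOL_ORIGIN) {
    problems.push(`unexpected origin: ${url.origin}`);
  }
  for (const name of REQUIRED) {
    if (!url.searchParams.get(name)) problems.push(`missing parameter: ${name}`);
  }
  const scopes = (url.searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
  if (scopes.length > 0 && !scopes.includes("openid")) {
    problems.push("scope does not include openid");
  }
  if (scopes.length === 1 && scopes[0] === "openid") problems.push("custom scope missing");
  return problems;
}
```

The origin check matters because the trusted DNS domain (Step 1) and the authorized redirect URI (Step 4) are both bound to `export.cybrdemo.eu`; a bookmark pointing at any other host should not be distributed.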