pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Add support for new Shared Services platform #402

Closed hjbotha-cybr closed 1 year ago

hjbotha-cybr commented 2 years ago

Is your feature request related to a problem? Please describe.
CyberArk have just released a new platform which changes the way users are managed in Privilege Cloud. It's not possible to log on to the platform with the existing methods.

I've added initial support for the new platform in a fork here which you can use as an example: https://github.com/hjbotha-cybr/psPAS

This adds support for logging on using an OAuth confidential client.

Describe the solution you'd like
Support for the new platform! The changes are:

Describe alternatives you've considered
I tried to see if it was possible to authenticate another way, but none of the existing methods seemed feasible.

Additional context
Since authentication is now provided by Identity instead of Privilege Cloud handling it itself, authentication is done against a different domain. Therefore I have added an argument - LogonBaseUri. The response we get when authenticating is now a JSON object, like this:

{
    "access_token": "<~1700 character token>",
    "token_type": "Bearer",
    "expires_in": 900
}

We use it by passing an Authorization header with content:

Bearer <access_token>

pspete commented 2 years ago

Thanks for the suggestion @hjbotha-cybr, an interesting proposition...

psPAS is over 5 years old now; regularly updated, but very much geared toward standard / self-hosted environments. Undecided as of yet on any future direction for psPAS and the wider product portfolio...

Current thinking is, without a SaaS environment available to the project to test & develop module features, there is no option for Shared Services / Privilege Cloud / Identity specific features to be able to be included in the module yet. Identity specifically is more likely a completely separate module/project.

This feature does sound like a valuable addition though, perhaps there are other ways support can be built and maintained?

Because everyone has to use it before using any other module commands, we get more questions logged and receive more emails about New-PASSession than any other command - For any update to New-PASSession, the project needs to be able to develop/test/fix module code - so keen to hear any ideas on enabling the user journey for users who need it, without a SaaS tenant available, thus no options for replicating behaviour or testing any changes 😄 ...

hjbotha-cybr commented 2 years ago

Hi Pete,

Thus far, this library has been working perfectly with Privilege Cloud as is, so I feel the latter option is viable (creates a session which can be imported using Use-PASSession).

There are a few additional differences apart from authentication. Would you be open to accounting for these in other cmdlets where possible?

For example, the MemberType value in Add Safe Member is now mandatory, so that would need to be added as a parameter in Add-PASSafeMember.

pspete commented 2 years ago

Open to it, yes of course. Will need some thought as to if or how to make parameters like this mandatory for PCloud, but not for Self-Hosted...

hjbotha-cybr commented 2 years ago

I think generally we can do without the distinction and leave it up to the user to add as required. Any alternative might require either a kludge to detect when it's the new platform (like checking the URL), or a change to the psPAS.CyberArk.Vault.Session object. This is further complicated by the fact that there are currently two flavours of Privilege Cloud.

In the meantime I've drafted a short script to create a session object that Use-PASSession can import: https://github.com/hjbotha-cybr/New-CyberarkPlatformSession

I'll let you know about any other changes I become aware of.

Thanks!
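The two pieces described in this thread, the OAuth confidential-client logon against the Identity domain (first comment: JSON response with access_token, token_type and expires_in, used as a Bearer Authorization header) and the session object that Use-PASSession can import (comment above), as one added PowerShell example. This is not code from psPAS or from hjbotha-cybr's fork or script. The token endpoint path (/oauth2/platformtoken), the session property names (BaseURI, WebSession) and the type name psPAS.CyberArk.Vault.Session are assumptions that must be checked against your tenant and your psPAS version; the sample token response at the end is constructed so the second function can be exercised offline.

```powershell
# Added example, not from psPAS or the fork referenced in this issue.
# Assumptions (not stated in the issue): the Identity token endpoint path,
# and that Use-PASSession accepts an object carrying BaseURI plus a
# WebSession whose headers hold the Bearer token.

function Get-PlatformToken {
    # Exchanges confidential-client credentials for a platform token at the
    # Identity domain given by -LogonBaseUri (the argument the issue adds).
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$LogonBaseUri,      # e.g. https://<tenant>.id.cyberark.cloud (assumed form)
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret # keep the secret out of plain strings in scripts
    )
    # Expose the plaintext secret only for the duration of the request.
    $secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    try {
        $body = @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $secret
        }
        # Endpoint path is an assumption; confirm it for your tenant.
        $uri = "$($LogonBaseUri.TrimEnd('/'))/oauth2/platformtoken"
        Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
    }
    finally {
        # Drop the plaintext reference as soon as the call returns.
        $secret = $null
    }
}

function ConvertTo-PlatformSession {
    # Validates the token response and wraps it in a session-shaped object
    # whose WebSession carries "Authorization: Bearer <access_token>".
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]$TokenResponse,  # object with access_token, token_type, expires_in
        [Parameter(Mandatory)][string]$BaseUri # Privilege Cloud API base URI, e.g. https://<sub>.privilegecloud.cyberark.cloud/PasswordVault
    )
    if ($TokenResponse.token_type -ne 'Bearer') {
        throw "Unexpected token_type '$($TokenResponse.token_type)'; only Bearer is handled."
    }
    if ([string]::IsNullOrWhiteSpace($TokenResponse.access_token)) {
        throw 'Token response carried no access_token.'
    }
    $expiresIn = [int]$TokenResponse.expires_in
    if ($expiresIn -le 0) { throw "Token response reports a non-positive expires_in ($expiresIn)." }

    $webSession = [Microsoft.PowerShell.Commands.WebRequestSession]::new()
    $webSession.Headers['Authorization'] = "Bearer $($TokenResponse.access_token)"

    [PSCustomObject]@{
        PSTypeName = 'psPAS.CyberArk.Vault.Session' # assumed to match the module's session type
        BaseURI    = $BaseUri.TrimEnd('/')
        WebSession = $webSession
        StartTime  = Get-Date
        ExpiresAt  = (Get-Date).AddSeconds($expiresIn) # 900 s in the issue's sample response
    }
}

# Offline check on a constructed token response (no network call, no real token).
$sampleResponse = '{ "access_token": "constructed.sample.token", "token_type": "Bearer", "expires_in": 900 }' |
    ConvertFrom-Json
$session = ConvertTo-PlatformSession -TokenResponse $sampleResponse -BaseUri 'https://example.privilegecloud.cyberark.cloud/PasswordVault'
if (-not $session.WebSession.Headers['Authorization'].StartsWith('Bearer ')) { throw 'Authorization header not set.' }
if ($session.ExpiresAt -le (Get-Date)) { throw 'Expiry was not computed from expires_in.' }

# Live use against a tenant (commented out: needs real credentials and the assumed endpoint):
# $token = Get-PlatformToken -LogonBaseUri 'https://<tenant>.id.cyberark.cloud' `
#     -ClientId 'svc-account@example' -ClientSecret (Read-Host -AsSecureString 'Client secret')
# ConvertTo-PlatformSession -TokenResponse $token -BaseUri 'https://<sub>.privilegecloud.cyberark.cloud/PasswordVault' |
#     Use-PASSession
```

The ExpiresAt property is not something psPAS tracks for you; it is there so a calling script can re-run Get-PlatformToken before the 900-second lifetime from the sample response runs out instead of discovering the expiry through a failed command. The secret is taken as a SecureString and converted only inside the request so it does not linger in script variables or transcripts.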

walidhammad commented 1 year ago

@hjbotha-cybr thank you that helped me

nidhinckgithub commented 1 year ago

@hjbotha-cybr Thanks a lot. Finally, I can authenticate :)

pspete commented 1 year ago

Added support for this now, see Example 23