Added

• N/A

Updated

• Tests updated for latest module commands
• Applies a general code format update across module functions ensuring consistency.

Fixed

• Add-PASSafeMember & Set-PASSafeMember
  • Resolves issue introduced in previous release where, when adding or setting safe permissions in a loop, the loop could break preventing completion fo the task.
  • Thanks Slasky86!!
• Get-PASDependentAccount
  • Fixes result pagination to ensure all results are returned on command execution.
  • Fixes incorrect filter string being used for request in certain circumstances.
• Set-PASPTASMTP
  • Fixes validation logic when specifying parameter values from the pipeline
• Get-PASAccount
  • Ensures dynamic parameters are only presented for Self-Hosted users.
  • Thanks JP-Consulting!!!
• Get-PASAccountSearchProperty
  • Enforces command to only be able to be run against self-hosted solutions.
• Get-PASPTASecurityConfigurationCategory
  • Fixes issue where URI for request may not be set on command execution.

7.0.209

Special shout out to JP-Consulting for the help on this release

Update includes almost all updates for the 14.2, 14.4 & 14.6 CyberArk Self-Hosted Releases

Added

• Enable-PASTheme
  • New 14.6 command to activate a custom UI theme
  • Thanks JP-Consulting!!!
• Remove-PASTheme
  • New 14.6 command to delete a custom UI theme
  • Thanks JP-Consulting!!!
• Import-PASThemeImage
  • New 14.6 command to import an image to use in a custom UI theme
• Export-PASThemeImage
  • New 14.6 command to export an image used in a custom UI theme
• Reset-PASTheme
  • New 14.6 command to reset the UI theme to default
• Publish-PASTheme
  • New 14.6 command to change the draft status of a custom UI theme
• Get-PASTheme
  • New 14.6 command to return details of custom UI themes
• New-PASTheme
  • New 14.6 command to create a new custom UI theme
• Set-PASTheme
  • New 14.6 command to update a custom UI theme
• Get-PASStoredPlatform
  • New 14.6 command to get details of platforms stored in memory for import
• Remove-PASStoredPlatform
  • New 14.6 command to delete a stored platform from memory
• Get-PASUserLicenseReport
  • Returns information about usage of Privilege Cloud user licenses
• Get-PASReport
  • New 14.6 command to list reports available to your user
• Get-PASReportSchedule
  • New 14.6 command to list report schedules
• New-PASReportSchedule
  • New 14.6 command to create a scheduled report
• Export-PASReport
  • New 14.6 command to export an available report
• Remove-PASUserAllowedAuthenticationMethod
  • New 14.4 command to remove allowed authentication methods from multiple users in a single request
• Add-PASUserAllowedAuthenticationMethod
  • New 14.4 command to add allowed authentication methods to multiple users in a single request
• Remove-PASFIDO2Device
  • New 14.6 command to remove a configured FIDO2 device from a user
  • Thanks JP-Consulting!!!
• Get-PASMasterPolicy
  • New 14.6 command to list Master Policy settings
• Set-PASMasterPolicy
  • New 14.6 command to update Master Policy settings
• Remove-PASDependentAccount
  • New 14.6 command to delete dependent accounts
• Resume-PASDependentAccount
  • New 14.6 command to resume password management of dependent accounts
  • Thanks JP-Consulting!!!
• Get-PASDependentAccount
  • New 14.6 command to list details of dependent accounts
• Sync-PASDependentAccount
  • New 14.6 command to synchronise the password of a dependent account with its master account
  • Thanks JP-Consulting!!!
• Set-PASDependentAccount
  • New 14.6 command to update a dependent account
• Add-PASDependentAccount
  • New 14.6 command to add a new dependent account
• Remove-PASPTASecurityConfigurationProperty
  • New 14.6 command to delete PTA security configuration properties
  • Thanks JP-Consulting!!!
• Reset-PASPTASecurityConfigurationProperty
  • New 14.6 command to reset PTA security configuration properties
  • Thanks JP-Consulting!!!
• Reset-PASPTASecurityConfigurationCategory
  • New 14.6 command to reset PTA security configuration categories
  • Thanks JP-Consulting!!!
• Get-PASPTASecurityConfigurationCategory
  • New 14.6 command to return PTA security configuration categories
  • Thanks JP-Consulting!!!
• Add-PASPTASyslog
  • New 14.6 command to add a new syslog configuration to PTA
  • Thanks JP-Consulting!!!
• Remove-PASPTASyslog
  • New 14.6 command to remove a syslog configuration from PTA
  • Thanks JP-Consulting!!!
• Set-PASPTASMTP
  • New 14.4 command to add a new SMTP configuration to PTA
  • Thanks JP-Consulting!!!
• Get-PASAccountSearchProperty
  • New 14.6 command to list configured search properties

Updated

• Add-PASSafeMember
  • Updated to include permission pre-sets to match functionality available via PVWA
  • Thanks Slasky86!!
• Set-PASSafeMember
  • Updated to include permission pre-sets to match functionality available via PVWA
  • Thanks Slasky86!!
• Get-PASAccount
  • Updated to handle new quoting model for filter operations in version 14.6
  • Adds dynamic search properties to the filter parameters list
  • Thanks JP-Consulting!!!
• Add-PASAccount
  • Added AllowAccountDuplications parameter, which works in conjunction with the 14.6 AccountDuplicationEnforcementLevel setting
• Import-PASPlatform
  • New parameter sets added to support updating existing platforms and side-by-side imports
• New-PASDirectoryMapping, Set-PASDirectoryMapping
  • Added the allowedAuthenticationMethods parameter
  • Thanks JP-Consulting!!!
• New-PASUser, Set-PASUser
  • Added the allowedAuthenticationMethods parameter
  • Thanks JP-Consulting!!!
• Get-PASComponentSummary
  • Now includes vault replication data in command output
  • Thanks JP-Consulting!!!
• Approve-PASRequest
  • Adds support for bulk approvals using a single request
• Deny-PASRequest
  • Adds support for bulk rejections using a single request
• New-PASAccountPassword
  • Updated to include additional error checking
• New-PASAccountObject
  • Updated to create formatted objects for Dependent Account operations
• Get-PASSafe
  • Fixed issue with incorrectly defined sort parameter
  • Adds sortDirection parameter to enable ascending or descending sort of safes by SafeName or Managing CPM
• Script Methods
  • ToCredential()
    • Available on password objects
    • Allows password values returned from the API to be converted to Credential objects
  • GetPermissions()
    • Available on Safe Member objects
    • Enables conversion of safe ACL to hashtable which can be used to splat against Add-PASSafeMember & Set-PASSafeMember
  • ToHashtable()
    • Available on Account objects.
    • Converts an Account object to a hashtable so that it can be splatted against Add-PASAccount
• Various corrections to help file contents

Fixed

• Get-PASSAMLResponse
  • Fixes a responsibly disclosed security vulnerability where TLS 1.2 was not enforced when a value for the SAMLResponse parameter was not provided to the New-PASSession command when using the Gen2SAML ParameterSet.
  • Much Respect to Cristian Gaber for highlighting this to us.
• Get-PASAccountPassword
  • Fixes a parsing issue that could affect password values returned from the command.
  • Thanks ChristopherRanney!!
• Add-PASPublicSSHKey, Get-PASPublicSSHKey, Remove-PASPublicSSHKey
  • Corrects the URLs used by the commands
  • Thanks JP-Consulting!!!

Added

• N/A

Updated

• N/A

Fixed

• Set-PASUser
  • Adds logic to not attempt conversion to unix time if expiry date is not a valid datetime object, this resolves an issue where an error was raised when updating an account with an existing value for the expirydate property
  • Adds logic to not apply time zone offset when specifying Unix epoch time to remove an expiry date from an account which could previously result in an invalid time value in non-GMT time zones.

6.4.80

Includes a general update across multiple module commands to ensure commands which are specific to self-hosted implementations are not able to be run against Privilege Cloud, and any commands which are specific to Privilege Cloud are not able to be run against a Self-Hosted solution.

Added

• Get-PASIPAllowList
  • Privilege Cloud only command to show IP Allow List
• Set-PASIPAllowList
  • Privilege Cloud only command to set IP Allow List
• Get-PASBYOKConfig
  • Privilege Cloud only command to show BYOK Config
• Publish-PASDiscoveredLocalAccount
  • Privilege Cloud only command to publish discovered local account
• Get-PASDiscoveredLocalAccountActivity
  • Privilege Cloud only command to show discovered local account activity
• Get-PASDiscoveredLocalAccount
  • Privilege Cloud only command to show local discovered account details
• Clear-PASDiscoveredLocalAccount
  • Privilege Cloud only command to delete all discovered local accounts from the Pending Accounts list.
• Add-PASDiscoveredLocalAccount
  • Privilege Cloud only command to add a specific local account to the Discovered Accounts list
• Remove-PASDiscoveredLocalAccount
  • Privilege Cloud only command to remove a local account from the Discovered Accounts list

Updated

• Invoke-PASRestMethod
  • Improvements to error handling

Fixed

• Get-PASPSMRecording
  • Fixes result paging issue
• Get-PASPSMSession
  • Fixes result paging issue

Added

• N/A

Updated

• Get-PASPSMRecording
  • In-line with PVWA default operation:
    • Changed the default limit for each page of results to 100, in-line with PVWA default values
    • Updated to return recordings from the last 48 hours by default when FromTime & ToTime parameters are not specified.
  • When specifying ToTime without FromTime, recordings from the 48 hours before ToTime are returned.
    • This avoids potential for unintentionally long running queries which return details of many recording from the vault.
• Set-PASUser
  • Updated to query for, and send, any existing user properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the user object.
    • This update allows single properties to be updated without having to specify all properties.
  • Allows Empty argument for unAuthorizedInterfaces & vaultAuthorization parameters to enable set values to be cleared.
  • Corrects ValidateSet for unAuthorizedInterfaces parameter.
• Set-PASSafe
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
• Set-PASOpenIDConnectProvider
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
    • Number of mandatory parameters required to be specified has been reduced
• Set-PASPTARule
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
    • Number of mandatory parameters required to be specified has been reduced
• Set-PASDirectoryMapping
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
    • Number of mandatory parameters required to be specified has been reduced
• New-PASOnboardingRule
  • Reordered parameters to simplify tab completion options
• Set-PASOnboardingRule
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
    • Number of mandatory parameters required to be specified has been reduced
• Set-PASPlatformPSMConfig
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
    • Number of mandatory parameters required to be specified has been reduced
• Set-PASSafeMember
  • Updated to query for, and send, any existing properties, which are not being specifically updated, with the request.
    • Previously, due to the PUT operation used by the API, any properties not specified in a request would be cleared on the object.
    • This update allows single properties to be updated without having to specify all properties.
• New-PASUser
  • In-line with update to Set-PASUser
    • Allows Empty argument for unAuthorizedInterfaces & vaultAuthorization parameters.
    • Corrects ValidateSet for unAuthorizedInterfaces parameter.
• Get-PASComponentDetail
  • Adds assertion that command specifying PTA component must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Add-PASAccountACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Get-PASAccountACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Remove-PASAccountACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Invoke-PASCPMOperation
  • Adds assertion that Gen1 verify task must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Set-PASAccount
  • Adds assertion that Gen1 task must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Close-PASSession
  • Adds assertion that Shared Authentication logoff request is executed against a self hosted implementation as invocation against privilege cloud is not supported.
• New-PASSession
  • Adds assertion that Shared Authentication logon request is executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Add-PASPolicyACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Get-PASPolicyACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Remove-PASPolicyACL
  • Adds assertion that command must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Remove-PASSafeMember
  • Adds assertion that command using Gen1 parameters must be executed against a self hosted implementation as invocation against privilege cloud is not supported.
• Assert-VersionRequirement
  • Updates helper function to provide ability to assert if command is being run against self-hosted or privilege cloud implementation.

Fixed

• N/A

Introducing enhancements to psPAS session related data.

Using the Get-PASSession command, users of the module can now get data on session start time, elapsed time since authentication as well as details of the last command run, the raw results returned from the api, as well as any detail of the last error which may have been received during the session.

This update makes troubleshooting API commands and expected results much easier from both an end user and module support perspective.

PS> Get-PASSession

Name                           Value
----                           -----
BaseURI                        https://sometenant.privilegecloud.cyberark.cloud/PasswordVault
User                           someuser@cyberark.cloud.1312
ExternalVersion                14.0.0
WebSession                     Microsoft.PowerShell.Commands.WebRequestSession
StartTime                      20/02/2024 18:14:01
ElapsedTime                    00:04:03
LastCommand                    System.Management.Automation.InvocationInfo
LastCommandTime                20/02/2024 18:18:03
LastCommandResults             {"Users":[{"id":26,"username":"someuser@somedomain.com","source":"CyberArk","userType":"SomeType",...
LastError                      {"ErrorCode":"PASWS041E","ErrorMessage":"You are not authorized to perform this action."}
LastErrorTime                  20/02/2024 18:13:12

To realise this update, lots of module wide changes to all module commands have been required; while no change to the general operation of the psPAS module should be noticed - do raise an issue if something does not appear correct.

Added

• N/A

Updated

• Get-PASSession
  • makes additional information available to users running the command
    • authentication time
    • session length
    • last command and result data
    • last error details
• New-PASPSMSession
  • RDP and PSMGW connections will be automatically opened when issuing connection request.
• New-PASSession
  • Adds logic around getting the logged on user name for either self-hosted or privilege cloud deployments
• PSM Session Data Formats
  • Adds Start & End to standard table view output
  • Formats Start & End as standard datetime instead of unixtime.

Fixed

• Add-PASGroupMember,Remove-PASGroup,Set-PASGroup
  • Standardises name of ID parameter.
  • Adds GroupID alias to ID parameter.

Added

• N/A

Updated

• Get-PASPSMRecording
  • Removes Offset Parameter
  • Updates FromTime & ToTime parameters to [datetime] types
  • Returns all pages of results instead of only the first page of results
• Get-PASPSMSession
  • Removes Offset Parameter
  • Updates FromTime & ToTime parameters to [datetime] types
  • Returns all pages of results instead of only the first page of results
• Get-PASAccount
  • Removes Offset Parameter
• Get-PASDiscoveredAccount
  • Removes Offset Parameter

Fixed

• Get-PASSession
  • Removes UserName from command output, avoiding error condition on expired session.
• Get-PASPlatform
  • Adds search parameter to the default targets parameterset
• ISPSS Error Handling
  • Fixes issue where error returned from ISPSS solution may not be handled properly

6.1.50

Module update to cover all CyberArk 14.0 API features

Added

• New commands supported from 14.0:
  • Add-PASPTAExcludedTarget
  • Add-PASPTAIncludedTarget
  • Add-PASPTAPrivilegedGroup
  • Add-PASPTAPrivilegedUser
  • Get-PASPTAExcludedTarget
  • Get-PASPTAIncludedTarget
  • Get-PASPTAPrivilegedGroup
  • Get-PASPTAPrivilegedUser
  • Remove-PASPTAExcludedTarget
  • Remove-PASPTAIncludedTarget
  • Remove-PASPTAPrivilegedGroup
  • Remove-PASPTAPrivilegedUser
• Get-PASLinkedGroup
  • New experimental command based on undocumented API.

Updated

• Get-PASAccountActivity
  • Adds Gen2 replacement for deprecated Gen1 API.
  • Updates default operation to target Gen2 API.
• Get-PASPTARiskEvent
  • New filter parameters FromTime & ToTime
  • Fixes output and result paging
• Set-PASPTARiskEvent
  • New parameters closeReason & reasonText
  • General Fixes
• New-PASDirectoryMapping
  • New parameters UsedQuota, AuthorizedInterfaces & EnableENEWhenDisconnected
• Set-PASDirectoryMapping
  • New parameters UsedQuota, AuthorizedInterfaces & EnableENEWhenDisconnected

Fixed

• Invoke-PASRestMethod
  • Avoids potential error condition when handling errors in ISPSS environments

Added

• N/A

### Updated

• Add-PASPTARule & Set-PASPTARule
  • Adds scope parameters vaultUsersMode, vaultUsersList, machinesMode & machinesList
  • Includes scope property in output by default

### Fixed

• Add-PASApplication
  • Updates date format of ExpirationDate to MM/dd/yyyy. Resolves issue observed when sending date format of MM-dd-yyyy
• Set-PASPTAEvent & Set-PASPTARiskEvent
  • Fixes issue where websession object and auth header were not being sent with the request

6.0.21

Added

• N/A

### Updated

• N/A

### Fixed

• Debug Trace Output
  • Resolves condition where authentication password value might be revealed in debug trace output in a scenario where Set-PSDebug -Trace 2 is active in the console host.

6.0.18

Added

• N/A

Changed

• Set-PASSafe
  • Allows 0 as valid value for parameter NumberOfDaysRetention
• Get-PASServerWebService
  • Deprecates Gen1 endpoint from 13.2. Adds Gen2 endpoint as default.
• Get-PASSafeShareLogo
  • Deprecates command from 13.2.
• Invoke-PASCPMOperation
  • Deprecates Gen1 endpoint from 13.2.
• Get-PASAccountActivity
  • Deprecates command from 13.2.
• Add-PASPendingAccount
  • Deprecates command from 13.2.

Fixed

• Get-PASAccount
  • Resolves issue where, if number of results of a SavedFilter are greater than the page size (either default or set via the limit parameter), only the URL of the first request sent would include the SavedFilter value.

6.0.4

• Updated
  • Add-PASSafeMember
    • Adds ‘Role’ to acceptable values in ParameterSet for memberType parameter

6.0.0

• Update & Breaking Change
  • New-PASSession
    • All Privilege Cloud Shared Services Authentication via the CyberArk Identity Platform now depends on the pspete IdentityCommand module.
    • Adds Identity User Authentication, using the IdentityCommand module to satisfy Identity MFA challenges and obtain required authentication token to use against Privileged Cloud Shared Services.
    • Adds logic to determine correct Identity tenant URL based on provided Privileged Cloud Subdomain value.
    • Both Privileged Cloud API URL & Identity Portal URL are required to be specified if subdomain value is not provided.
    • Service User authentication for Shared Services introduced in recent previous versions requires installation of IdentityCommand module and specification of additional attribute.
    • See the docs & New-PASSession for full details.

Module update to cover all CyberArk 13.2 API features

• New
  • Get-PASUserTypeInfo
    • Output information on User Types
  • Get-PASPTARiskEvent
    • Output PTA Risk Events
  • Set-PASPTARiskEvent
    • Update PTA Risk Events
  • Get-PASPTARiskSummary
    • Output PTA Risk Summary
  • New-PASRequestObject
    • Enables creation of request objects for bulk account access requests using New-PASRequest.
• Updates
  • New-PASSession
    • Adds option for PKIPN authentication.
      • Thanks (JesseMcWilliamss)!
    • Adds options to Shared Services Authentication capability
      • Supports different subdomains for Identity & Privilege Cloud tenants
      • Supports ability to provide tenant URLs for Identity & Privilege Cloud systems.
  • Unlock-PASAccount
    • Adds Unlock capability, in addition to the existing check-in capability.
      • Thanks & Credit to (Qrelis) for this!
  • Get-PASUser
    • Adds source parameter (allows filter by cyberark or ldap source).
    • Adds userStatus parameter (allows filter by active, disabled, or suspended status).
  • New-PASUser & Set-PASUser
    • Adds parameters userActivityLogRetentionDays, loginFromHour & loginToHour
  • New-PASRequest
    • Adds new ParameterSets BulkSearch, BulkFilter & BulkItems.
  • Get-PASRequest
    • Adds id parameter to support get status bulk request actions.
• Other

Module update to cover all CyberArk 13.0 API features

• New
  • Adds Get-PASPTAGlobalCatalog & Add-PASPTAGlobalCatalog commands, available for v13.
• Updates
  • New-PASSession
    • Adds Shared Services Auth Support
    • Allows null or empty OTPDelimiter to be specified
  • Set-PASPTARule
    • Updates validation for parameter id
  • Get-PASComponentDetail
    • Adds pta as option for parameter component
  • Add-PASSafe
    • Allows 0 as valid value for parameter NumberOfDaysRetention
  • Add-PASSafeMember
    • Adds optional memberType parameter, accepted from 12.6 onward.
• Other
  • Allow UPN UserName format
    • Updates the parameter validation logic of the *-PASPublicSSHKey functions to allow UPN style usernames to be specified and accepted.
  • Updates psPAS.CyberArk.Vault.OnboardingRule format in line with expected output according to product documentation.
  • Documentation update
    • Correct version requirement information for the Get-PASAccount searchType parameter.

• Breaking Changes
  • Get-PASAccount
    • Removes Gen2Filter ParameterSet.
    • Equivalent functionality remains available via other available parameters.
  • Get-PASGroup
    • Removes filter ParameterSet.
    • Equivalent functionality remains available via other available parameters.
• New Commands
  • Publish-PASDiscoveredAccount
    • Feature Request: Onboards a discovered account.
    • Based on swagger documentation
  • Get-PASLinkedAccount
    • Gets details of linked accounts
  • Add-PASPersonalAdminAccount
    • Specific for Adding Personal Admin Accounts in Privilege Cloud.
    • Based on swagger documentation
• Other Updates
  • New-PASSession
    • Feature Request: Adds support for PKI Authentication.
  • Get-PASAccount
    • Adds limit & offset parameters.
  • Get-PASSafe
    • Corrects ambiguous invocation options (Gen1).
  • Documentation
    • General updates throughout.

5.4.101 (November 20th 2022)

• Fix Get-PASSafeMember
  • Corrects format of URL value when returning many safe members
    • Thanks InconstantRO!
• Documentation
  • Additional example added to Get-PASAccount help file
    • Thanks rorobig!

What makes the New-PASSession command so important?

Each and every time any psPAS user needs to use the module to access the API of their CyberArk solution, New-PASSession is the first command they will run, making it by far the most crucial code in the whole module, as well being as one of the most viewed commands in the module documentation, and on the psPAS GitHub repo.

As the aim is for New-PASSession to be compatible with all supported API authentication methods, it is also one of the most complex functions in the entire module.

If you want an understanding of what is going on behind the scenes of the command, this is the right place.

New-PASSession Internals

The invocation flow of New-PASSession to API authentication looks like this (as does any standard psPAS code flow):

Here, you can see the various abstraction layers that psPAS employs to execute the authentication request with the API, convert the API response into a PowerShell object, and then return the authentication request’s result.

• New-PASSession
  • The front-end command for all API authentication methods supported by psPAS.
  • Formats the API URL into the correct format for this and future request.
    • The URL value provided to New-PASSession is used for any other psPAS commands issued in a session.
  • Constructs the overall request, setting required values for the chosen authentication type.
  • Issues requests to the API, or other functions to complete authentication requirements for the chosen method.
  • Extracts the Authorization token value from the LogonResult returned from the API.
  • Sets Script/Module Scope Variables for use by all other module commands:
    • BaseURI.
    • WebSession ‘Authorization’ header.
    • API Version.
• Invoke-PASRestMethod
  • Receives all psPAS function requests for the API, including New-PASSession requests.
  • Enforces module defaults, such as the expected ContentType & use of TLS 1.2.
  • Catches and throws any errors that Invoke-WebRequest produces.
  • Assigns the SessionVariable WebSession object to a script/module scope variable, this is particularly pertinent to New-PASSession.
• Invoke-WebRequest
  • Is responsible for receiving requests from Invoke-PASRestMethod and sending them to the API.
  • The Invoke-WebRequest cmdlet, included in PowerShell since version 3, sends HTTP and HTTPS requests to a web page or web service.
  • You can read all about it in the Microsoft Docs.
• Get-PASResponse
  • Receives and returns the Content property of the API response sent from Invoke-PASRestMethod
  • Returns data based on the Content-Type of the received content.
• ConvertFrom-Json
  • Creates a custom object from a JSON-formatted string.
  • You can read all about it in the Microsoft Docs
  • application/json content is expected for most API responses, psPAS converts this into a custom object before returning the data.

If everything goes according to plan, we will have a login token from the API at the end of the procedure.

In addition to saving the API URL and API version information, New-PASSession also conveniently stores the login token as a header value in a WebSession object variable in the script scope of the module.

As all of these values are saved in the module’s script scope, they are now available to, and able to be referenced by, all other module functions without the values being exposed to, or provided by, module users for ongoing module operations.

All user facing commands in the module which send requests to the API use the variables set in the script scope to authenticate and direct responses to the API. They also follow the same internal pattern seen in New-PASSession, with the API response passing through the internal functions until any response is returned as a PowerShell object to the context of the originating command.

RADIUS Authentication Flow

The following diagram provides a higher-level overview of the module’s RADIUS authentication flow:

We use Invoke-PASRestMethod as a wrapper around the Invoke-WebRequest PowerShell CmdLet so that we can catch any errors that might arise while using the API.

If additional authentication steps are needed to access the API using RADIUS authentication after the initial authentication, these are identified as exceptions with the specific Error ID of ITATS542I.

When New-PASSession encounters an ITATS542I exception, we know a RADIUS Challenge is contained within it.

RADIUS Challenge responses are sent using the internal Send-RADIUSResponse function.

Any required OTP is provided, or prompted for, and is then sent back to the server issuing the challenge.

Send-RADIUSResponse will continue to handle additional ITATS542I exceptions for additional necessary challenges up until user responses are satisfactory for the authentication attempt or a challenge fails.

The API responds with a Logon Result containing the necessary authentication token upon successful completion of all challenges.

IIS + Vault Primary/Secondary Authentication

Some authentication methods utilise IIS configurations as well as Vault authentication in conjunction with each other.

This necessitates that users must first successfully authenticate against any IIS authentication requirements in addition to the vault authentication. A few examples are:

• Windows Authentication using the default credentials for the PowerShell session.
• PKI Authentication and a certificate supplied by the user.

In each case, the required authentication factors are passed to Invoke-WebRequest, allowing IIS authentication to take place before any subsequent attempt to authenticate to the vault.

This flow is shown below:

Any supplied certificate information or credential values will be stored as a reference in the script scope WebSession object that the module uses for subsequent operations, ensuring that any ongoing IIS authentication requirements are met after the first API authentication , and when other module commands are executed.

SAML Authentication

SAML authentication requires a SAMLResponse value from your IDP to be passed to the API.

When you supply a SAMLResponse value to New-PASSession, the API receives it and returns the necessary API authorization token after successfully accepting and validating the SAML token.

This SAMLResponse value must be obtained directly from your IDP and provided to New-PASSession. As an alternative, psPAS might be able to obtain the SAMLResponse value if you’re using an IDP that supports Integrated Windows Authentication SSO (like ADFS) and your environment is set up to support this authentication flow.

We can see in the SAML authentication flow diagram that if no SAMLResponse value is provided, psPAS will invoke an internal function called Get-PASSAMLResponse which will attempt to obtain the SAMLResponse value.

Get-PASSAMLResponse obtains the IDP SSO URL from PVWA, and provides the default credentials of the PowerShell Session to the IDP, following a number of web redirects until receiving the required SAMLResponse. Many factors and configurations may influence the success of this command, and a SAMLResponse will not be able to be obtained from all IDPs.

There are many SAML IDPs which may be in use, far too many to incorporate all available options into psPAS individually. While there are no plans to add capability into psPAS to get a SAMLResponse from any other IDPs out in the wild, if you have a method to obtain a SAMLResponse from a particular IDP, consider sharing it - this is a topic we get contacted about regularly; while we’d love to be able to provide answers for all SAML authentication platforms, it is beyond the scope of the core capabilities of the module’s intended purpose.

This is where the power of the CyberArk & PowerShell communities comes into play… Allyn Lyndsay, a fellow CyberArk Guardian, has created a significantly handy tool to interactively authenticate to your SAML IDP, and return the SAMLResponse for use in other calls, like New-PASSession.

Find the tool and see it in action on GitHub here: PS-SAML-Interactive

Summary

Now you understand how New-PASSession functions, and leverages various psPAS internals to successfully authenticate against the API!

Did we forget anything?

Let us know if there is any further information you would want to see or if you have any questions that have not been answered.