This article describes how to connect your CyberArk Identity installation to the Expel Workbench.

Step 1: Create a New OAuth App in the Admin portal

The first step is to create a new OAuth Client on the CyberArk Identity Admin Portal.

  1. Log in to your CyberArk Identity tenant.

  2. Navigate to your user name at the top right corner and select Switch to Admin Portal from the list.

  3. Click Skip on the Quickstart screen if it appears.

  4. Click Apps in the Dashboard.

  5. Click Add Web Apps and select the Custom tab on the Add Web Apps popup.

  6. Locate OAuth2 Client in the list and click Add. This creates an OAuth2 Client for use with CyberArk Identity APIs.

  7. Click Yes on the Add Web App popup that appears.

  8. Click Close on the Add Web Apps popup. The app configuration screen appears.

Step 2: Configure the new OAuth 2.0 client

  1. In the app configuration screen, the categories are listed on the left side of the screen.

  2. For each category, type the appropriate data in the fields as follows:

    • Description:

      • Application ID: type a unique name (no spaces) and make a note of it for later use.

      • Application Name: type a descriptive name for the application.

      • Application Description: type a description of the application (optional; not seen by users).

      • Category: the default grouping for the app on the Admin Portal.

    • General Usage:

      • Client ID Type: select Confidential.

      • Issuer: the URL of the server issuing access tokens. Can be left as default.

      • Allow Redirects: specifies the redirects that should be trusted when redirection occurs during the Authorization Code and Implicit flows.

    • Tokens:

      • Token Type: specifies the type of token to issue (JwtRS256 or opaque). JwtRS256 is a JSON Web Token (JWT) composed of Base64-encoded user and claim information. An opaque token contains no information about the user; to obtain user and claim information for an opaque token, pass the token to an introspection URL.

      • Auth Methods: specifies the authentication flow(s) for which the specified token type should be issued.

      • Token Lifetime: specifies the duration of the token's lifespan.

      • Issue refresh tokens: when enabled, allows clients to request a refresh token that can be exchanged for a new access token. Not applicable for the Resource Owner flow.

    • Scope:

      • User must confirm authorization request: when enabled, this setting requires that the client open a popup where the user must select and approve the scope(s) to allow for the client.

      • Scope Definitions: allows one or more scopes to be specified for authorization by the client.

    • User Access: specifies the system role(s) that the user holding the credentials must belong to for a client to authorize successfully with those credentials. Here, the user represents a confidential client. See Step 4 below for information on creating a user to represent a confidential client.

    • Changelog: lists changes made to the client.

Step 3: Create scopes

Use the following steps to define scopes for an OAuth2 Client:

  1. Navigate to Apps and select the application to set the scope(s) for.

  2. Click Scope.

  3. Under Scope definitions, click Add. The Scope definitions popup appears.

  4. Type a Name for the new scope, and a Description (optional).

  5. Click Add and type this scope: Redrock/*

Step 4: Create a confidential client

To authorize a confidential client (a client that provides a client ID and client secret), you must create a user entity representing the confidential client.

  1. Navigate to Core Services > Users to open the Create CyberArk Identity Directory User screen.

  2. Type the application's client ID into the Login Name field.

  3. Type values into the Email Address and Display Name fields. Confidential clients don't use these values, but they are required to satisfy the required fields of the user form.

  4. Type the application's client secret into the Password and Confirm Password fields.

  5. Navigate to the Status section at the bottom and enable Is OAuth confidential client.

  6. Click Create User. A confidential client who specifies the client ID and secret can now authorize against your CyberArk Identity Tenant.

Step 5: Configure the technology in Workbench

Now that we have configured the correct access and noted the credentials, we can integrate your technology with Workbench.


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Log into

  2. Navigate to Settings > Security Devices.

  3. At the top of the page, click Add New Device.

  4. Search for and select CyberArk Identity, then fill in the fields like this:

    • For Name, type CyberArk.

    • For Location, type either Cloud or On-prem.

    • For Application ID, type the Application ID you noted when you created the client.

    • For Username, type the Client ID.

    • For Password, type the Client Secret.

    • For Server, type the Server URL.
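
As an added example (not Expel's or CyberArk's own code), the Python below shows how the Application ID, Client ID, Client Secret and Server values map onto an OAuth 2.0 client-credentials token request, and how to check an issued JwtRS256 token against the scope and Token Lifetime configured in Step 2. The /oauth2/token/<Application ID> path, Basic client authentication, the space-delimited scope claim and the client-credentials flow being among the app's Auth Methods are assumptions to confirm against your tenant; the sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_token_request(server, app_id, client_id, client_secret, scope):
    """Return (url, headers, body) for a client-credentials token request."""
    # Assumed endpoint layout: <Server>/oauth2/token/<Application ID>.
    url = f"{server.rstrip('/')}/oauth2/token/{app_id}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def jwt_claims(token):
    """Decode a JwtRS256 payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, expected_scope, max_lifetime_s, now=None):
    """Return a list of findings; an empty list means the token matches the app config."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    findings = []
    granted = set(str(claims.get("scope", "")).split())  # assumed space-delimited claim
    if granted != {expected_scope}:
        findings.append(f"unexpected scopes: {sorted(granted)}")
    if "exp" not in claims or "iat" not in claims:
        findings.append("missing exp/iat claim")
    else:
        if claims["exp"] - claims["iat"] > max_lifetime_s:
            findings.append("lifetime exceeds configured Token Lifetime")
        if claims["exp"] <= now:
            findings.append("token expired")
    return findings


def make_sample_jwt(claims):
    """Constructed, unsigned sample token for offline use (not a real tenant token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

An empty result from audit_token means the token carries only the expected scope and a lifetime within the configured limit; any finding indicates the app configuration grants more than the integration needs.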


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!