Configure Okta SAML Authentication for BeyondInsight and Password Safe

Configuring BeyondInsight and Password Safe to use Okta SAML authentication involves two parts: configuring a SAML application with the BeyondInsight SAML information in the Okta admin portal, and then configuring the SAML identity provider settings for Okta in the BeyondInsight console. Each part is detailed in the sections below.

Configure SAML Application in Okta

To configure a new SAML application for BeyondInsight and Password Safe in Okta, follow the below steps.

  1. Log in to the Okta admin portal.

    [Screen capture: Okta Add Application button]

  2. Click Add Application.

    [Screen capture: Okta Create New App button]

  3. Click Create New App.
  4. Select SAML 2.0 as the sign-in method.

    [Screen capture: SAML 2.0 option and the Create button in the Okta Create New Application Integration window]

  5. Click Create.

    [Screen capture: adding an App Name in the Okta Create SAML Integration window]

  6. Enter the application name, and then click Next.
  7. Enter the single sign on URL:

    https://<ServerURL>/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx

  8. Check the Use this for Recipient and Destination URL box.
  9. Enter the audience URI (SP entity ID):

    https://<ServerURL>/eEye.RetinaCSSAML

    [Screen capture: Okta username selected in SAML Settings, Create SAML Integration]

  10. From the Application username list, select Okta username.

 

SLO Optional Setting

  1. Click Show Advanced Settings.
  2. Select Enable Single Logout.
  3. Fill in the Single Logout URL:

    HTTPS://<FQDN>/eEye.RetinaCSSAML/SAML/SLOService.aspx

  4. Fill in the SP Issuer: HTTPS://<FQDN>/eEye.RetinaCSSAML/.
  5. Select the SP Public Certificate.cer certificate.
  6. Click Upload Certificate.

Configure Attributes

    [Screen capture: Okta attributes set for the Attribute Statement in SAML Settings]

  1. Add attributes, and then click Next.
    • Name: (required)
    • Email: (optional)
    • GivenName: (optional)
    • Surname: (optional)
    • Group: (required) - Set as a literal. This must match the group created in BeyondInsight or imported from AD. If an AD group is used, it must match the BI format Domain\GroupName.

    [Screen capture: settings for Okta support]

  2. Select the appropriate settings for Okta support, and then click Finish.

 

Find IdP Information

    [Screen capture: View Setup Instructions for SAML 2.0 settings]

  1. Click View Setup Instructions.

    [Screen capture: Okta configuration details used in the following steps]

  2. Copy the Identity Provider Single Sign-On URL. Save the value for use in the next section.
  3. Copy the Identity Provider Issuer. Save the value for use in the next section.
  4. Click Download certificate.

Configure SAML Identity Provider in BeyondInsight

To configure a new SAML identity provider for Okta in BeyondInsight, follow the steps below.

  1. Navigate to Configuration > Authentication Management > SAML Configuration.
  2. From the SAML Identity Providers pane, click Create New SAML Identity Provider.

    [Screen capture: Okta SAML provider configuration in BeyondInsight]

  3. Provide a name for the new SAML identity provider (IdP).
  4. Complete the Identity Provider Settings as follows:
    • Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP) and would like this IdP to be used as the default for SP-initiated logins. This is useful when a user accesses the SAML site access URL without providing an IdP. Also, when a user clicks the Use SAML Authentication link on the BeyondInsight login page, they are redirected to the default IdP's site for authentication.
    • Identifier: Enter the Okta Identity Provider Issuer value.
    • Single Sign-on Service URL: Enter the Okta Identity Provider Single Sign-On URL value.
    • SSO URL Protocol Binding: Select HTTP Post as the type.
    • Single Logout Service URL: Enter the Okta Identity Provider Single Logout URL value.
    • SLO URL Protocol Binding: Select HTTP Post as the type.
    • Encryption and Signing Configuration: Check the applicable boxes to enable options, based on your Okta settings. A typical configuration is shown; depending on your Okta settings, some selections may differ.
    • Signature Method: Select the signature method required by Okta.
    • Current Identity Provider Certificate: Upload the Okta X.509 certificate downloaded from the Okta setup instructions.
    • User Mapping: Select the type of user account from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight user database.
      • None: This is the legacy type of mapping, which is not based on the type of user.
      • Local: Select this option for local user account claims. BeyondInsight maps the user and group name.
      • Microsoft Entra ID: Select this option for Entra ID user account claims. When selected, BeyondInsight maps the ObjectID attribute to the AppUser and UserGroup attributes for the user.
      • Active Directory: Select this option for Active Directory user account claims. If the claims are configured to pass the SID of the user and group, BeyondInsight maps the SID for the user and group, which is preferred over mapping the domain name and group name attributes.
  5. The following Service Provider Settings are auto-generated by BeyondInsight:
    • Entity ID: This is the fully qualified domain name, followed by the file name: https://<ServerURL>/eEye.RetinaCSSAML/. This is used for audience restriction.
    • Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects with its authentication response.
  6. Click Create SAML Identity Provider.

Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP if required.
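The following Python script is an added example, not BeyondTrust's or Okta's code. It shows what the service provider checks in the response Okta sends once the values above are entered on both sides: the assertion Issuer against the Identifier, the Audience against the SP entity ID, the Response Destination and bearer Recipient against the single sign on URL, and the Group literal against the BeyondInsight group. It goes slightly beyond the page by including the standard Conditions validity-window and bearer-confirmation checks that any SP applies. Assumptions: bi.example.com stands in for <ServerURL>, the issuer http://www.okta.com/EXAMPLE-APP-ID, the group CORP\PasswordSafeUsers and the sample response are all constructed placeholders, and the sample is unsigned; a real SP verifies the XML signature with the uploaded IdP certificate before any of these checks, which this script does not do.

```python
"""Added example (not BeyondTrust or Okta code): check a SAML 2.0 response against the
service-provider values configured in this guide. Config values, group name and sample
response are constructed; a real SP verifies the XML signature first (not shown here)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

@dataclass
class SpConfig:
    idp_issuer: str      # Okta "Identity Provider Issuer", entered as the BI Identifier
    entity_id: str       # audience URI / SP entity ID
    acs_url: str         # single sign on URL; also the Recipient and Destination URL
    expected_group: str  # BeyondInsight group; Domain\GroupName for an AD group
    required_attrs: tuple = ("Name", "Group")

def _ts(value: str) -> datetime:  # SAML timestamps are UTC ISO 8601 ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_attributes(assertion) -> dict:
    """Return the AttributeStatement as {Name: [values]}."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

def validate_response(xml_text: str, cfg: SpConfig, now: datetime) -> list:
    """Return the problems found; an empty list means the response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be our ACS URL; every comparison here is an exact string match.
    if root.get("Destination") != cfg.acs_url:
        problems.append(f"Destination mismatch: {root.get('Destination')!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["No Assertion element"]
    # Issuer must equal the Identifier configured for the IdP in BeyondInsight.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != cfg.idp_issuer:
        problems.append(f"Issuer mismatch: {issuer!r}")
    # Audience must equal the SP entity ID; a trailing slash on one side only rejects the login.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        problems.append(f"Audience mismatch: {audiences!r}")
    cond = assertion.find("saml:Conditions", NS)  # validity window
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("Assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("Assertion expired")
    # Bearer confirmation: Recipient must be the ACS URL and must not have expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg.acs_url:
        problems.append("Recipient mismatch or missing SubjectConfirmationData")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData expired")
    # Attributes: required ones present, and the Group literal equal to the BI group.
    attrs = extract_attributes(assertion)
    for name in cfg.required_attrs:
        if name not in attrs:
            problems.append(f"Missing required attribute {name}")
    if "Group" in attrs and cfg.expected_group not in attrs["Group"]:
        problems.append(f"Group {attrs['Group']!r} does not match {cfg.expected_group!r}")
    return problems

# Constructed stand-ins for <ServerURL>, the Okta issuer and the BeyondInsight group.
CONFIG = SpConfig(
    idp_issuer="http://www.okta.com/EXAMPLE-APP-ID",
    entity_id="https://bi.example.com/eEye.RetinaCSSAML",
    acs_url="https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx",
    expected_group=r"CORP\PasswordSafeUsers")
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)

# Constructed, unsigned response in the shape Okta sends (attributes from the guide).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
 Destination="https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx">
 <saml:Issuer>http://www.okta.com/EXAMPLE-APP-ID</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/EXAMPLE-APP-ID</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
     Recipient="https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://bi.example.com/eEye.RetinaCSSAML</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="Name"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Group"><saml:AttributeValue>CORP\\PasswordSafeUsers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Calling validate_response(SAMPLE_RESPONSE, CONFIG, NOW) returns an empty list; passing a config whose entity_id carries a trailing slash returns only an audience mismatch, and a NOW past 12:05 returns both expiry problems. Every comparison is an exact string match, which is why the guide's values must be copied verbatim: the page shows the entity ID without a trailing slash as the Okta audience URI and with one as the auto-generated Entity ID in BeyondInsight, and whichever string the BeyondInsight Service Provider Settings pane actually reports is the one Okta must send. The Group literal fails the same way if it differs from the BeyondInsight group by a single character, including the Domain\ prefix for an AD group.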

Disable Forms Login

In environments where SAML, smart card, or claims-aware authentication is configured, we recommend enabling the Disable Forms Login authentication option so that users cannot use the standard login form in BeyondInsight.

To disable forms login for existing users, enable this option directly on a user account as follows:

  1. Click the vertical ellipsis for the user account, and then click Edit User Details.

    [Screen capture: Disable Forms Login option on a user account in BeyondInsight]

  2. Under Authentication Options, check Disable Forms Login to enable the option.

Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

 

To disable forms login globally for newly created directory accounts:

  1. Navigate to Configuration > Authentication Management > Authentication Options.

    [Screen capture: Forms Login Options in BeyondInsight]

  2. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.