Configure SAML 2.0 for Password Safe using Azure AD App

Azure Active Directory (Azure AD), part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against a wide range of cybersecurity attacks.

A BeyondTrust app, available in Azure AD App Gallery, provides Single Sign-On and provisioning via SAML. This app supports Remote Support and public portals, Privileged Remote Access, Password Safe, and Password Safe Cloud.

Install and Configure

Follow the steps below to install and configure this app.

  1. Locate the BeyondTrust SAML app in Microsoft Azure AD Gallery.

BeyondTrust SAML App in the Azure AD Gallery

  1. Change the name to your preferred descriptive name, for example, BeyondTrust SAML – Password Safe. Some screenshots below use BeyondTrust Privileged Remote Access for examples, however the process is the same for Password Safe.

While a single instance of the app can service multiple BeyondTrust products simultaneously, we recommend creating a separate app instance for Password Safe, if you are using that product.

  1. Click Create.
  1. Information about the BeyondTrust SAML app displays when creation is completed.
  2. Click Set up single sign on under Getting Started.

BeyondTrust SAML app installed, with installation details.

  1. Configure Basic SAML Configuration to match your Password Safe instance. The Entity IDs are specific to the instances for each product.

Basic SAML configuration.

  1. Change the Unique Identifier (Name ID) to the Persistent format.

Manage claim - name identifier format

  1. Configure Attributes & Claims sources and values as shown in the table below, then add a group claim as show in the image below:
Source Value
Username user.principalname
FirstName user.givenname
LastName user.surname
Email user.email
Group Claim Group ID

Configure Attributes & Claims sources and values

The group claim must be configured to use only groups assigned to the application, to prevent errors that may occur if a user belongs to more than 150 AD groups. For more information, please see Configure group claims for applications by using Azure Active Directory.

  1. Click Edit on the SAML certificates section.
  2. For Signing Option, select Sign SAML response and assertion.
  3. Download the Federation Metadata XML.