SecureAuth Arculix & BeyondTrust Password Safe

Arculix by SecureAuth allows BeyondTrust customers to securely enable efficient access to privileged credentials and sessions managed by Password Safe, while providing a flexible and frictionless user experience.

This integration is supported for both Password Safe and Password Safe Cloud.


Configure a SAML Provider in Password Safe

To add Arculix as a SAML provider:

Configure Arculix as a SAML provider in Password Safe.

  1. As an Administrator, navigate to Configuration > SAML Configuration.


  1. To find the Identifier URL, Single Sign-on Service URL, and the Certificate, refer to the Arculix documentation link above.
  2. Configure the Encryption and Signing Configuration to align with the configuration in Arculix.
  3. Import the Identity Provider certificate from Arculix.

Create a group in Password Safe.

  1. Create a local group in Password Safe and assign one or more Managed Account Smart Groups with Read Only permission, and one or more Password Safe roles.
  2. Managed Account Smart Groups are groups of privileged accounts that members of the group can access for credential check-out and/or session check-out.


Configure Arculix SAML (IdP-initiated) Integration

Add Password Safe in Arculix.

  1. Create an application. Use a recognizable name, for example BeyondTrust Password Safe.
  2. Set type to SAML Service Provider.
  3. Check the IdP Initiated box.
  4. From the Name Identifier menu, select Email.
  5. For Issuer or Entity ID, use the generated Entity ID from the SAML configuration in Password Safe, under the Service Provider Settings section.
  6. For ACS URL, use the generated Assertion Consumer Service URL from the SAML configuration in Password Safe, under the Service Provider Settings section.
  7. Include the following assertion attributes:
    • Name: for example,
    • EmailAddress
    • GivenName
    • Surname
    • Group: This needs to correspond to a group name in Password Safe. The group can be Local, Active Directory (DN, UPN, SID), etc. See Password Safe SAML documentation link above for more information on group mapping types.
  8. Download the SAML certificate for your organization.
  9. Assign the new application to a test user.

Test the Logon from the Arculix Portal

Password Safe app in Arculix portal.

After you complete all the steps listed above, click the Password Safe app in the Arculix portal for the test user and leverage single sign-on to authenticate to Password Safe.


Test the logon for the Password Safe user.

The test user should have access to the assigned Smart Groups of Privileged Accounts.


Password Safe user is added to the group after the first logon using Arculix.

After the first authentication, the test user is added as a member to the Password Safe group.


For more information about this integration or to send feedback, please email