Configure OpenID Connect

Privilege Management Cloud (PMC) supports OpenID Connect (OIDC) authentication.

Before you can switch PMC to OpenID Connect, you must register a PMC instance as an application in your OpenID Connect provider. The steps for Okta and Azure AD are provided in the sections below.

Request OpenID Connect Access

  • Existing customers: If you are an existing PM Cloud customer who currently authenticates through Azure and you want to switch to OpenID Connect, open a ticket with BeyondTrust Technical Support.
  • New customers: If you are a new PM Cloud customer, request OpenID Connect access through the BeyondTrust Sales Engineer you are working with.

PMC OpenID Connect Workflow for Existing Customers

Here is the workflow to get up and running with PMC using OpenID Connect authentication.

  • You will receive an email from BeyondTrust after the request is processed.
  • In the email, click the link to open the BeyondTrust OpenID Setup page.
  • Enter the OpenID Connect information: domain, client ID, and client secret. Click Save Setup. The OpenID credentials are saved.
  • The Privilege Management Console login page opens. Click Log In.
  • PMC opens to the Home page.

Add the PM Cloud Application to Azure AD or Okta

PMC supports Azure AD and Okta as OpenID Connect providers. The following sections give a high-level overview of adding the PMC instance to your provider. For complete instructions, refer to the provider's documentation.

Existing users are matched by email address. The email address that Okta or Azure AD sends for a user must match the email address of that user's existing PM Cloud account, and the domain of that address must be on the list of allowed domains in PM Cloud. If the addresses differ, or the domain is not on the allowed list, authentication for that user fails. Check this before the cut-over, not after: a user whose identity provider record carries a different address (or no address at all) is locked out as soon as OIDC is enabled.

Add PMC Instance to Okta

  1. Sign in to the Okta Admin Console and go to Applications.
  2. Click Create App Integration.
  3. In the Create a new app integration section, select OIDC - OpenID Connect.
  4. Select Web Application as the application type.
  5. In the New Web App Integration section, under Grant type, select Client Credentials. Leave Authorization Code (the default for a Web Application) enabled: the browser-based sign-in through the redirect URI below uses the authorization code flow, and the client credentials grant on its own cannot sign a user in.
  6. Add the sign-in and sign-out redirect URIs, where {dns} is the host-name prefix of your PM Cloud deployment:
    • Sign-in redirect URI: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signin-oidc
    • Sign-out redirect URI: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc
  7. Under Assignments, select the controlled access option that applies to your organization (everyone, or selected groups only), and then click Save.
  8. After you add PMC to Okta, collect the information you need to set up OpenID Connect authentication:

  9. Go to the application instance for PM Cloud.
  10. Select General Settings, and then click Edit.
  11. For the OpenID Connect set-up wizard, you need the following information from the Edit page:
    • Domain: your Okta domain (for example, https://yourorg.okta.com), entered with the https:// prefix
    • Client ID
    • Client Secret (treat this as a credential; it grants the PMC application its identity at Okta)

Confirm the domain name configured in Okta. This domain name can be different from the domain of your users' email addresses. For example, the domain managed in Okta might be domain.com while a user's email address is user@email.com. The Okta domain is what you enter in the set-up wizard; the email domain is what must be on the PM Cloud allowed-domains list. Both pieces of information are required.

  12. You can now visit the set-up URL and enter the domain, client ID, and client secret.
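The two conditions above (the email address from the identity provider must match an existing PM Cloud user, and its domain must be on the allowed list) are the usual cause of lock-outs at cut-over, so it is worth checking them against a user export before enabling OIDC. The following pre-flight check is an added example written for this page, not BeyondTrust code: the function name preflight, the report fields, and the user lists are all hypothetical, and the sample data is constructed inline. It takes the email addresses of existing PM Cloud users, the accounts exported from Okta or Azure AD, and the PM Cloud allowed-domain list, and reports every account that would fail to sign in. Because the page does not say whether PM Cloud compares addresses case-sensitively, addresses that differ only by case are reported as a separate warning rather than as a pass.

```python
"""Pre-migration check for the PM Cloud OpenID Connect cut-over.

Hypothetical helper (not BeyondTrust code). Compares the email addresses
the identity provider will send with the users already in PM Cloud and
the PM Cloud allowed-domain list, and reports every account that would
fail to sign in after OIDC is enabled.
"""
from dataclasses import dataclass, field


@dataclass
class PreflightReport:
    ok: list = field(default_factory=list)              # will sign in
    case_only: list = field(default_factory=list)       # (pmc, idp) differ only by case
    domain_blocked: list = field(default_factory=list)  # email domain not on allowed list
    missing_in_idp: list = field(default_factory=list)  # PMC user with no matching IdP email
    missing_email: list = field(default_factory=list)   # IdP login whose record has no email

    @property
    def blocking(self):
        """Accounts that will certainly fail; case-only mismatches are warnings."""
        return self.domain_blocked + self.missing_in_idp


def _domain(email):
    """Return the lower-cased domain part, or None for a malformed address."""
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def preflight(pmc_users, idp_accounts, allowed_domains):
    """pmc_users:       email addresses of existing PM Cloud users
    idp_accounts:    dicts with 'login' and 'email' exported from Okta / Azure AD
                     ('email' is None when the account has no mail attribute)
    allowed_domains: the PM Cloud allowed-domain list (with or without a leading '@')
    """
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    idp_exact = {a["email"] for a in idp_accounts if a.get("email")}
    idp_lower = {e.lower(): e for e in idp_exact}
    report = PreflightReport()

    # IdP accounts that carry no email claim can never match a PM Cloud user.
    for acct in idp_accounts:
        if not acct.get("email"):
            report.missing_email.append(acct["login"])

    for user in pmc_users:
        # Check the allowed-domain list first: a blocked domain fails regardless
        # of whether the IdP sends the same address.
        if _domain(user) not in allowed:
            report.domain_blocked.append(user)
        elif user in idp_exact:
            report.ok.append(user)
        elif user.lower() in idp_lower:
            report.case_only.append((user, idp_lower[user.lower()]))
        else:
            report.missing_in_idp.append(user)
    return report


# Constructed sample data (not from any real tenant). The Okta org domain is
# domain.com while the users' email domain is email.com, as in the text above.
PMC_USERS = ["alice@email.com", "Bob@email.com", "carol@email.com", "dave@contractor.net"]
IDP_ACCOUNTS = [
    {"login": "alice@domain.com", "email": "alice@email.com"},
    {"login": "bob@domain.com", "email": "bob@email.com"},
    {"login": "carol@domain.com", "email": None},
]
ALLOWED_DOMAINS = ["email.com"]


if __name__ == "__main__":
    r = preflight(PMC_USERS, IDP_ACCOUNTS, ALLOWED_DOMAINS)
    print("will sign in:      ", r.ok)
    print("case differs only: ", r.case_only)
    print("domain not allowed:", r.domain_blocked)
    print("no IdP match:      ", r.missing_in_idp)
    print("IdP has no email:  ", r.missing_email)
    print("blocking:          ", r.blocking)
```

Run it against a real export from your identity provider and the PM Cloud user list; anything in the blocking list has to be fixed (add the domain to the allowed list, or correct the email on one side) before you enable OIDC, and case-only mismatches should be aligned as well unless BeyondTrust confirms the comparison is case-insensitive.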

Add PMC Instance to Azure AD

  1. Sign in to the Azure portal and open Azure AD.
  2. Click App registrations in the menu.
  3. Click New registration.
  4. Enter a name.
  5. Under Supported account types, select Accounts in this organizational directory only (single tenant).
  6. Under Redirect URI, select Web as the platform and enter https://<deployment>-services.pm.beyondtrustcloud.com/oauth/signin-oidc, where <deployment> is the host-name prefix of your PM Cloud deployment.
  7. Click Register.
  8. After PMC registers, select Authentication in the menu.
  9. Add the following to the Redirect URIs: https://<deployment>-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc.
  10. After you add PMC to Azure AD, collect the information you need to set up OpenID Connect authentication. The OpenID Connect set-up wizard requires these values: secret ID, secret value, client ID, and tenant ID.

  11. Select Certificates & secrets in the menu.
  12. Click New client secret. You must select an expiry for the secret; note the expiry date, because PMC sign-in stops working when the secret expires and a new one must be generated and entered. Copy the secret ID and the secret value. The value is the credential that PMC uses as its client secret (the secret ID only identifies the entry in Azure AD), and Azure AD shows the value only immediately after creation, so copy it before leaving the page.
  13. On the app registration Overview page, copy the Application (client) ID and the Directory (tenant) ID.