EPM and Beyond Identity
This guide provides details on configuring the OIDC identity provider Beyond Identity with EPM.
The key benefits of an EPM and Beyond Identity integration:
- Implement strong, unphishable, multifactor authentication (MFA) and policy-based access controls to ensure high-trust authentication for end user elevation requests.
- Ensure only devices that meet the company’s security policy have access to application or process elevation.
- Establish identity before privileged actions on an endpoint are allowed, using a frictionless step-up authentication.
- Create a zero-trust PAM architecture, which doesn’t trust the user until they pass a high-assurance authentication and doesn’t trust their device unless it meets security policies.
- Eliminate one-time passwords and the corresponding vulnerabilities associated with elevation requests and approvals.
Beyond Identity can validate a device’s security posture before allowing access to EPM.
Download and Configure Beyond Identity App on Your Device
An instance of Beyond Identity is required to configure the app.
- Download and configure the Beyond Identity app.
Now you can use the Beyond Identity app to authenticate to your instance of Beyond Identity.
- Click Integrations to add EPM as an OIDC client.
Configure Your EPM Instance
You also need to access your EPM instance.
- In EPM, open the Policy Editor.
- Edit a policy and configure Identity Provider (IdP) Authentication.
- Provide the Authority URI, Client ID generated earlier, and Redirect URI.
- In the EPM Policy Editor, configure the message(s) that will use IdP settings.
- Validate that your test endpoint is on the latest policy. In EPM, go to the Computers page and check the policy status on the endpoint.
Test the Configuration
- With a non-admin user account on the managed computer, try to run an installer that requires administrator credentials via the Windows User Account Control message.The attempt is blocked and you are presented with a configurable BeyondTrust message.
By selecting Multifactor Authentication, instead of one-time Response Code, the user is authorized to elevate the installer.
- Authentication is redirected to the browser. If Beyond Identity can find the proper credentials on the computer for the end user and validate endpoint rules, the user is authenticated.
- The installer is elevated for the end user without granting permissions to the end user directly.
Beyond Identity Policy and Rules
Beyond Identity policy and rules can be configured to validate that the end user endpoint or computer meets security corporate policies and standards.
For more information about the Beyond Identity policy and rules, see Risk Policies and Step-Up Authentication.
Send feedback or questions to email@example.com