Security Providers: Enable LDAP, RADIUS, Kerberos, SCIM, and SAML2 Logins

Users & Security

Security Providers

Security Providers

You can configure your BeyondTrust Appliance B Series to authenticate users against existing LDAP, RADIUS, SCIM, SAML2, or Kerberos servers, as well as to assign privileges based on the preexisting hierarchy and group settings already specified in your servers. Kerberos enables single sign-on, while RSA and other two factor authentication mechanisms via RADIUS provide an additional level of security.

Add Provider

From the Add dropdown, select LDAP, RADIUS, Kerberos, SCIM, or SAML2 to add a new security provider configuration.

Change Order

Click this button to drag and drop security providers to set their priority. You can drag and drop servers within a cluster; clusters can be dragged and dropped as a whole. Click Save Order for prioritization changes to take effect.

Disable

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.

Sync

Synchronize the users and groups associated with an external security provider. Synchronization occurs automatically once a day. Clicking this button forces a manual synchronization.

View Log

View the status history for a security provider connection.

Duplicate Node

Create a copy of an existing clustered security provider configuration. This will be added as a new node in the same cluster.

Upgrade to a Cluster

Upgrade a security provider to a security provider cluster. To add more security providers to this cluster copy an existing node.

Copy

Create a copy of an existing security provider configuration. This will be added as a top-level security provider and not as part of a cluster.

Edit, Delete

Modify an exiting object or remove an existing object.

If you edit the local security provider and select a default policy that does not have administrator permissions, a warning message appears. Ensure other users have administrator permissions before proceeding.

Edit Security Provider - LDAP

Name

Create a unique name to help identify this provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

User Authentication

Choose if this provider should be used for user authentication. If deselected, options specific to user authentication are disabled.

User Provision

By default, user provisioning occurs on this provider. If you have a SCIM provider set up, you can choose to provision users through that provider instead. If this provider is not used for user authentication, then Do not provision users is selected.

This setting cannot be modified after this security provider is first saved.

Keep user information synchronized with the LDAP server

Checking this option keeps a user's display name set to the name designated on the security provider rather than allowing the display name to be modified in BeyondTrust.

Authorization Settings

Synchronization: Enable LDAP object cache

If checked, LDAP objects visible to the B Series Appliance are cached and synchronized nightly, or manually, if desired. When using this option, fewer connections are made to the LDAP server for administrative purposes thereby potentially increasing speed and efficiency.

If unchecked, changes to the LDAP server are immediately available without the need to synchronize. However, when you make changes on user policies through the administrative interface, several short-lived LDAP connections may occur as necessary.

For providers that have previously had the synchronization setting enabled, disabling or unchecking the synchronization option will cause all cached records that are currently not in use to be deleted.

Lookup Groups

Choose to use this security provider only for user authentication, only for group lookups, or for both. If the User Authentication option above is not checked, then Lookup groups using this provider is selected. The option to look up groups using a different provider is available only if another provider capable of group lookup has already been created.

Default Group Policy (Visible Only if User Authentication is Allowed)

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

Connection Settings

Hostname

Enter the hostname of the server that houses your external directory store.

If you will be using LDAPS or LDAP with TLS, the hostname must match the hostname used in your LDAP server's public SSL certificate's subject name or the DNS component of its alternate subject name.

Port

Specify the port for your LDAP server. This is typically port 389 for LDAP or port 636 for LDAPS. BeyondTrust also supports global catalog over port 3268 for LDAP or 3269 for LDAPS.

Encryption

Select the type of encryption to use when communicating with the LDAP server. For security purposes, LDAPS or LDAP with TLS is recommended.

Regular LDAP sends and receives data in clear text from the LDAP server, potentially exposing sensitive user account information to packet sniffing. Both LDAPS and LDAP with TLS encrypt user data as it is transferred, making these methods recommended over regular LDAP. LDAP with TLS uses the StartTLS function to initiate a connection over clear text LDAP but then elevates this to an encrypted connection. LDAPS initiates the connection over an encrypted connection without sending any data in clear text whatsoever.

If you select LDAPS or LDAP with TLS, you must upload the Root SSL Certificate used by your LDAP server. This is necessary to ensure the validity of the server and the security of the data. The Root Certificate must be in PEM format.

If the LDAP server's public SSL certificate's subject name, or the DNS component of its alternate subject name, does not match the value in the Hostname field, the provider will be treated as unreachable. You can, however, use a wildcard certificate to certify multiple subdomains of the same site. For example, a certificate for *.example.com would certify both access.example.com and remote.example.com.

Bind Credentials

Specify a username and password with which your B Series Appliance can bind to and search the LDAP directory store.

If your server supports anonymous binds, you may choose to bind without specifying a username and password. Anonymous binding is considered insecure and is disabled by default on most LDAP servers.

Username

Enter a username for the bind credentials.

Password and Confirm Password

Enter and confirm a password for the bind credentials.

Connection Method

If you are using an external directory store in the same LAN as your B Series Appliance, the two systems may be able to communicate directly, in which case you can leave the option Proxy from appliance through the Connection Agent unchecked and move on.

If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall or if you are a BeyondTrust Cloud customer, you must use a connection agent. Downloading the Win32 connection agent enables your directory server and your B Series Appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

In the case above, check Proxy from appliance through the Connection Agent (not applicable to BeyondTrust Cloud customers). Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

BeyondTrust Cloud customers must run the connection agent in order to use an external directory store.

Directory Type

To aid in configuring the network connection between your B Series Appliance and your security provider, you can select a directory type as a template. This pre-populates the configuration fields below with standard data but must be modified to match your security provider's specific configuration. Active Directory LDAP is the most common server type, though you can configure BeyondTrust to communicate with most types of security providers.

Cluster Settings (Visible Only for Clusters)

Member Selection Algorithm

Select the method to search the nodes in this cluster.

Top-to-bottom first attempts the server with the highest priority in the cluster. If that server is unavailable or the account is not found, the next highest priority server is attempted. The search moves down through the list of clustered servers until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

Round-robin is designed to balance the load between multiple servers. The algorithm chooses at random which server to attempt first. If that server is unavailable or the account is not found, another random server is attempted. The search continues at random through the remaining servers in the cluster until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

Retry Delay

Set how long to wait after a cluster member becomes unavailable before trying that cluster member again.

User Schema Settings

Override Cluster Values (Visible Only for Cluster Nodes)

If this option is unchecked, this cluster node will use the same schema settings as the cluster. If unchecked, you may modify the schema settings below.

Search Base DN

Determine the level in your directory hierarchy, specified by a distinguished name, at which the B Series Appliance should begin searching for users. Depending on the size of your directory store and the users who require BeyondTrust accounts, you may improve performance by designating the specific organizational unit within your directory store that requires access. If you are not sure or if users span multiple organizational units, you may want to specify the root distinguished name of your directory store.

User Query

Specify the query information that the B Series Appliance should use to locate an LDAP user when the user attempts to log in. The User Query field accepts a standard LDAP query (RFC 2254 – String Representation of LDAP Search Filters). You can modify the query string to customize how your users log in and what methods of usernames are accepted. To specify the value within the string that should act as the username, replace that value with *.

Browse Query

The browse query affects how results are displayed when browsing via group policies. This filters results so that only certain results display in the member selection dropdown when adding members to a group policy.

Object Classes

Specify valid object classes for a user within your directory store. Only users who posses one or more of these object classes will be permitted to authenticate. These object classes are also used with the attribute names below to indicate to your B Series Appliance the schema the LDAP server uses to identify users. You can enter multiple object classes, one per line.

Attribute Names

Specify which fields should be used for a user's unique ID, display name, and email address.

Unique ID

This field requests a unique identifier for the object. While the distinguished name can serve as this ID, a user's distinguished name may change frequently over the life of the user, such as with a name or location change or with the renaming of the LDAP store. Therefore, most LDAP servers incorporate some field that is unique per object and does not change for the lifetime of the user. If you do use the distinguished name as the unique ID and a user's distinguished name changes, that user will be seen as a new user, and any changes made specifically to the individual's BeyondTrust user account will not be carried over to the new user. If your LDAP server does not incorporate a unique identifier, use a field that is least likely to have an identical entry for another user.

E-mail

This determines which field should be used as the user's email address.

Display Name

This determines which field should be used as the user's display name.

Group Schema Settings (Visible Only if Performing Group Lookups)

Directory Type

To aid in configuring the network connection between your B Series Appliance and your security provider, you can select a directory type as a template. This pre-populates the configuration fields below with standard data but must be modified to match your security provider's specific configuration. Active Directory LDAP is the most common server type, though you can configure BeyondTrust to communicate with most types of security providers.

Search Base DN

Determine the level in your directory hierarchy, specified by a distinguished name, at which the B Series Appliance should begin searching for groups. Depending on the size of your directory store and the groups that require access to the B Series Appliance, you may improve performance by designating the specific organizational unit within your directory store that requires access. If you are not sure or if groups span multiple organizational units, you may want to specify the root distinguished name of your directory store.

Browse Query

The browse query affects how results are displayed when browsing via group policies. This filters results so that only certain results display in the member selection dropdown when adding members to a group policy.

Object Classes

Specify valid object classes for a group within your directory store. Only groups that possess one or more of these object classes will be returned. These object classes are also used with the attribute names below to indicate to your B Series Appliance the schema the LDAP server uses to identify groups. You can enter multiple group object classes, one per line.

Attribute Names

Specify which fields should be used for a group's unique ID and display name.

Unique ID

This field requests a unique identifier for the object. While the distinguished name can serve as this ID, a group's distinguished name may change frequently over the life of a group, such as with a location change or with the renaming of the LDAP store. Therefore, most LDAP servers incorporate some field that is unique per object and does not change for the lifetime of the group. If you do use the distinguished name as the unique ID and a group's distinguished name changes, that group will be seen as a new group, and any group policies defined for that group will not be carried over to the new group. If your LDAP server does not incorporate a unique identifier, use a field that is least likely to have an identical entry for another group.

Display Name

This value determines which field should be used as the group's display name.

User to Group Relationships

This field requests a query to determine which users belong to which groups or, conversely, which groups contain which users.

Perform recursive search for groups

You can choose to perform a recursive search for groups. This will run a query for a user, then queries for all of the groups to which that user belongs, then queries for all groups to which those groups belong, and so forth, until all possible groups associated with that user have been found.

Running a recursive search can have a significant impact on performance, as the server will continue to issue queries until it has found information about all groups. If it takes too long, the user may be unable to log in.

A non-recursive search will issue only one query per user. If your LDAP server has a special field containing all of the groups to which the user belongs, recursive search is unnecessary. Recursive search is also unnecessary if your directory design does not handle group members of groups.

Test Settings

Username and Password

Enter a username and password for an account that exists on the server you are testing. This account must match the criteria for login specified in the configuration above.

Try to obtain user attributes and group memberships if the credentials are accepted

If this option is checked, your successful credential test will also attempt to check user attributes and group lookup. Note that for these features to be successfully tested, they must be supported and configured in your security provider.

Start Test

If your server is properly configured and you have entered a valid test username and password, you will receive a success message. Otherwise, you will see an error message and a log that will help in debugging the problem.

Edit Security Provider - RADIUS

Name

Create a unique name to help identify this provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

Keep display name synchronized with remote system

Checking this option keeps a user's display name set to the name designated on the security provider rather than allowing the display name to be modified in BeyondTrust.

Authorization Settings

Only allow the following users

You can choose to allow access only to specified users on your RADIUS server. Enter each username separated by a line break. Once entered, these users will be available from the Add Policy Member dialog when editing group policies on the /login > Users & Security > Group Policies page.

If you leave this field blank, all users who authenticate against your RADIUS server will be allowed; if you allow all, you must also specify a default group policy.

LDAP Group Lookup

If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group servers to use for group lookup.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

Connection Settings

Hostname

Enter the hostname of the server that houses your external directory store.

Port

Specify the authentication port for your RADIUS server. This is typically port 1812.

Timeout (seconds)

Set the length of time to wait for a response from the server. Note that if the response is Response-Accept or Response-Challenge, then RADIUS will wait the entire time specified here before authenticating the account. Therefore, it is encouraged to keep this value as low as reasonably possible given your network settings. An ideal value is 3-5 seconds, with the maximum value at three minutes.

Connection Method

If you are using an external directory store in the same LAN as your B Series Appliance, the two systems may be able to communicate directly, in which case you can leave the option Proxy from appliance through the Connection Agent unchecked and move on.

If the two systems are unable to communicate directly, such as if your external directory server is behind a firewall or if you are a BeyondTrust Cloud customer, you must use a connection agent. Downloading the Win32 connection agent enables your directory server and your B Series Appliance to communicate via an SSL-encrypted, outbound connection, with no firewall configuration. The connection agent can be downloaded to either the directory server or a separate server on the same network as your directory server (recommended).

In the case above, check Proxy from appliance through the Connection Agent (not applicable to BeyondTrust Cloud customers). Create a Connection Agent Password for use in the connection agent installation process. Then click Download Connection Agent, run the installer, and follow the installation wizard. During installation, you will be prompted to enter the security provider name and the connection agent password you created above.

Shared Secret

Provide a new shared secret so that your B Series Appliance and your RADIUS server can communicate.

Cluster Settings (Visible Only for Clusters)

Member Selection Algorithm

Select the method to search the nodes in this cluster.

Top-to-bottom first attempts the server with the highest priority in the cluster. If that server is unavailable or the account is not found, the next highest priority server is attempted. The search moves down through the list of clustered servers until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

Round-robin is designed to balance the load between multiple servers. The algorithm chooses at random which server to attempt first. If that server is unavailable or the account is not found, another random server is attempted. The search continues at random through the remaining servers in the cluster until either the account is found or it is determined that the account does not exist on any of the specified and available servers.

Retry Delay

Set how long to wait after a cluster member becomes unavailable before trying that cluster member again.

Test Settings

Username and Password

Enter a username and password for an account that exists on the server you are testing. This account must match the criteria for login specified in the configuration above.

Try to obtain user attributes and group memberships if the credentials are accepted

If this option is checked, your successful credential test will also attempt to check user attributes and group lookup. Note that for these features to be successfully tested, they must be supported and configured in your security provider.

Start Test

If your server is properly configured and you have entered a valid test username and password, you will receive a success message. Otherwise, you will see an error message and a log that will help in debugging the problem.

Edit Security Provider - Kerberos

Name

Create a unique name to help identify this provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

Keep display name synchronized with remote system

Checking this option keeps a user's display name set to the name designated on the security provider rather than allowing the display name to be modified in BeyondTrust.

Strip realm from principal names

Select this option to remove the REALM portion from the User Principal Name when constructing the BeyondTrust username.

Authorization Settings

User Handling Mode

Select which users can authenticate to your B Series Appliance. Allow all users allows anyone who currently authenticates via your KDC. Allow only user principals specified in the list allows only user principles explicitly designated. Allow only user principals that match the regex allows only users principals who match a Perl-compatible regular expression (PCRE).

SPN Handling Mode: Allow only SPNs specified in the list

If unchecked, all configured Service Principal Names (SPNs) for this security provider are allowed. If checked, select specific SPNs from a list of currently configured SPNs.

If you want users on this security provider to be associated with their groups on a separate LDAP server, choose one or more LDAP group servers to use for group lookup.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

Edit Security Provider - SAML2

Name

Enter a unique name to identify the provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

User Provision

By default, user provisioning occurs on this provider. If you have a SCIM provider set up, you can choose to provision users through that provider instead.

This setting cannot be modified after this security provider is first saved.

Associated Email Domains

This setting only applies if you have more than one active SAML provider and is ignored otherwise.

Add any email domains that should be associated with this SAML provider, one per line. When authenticating, users are asked to enter their email. The domain of their email is matched against this list, and they are redirected to the appropriate identity provider for authentication.

If multiple SAML providers are configured and the user's email does not match any of the associated domain on any provider, then they are not allowed to authenticate.

Identity Provider Settings

Identity Provider Metadata

The metadata file contains all the information needed for the initial setup of your SAML provider and must be downloaded from your identity provider. Save the XML file, and then click Choose File to select and upload the selected file.

The fields for Entity ID, Single Sign-On Service URL, and Certificate are automatically populated from the identity provider's metadata file. If you cannot get a metadata file from your provider, this information can be entered manually.

Entity ID

This is the unique identifier for the identity provider you are using.

Single Sign-On Service URL

This is the URL where you are automatically redirected to log in to BeyondTrust Privileged Remote Access using SAML.

SSO URL Protocol Binding

This determines whether an HTTP POST occurs or whether the user is redirected to the sign-on URL. Choose HTTP redirect if not specified by the provider.

If request signing is enabled (under Service Provider settings), protocol binding is limited to redirect only.

Server Certificate

This certificate is used to verify the signature of the assertion sent from the identity provider. Click +UPLOAD to open a file browse window, navigate to the certificate, and click Open.

Service Provider Settings

Service Provider Metadata

Download the BeyondTrust metadata, which you then need to upload to your identity provider.

Entity ID

This is your BeyondTrust URL. It uniquely identifies your site to the identity provider.

Private Key

If necessary, you can decrypt messages sent by the identity provider, if they support and require encryption. Click CHOOSE FILE to upload the private key necessary to decrypt the messages sent from the identity provider.

Signed AuthnRequest

Check to enable request signing. If enabled, SSO URL protocol binding is limited to redirect only. The SSO URL protocol binding field is updated automatically, if necessary.

A private key and signing certificate is required for request signing.

User Attribute Settings (Visible Only if This Provider is Used for User Provisioning)

User SAML Attributes

These attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers. If you are creating your own SAML connector, you may need to modify the attributes to match what is being sent by your identity provider.

Authorization Settings (Visible Only if This Provider is Used for User Provisioning)

Lookup Groups Using This Provider

Enabling this feature allows faster provisioning by automatically looking up groups for this user, using Group Lookup Attribute Name and Delimiter. We recommend enabling this feature. If not used, SAML users must be manually assigned to group policies after their first successful authentication.

Group Lookup Attribute Name

Enter the name of the SAML attribute that contains the names of groups to which users should belong. If the attribute value contains multiple group names, then specify the Delimiter used to separate their names.

If left blank, SAML users must be manually assigned to group policies after their first successful authentication.

Group Lookup Delimiter

If the Delimiter is left blank, then the attribute value may contain multiple XML nodes with each one containing a different name.

Available Groups

This is an optional list of SAML groups always available to be manually assigned to group policies. If left blank, a given SAML group is made available only after the first successful authentication of a user member of such group. Please enter one group name per line.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

For more information, please see SAML for Single Sign-On Authentication.

Edit Security Provider - SCIM

For SCIM to function, the SCIM API must be enabled on an API account, and the API must be configured on your SCIM provider. API accounts are managed at /login > Management > API Configuration. At this time, only one SCIM provider can be created. Once a SCIM provider has been created, the SCIM option is no longer available from the Create Provider dropdown. SCIM user provisioning utilizes SCIM 2.0 Users and Group objects. For more information about the SCIM 2.0 standard, please see https://scim.cloud/.

Privileged Remote Access now supports SCIM APIs for groups of users. Once you have configured a SCIM provider in /login and configured users and groups in your SCIM solution, PRA reflects the same groups as what is present in your SCIM solution, allowing you to select group polices by SCIM group.

Name

Create a unique name to help identify this provider.

Enabled

If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

SCIM User Query ID

From the dropdown, select the unique ID that SCIM should use for user queries.

SCIM Group Query ID

From the dropdown, select the unique ID that SCIM should use for group queries.

User Provision Settings

User Attribute

These attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers.

Authorization Settings

Unique ID

Enter the SCIM attribute to use as the user's unique ID within BeyondTrust.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.

Attribute Name

Enter the name of the SCIM attribute that identifies users uniquely.

The groups provisioned with SCIM are always uniquely identified case-insensitively through their name for Group Lookup purposes.