Integrate BlokSec and BeyondTrust Privileged Remote Access
Traditional remote access methods such as RDP, VPN, and legacy remote desktop tools lack granular access management controls. These processes enable easy exploits via stolen credentials and session hijacking. Extending remote access to your vendors makes matters even worse.
BeyondTrust Privileged Remote Access enables organizations to apply least privilege and audit controls to all remote access from employees, vendors, and service desks. BlokSec provides users the ability to securely connect without the hassle of passwords or MFA.
Integrating Privileged Remote Access with BlokSec requires configuring a BlokSec instance and configuring a SAML authentication provider in Privileged Remote Access.
To learn more about BlokSec, please see the BlockSec website.
Prerequisites
- Installed BeyondTrust Privileged Remote Access instance
- Installed BlokSec instance
- BlokSec test users with mobile app installed
Create Privileged Remote Access Application in the BlokSec Administration Console
Log in to Bloksec and follow the steps below:
- From the dashboard, click + Add Application.
- Select Create from Template.
- Select the BeyondTrust Remote Support and Privileged Remote Access for Representatives template.
- On the Create Application screen:
- Replace {your-instance-url} in the Entity ID and Assertion Consumer Service URLs with the URL of your BeyondTrust site (for example, eval######.beyondtrustcloud.com or your customer URL).
- Set the NameID Source to User email.
- Edit the Groups attribute and set the Value to the group name, which is passed with the SAML assertion.
- Submit the new application, and then make note of the SSO Uri, and view and save the X.509 Signing Certificate in a new file, for example, signing_cert.pem.
Configure the SAML Identity Provider in BeyondTrust
Log in to BeyondTrust Privileged Remote Access. Continue with the steps below.
- Click the Users & Security > Security Providers tab, click + Add, and select SAML2.
- Under Identity Provider Settings:
- Enter the Entity ID: https://api.bloksec.io
- Set the Single Sign-On Service URL to the SSO Uri value provided by BlokSec when the new application was submitted in the BlokSec Administration Console. For example, https://api.bloksec.io/sso/SingleSignOnService/{unique ID}.
- Click + UPLOAD CERTIFICATE and upload the certificate downloaded from BlokSec when the new application was submitted in the BlokSec Administration Console.
- Under Authorization Settings, choose the group to be used for the Default Group Policy.
Test the Configuration
- Go to the BlokSec administration console, and navigate to the newly created BeyondTrust Privileged Remote Access application.
- Click the settings icon.
- Select Create Account.
- Go to the BeyondTrust instance’s login page (for example, https://eval######.beyondtrustcloud.com/login/login) and click Use SAML Authentication.
- Enter the username created in the step above. This screen and the next may show Remote Support instead of Privileged Remote Access.
- BlokSec sends a push notification to the user's mobile application to authenticate the representative.
- The representative can review the request, and then approve it. The device performs a biometric authentication (e.g., fingerprint or facial recognition depending on the mobile device's capabilities), and then a digital signature is sent to the BlokSec service to verify the representative's authenticity.
- The representative is securely logged into the BeyondTrust Privileged Remote Access console.
