Configure SAML 2.0 for Privileged Remote Access
Using Beyond Identity with SAML for Privileged Remote Access provides several benefits:
- Provides strong, unphishable multi-factor access and policy-based access controls to ensure high-trust authentication for admin accounts.
- Ensures only devices that meet the company’s security policy have access to admin accounts.
- Establishes identity before privileged actions on an endpoint are allowed, using a frictionless step-up authentication.
- Creates a zero-trust PAM architecture: the system doesn’t trust the user until they pass a high-assurance authentication and doesn’t trust their device unless it meets security policies.
- Eliminates passwords and the corresponding vulnerabilities from privileged accounts.
Beyond Identity can validate a device’s security posture before allowing access to Privileged Remote Access.
To use the Beyond Identity app, you must download and install the application, and configure it and BeyondTrust Privileged Remote Access to work together. The integration is configured using POST, not redirect.
Download the Beyond Identity App
Go to the Beyond Identity Download site.
Download and install the Beyond Identity app, and then use the app to authenticate your instance of Beyond Identity.
Follow the steps below to download and configure the Beyond Identity app:
- If Beyond Identity is already open in a browser tab, open a new browser tab for BeyondTrust Privileged Remote Access.
- Go to the admin interface of the Privileged Remote Access instance.
- Click Users & Security on the left menu, and then click the Security Providers tab.
- Click Add and select SAML2.
- Scroll down and expand the Service Provider Settings.
- Locate the Assertion Consumer Service URL and the Entity ID. These are required for Beyond Identity. Alternately, click Download Service Provider Metadata.
- If Beyond Identity is not already open, open it in a new browser tab.
- Click Integrations on the left menu.
- Click the SAML tab.
- Click Add SAML Connection.
- If you have downloaded the service provider metadata, click Upload XML and locate the file on your device.
- If you have not downloaded the information, then:
- Copy the Assertion Consumer Service URL in Privileged Remote Access to SP Single Sign On URL in Beyond Identity.
- Copy the Entity ID in Privileged Remote Access to SP Audience URI in Beyond Identity.
- In Beyond Identity, configure Attribute Statements. Groups includes a PRA group to be assigned via the SAML assertion.
- In Beyond Identity, click Save Changes.
- In the SAML Connections panel, locate the connection just added.
- For the new connection:
- Click the Download Certificate icon.
- Click the Download Metadata icon </>.
- Return to the browser tab for the admin interface of the BeyondTrust Privileged Remote Access instance.
- In the Privileged Remote Access admin interface:
- Click Upload Identity Provider Metadata and locate the file on your device.
- Click Upload Certificate (or Replace Certificate, if required), and locate the file on your device.
- Scroll down and expand the User Attribute Settings.
- Configure based on the attribute names configured in Beyond Identity.
- Scroll down and expand Authorization Settings.
- Configure as required. A Default Group Policy must be selected.
- Click Save.
- Log out of BeyondTrust Privileged Remote Access.
Test Beyond Identity on your Device
To test Single Sign-On using SAML with the Beyond Identity app, ensure you are logged out of all instances of BeyondTrust Privileged Remote Access.
On the login page for Privileged Remote Access, click Use SAML Authentication.
A screen shows the Beyond Identity app verifying identity.
After successful verification, you are authenticated in Privileged Remote Access.
For more information, please see SAML for Single Sign-On Authentication.
Should you need any assistance, please contact BeyondTrust Technical Support at www.beyondtrust.com/support.