Create and Configure the SAML Security Provider


Go to /login > Users & Security > Security Providers.

From the Add dropdown, select the type of server you want to configure.

You can configure only one SAML provider.

Add Security Provider

Name

This unique name helps to identify your provider. The name for your SAML provider is auto-generated and cannot be edited at this time.

Enabled

If checked, your B Series Appliance can search this security provider when a user attempts to log in. If unchecked, this provider will not be searched.

User Provision

By default, user provisioning occurs on this provider. If you have a SCIM provider set up, you can choose to provision users through that provider instead.

This setting cannot be modified after this security provider is first saved.

Identity Provider Settings

Identity Provider Metadata

The metadata file contains all the information needed for the initial setup of your SAML provider and must be downloaded from your identity provider. Save the XML file, and then click Choose File to select and upload the selected file.

The fields for Entity ID, Single Sign-On Service URL, and Certificate are automatically populated from the identity provider's metadata file. If you cannot get a metadata file from your provider, this information can be entered manually.

Entity ID

This is the unique identifier for the identity provider you are using.

Single Sign-On Service URL

When you log into BeyondTrust using SAML, this is the identity provider URL to which you are automatically redirected so you can authenticate.

SSO URL Protocol Binding

This determines whether the authentication request is delivered with an HTTP POST or by redirecting the user's browser to the sign-on URL (HTTP-Redirect). Leave this set to redirect unless the identity provider requires otherwise.

Server Certificate

This certificate is used to verify the signature of the assertion sent from the identity provider.

Service Provider Settings

Service Provider Metadata

Download the BeyondTrust metadata, which you then need to upload to your identity provider.

Entity ID

This is your BeyondTrust URL. It uniquely identifies your site to the identity provider.

Private Key

If the identity provider supports and requires encryption, messages it sends can be decrypted by your B Series Appliance. Click Choose File to upload the private key needed to decrypt the messages sent from the identity provider.

User Provision Settings (Visible Only if This Provider is Used for User Provisioning)

User SAML Attribute

These attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers. If you are creating your own SAML connector, you may need to modify the attributes to match what is being sent by your identity provider.

Authorization Settings (Visible Only if This Provider is Used for User Provisioning)

Group Lookups

This is the SAML attribute that contains the names of groups to which users should belong. The default name for the BeyondTrust applications is "Groups".

If the attribute value contains multiple group names, you need to specify the delimiter used to separate their names. If the delimiter is left blank, then the attribute value may contain multiple XML nodes with each one containing a different name.

Available Groups

Allows a predefined list of groups to be associated with the security provider. This list can then be used to associate a group with the appropriate group policy.

Default Group Policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

Note that if a default policy is defined, then any allowed user who authenticates against this server will potentially have access at the level of this default policy. Therefore, it is recommended that you set the default to a policy with minimum privileges to prevent users from gaining permissions that you do not wish them to have.

If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy will always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.