BlokSec and BeyondTrust Remote Support for Representatives
Traditional remote access methods such as RDP, VPN, and legacy remote desktop tools lack granular access management controls. These processes enable easy exploits via stolen credentials and session hijacking. Extending remote access to your vendors makes matters even worse.
BeyondTrust Secure Remote Access enables organizations to apply least privilege and audit controls to all remote access from employees, vendors, and service desks. BlokSec provides users the ability to securely connect without the hassle of passwords or MFA. Representatives and public portals are supported.
Remote Support for representatives provides the ability to configure a SAML authentication provider, which needs to be configured to point to BlokSec instance. Configuration is required in both products.
To learn more about BlokSec, please see .
Prerequisites
- Installed BeyondTrust Remote Support instance
- Installed BlokSec instance
- BlokSec test users with mobile app installed
Remote Support for Representatives
Create Remote Support for Representatives Application in the BlokSec Administration Console
Log in to Bloksec and follow the steps below:
- From the dashboard, click + Add Application.
- Select Create from Template.
- Select the BeyondTrust Remote Support and Privileged Remote Access for Representatives template.
- On the Create Application screen:
- Replace {your-instance-url} in the Entity ID and Assertion Consumer Service URLs with the URL of your BeyondTrust site (for example, eval######.beyondtrustcloud.com or your customer URL).
- Set the NameID Source to User email.
- Edit the Groups attribute and set the Value to the group name, which is passed with the SAML assertion.
- Submit the new application, and then make note of the SSO Uri, and view and save the X.509 Signing Certificate in a new file, for example, signing_cert.pem.
Configure the SAML for Representatives Identity Provider in BeyondTrust
Log in to BeyondTrust Remote Support. Continue with the steps below.
- Click the Users & Security > Security Providers tab, click + Add, and select SAML for Representatives.
- Under Identity Provider Settings:
- Enter the Entity ID: https://api.bloksec.io
- Set the Single Sign-On Service URL to the SSO Uri value provided by BlokSec when the new application was submitted in the BlokSec Administration Console. For example, https://api.bloksec.io/sso/SingleSignOnService/{unique ID}.
- Click + UPLOAD CERTIFICATE and upload the certificate downloaded from BlokSec when the new application was submitted in the BlokSec Administration Console.
- Under Authorization Settings, choose the group to be used for the Default Group Policy.
Test the Configuration
- Go to the BlokSec administration console, and navigate to the newly created BeyondTrust Remote Support for Representatives application.
- Click the settings icon.
- Select Create Account.
- Go to the BeyondTrust instance’s login page (for example, https://eval######.beyondtrustcloud.com/login/login) and click Use SAML Authentication.
- Enter the username created in the step above.
- BlokSec sends a push notification to the user's mobile application to authenticate the representative.
- The representative can review the request, and then approve it. The device performs a biometric authentication (e.g., fingerprint or facial recognition depending on the mobile device's capabilities), and then a digital signature is sent to the BlokSec service to verify the representative's authenticity.
- The representative is securely logged into the BeyondTrust Remote Support console.
