Configure SAML 2.0 for Remote Support

Using Beyond Identity with SAML for Remote Support provides several benefits:

  • Provides strong, unphishable multi-factor access and policy-based access controls to ensure high-trust authentication for admin accounts.
  • Ensures only devices that meet the company’s security policy have access to admin accounts.
  • Establishes identity before privileged actions on an endpoint are allowed, using a frictionless step-up authentication.
  • Creates a zero-trust PAM architecture: the system doesn’t trust the user until they pass a high-assurance authentication and doesn’t trust their device unless it meets security policies.
  • Eliminates passwords and the corresponding vulnerabilities from privileged accounts.

Beyond Identity can validate a device’s security posture before allowing access to Remote Support.

Editing access rule conditions in Beyond Idenitty.

Beyond Identity can provide insights into access activity.

Beyond Indentity access map, showing counts of access by country.

To use the Beyond Identity app, you must download and install the application, and configure it and BeyondTrust Remote Support to work together. The integration is configured using POST, not redirect. The integration can be used to authenticate SAML for representatives and public sites.

Download the Beyond Identity App

Web page for downloading Beyond Identity

Go to the Beyond Identity Download site.

Download and install the Beyond Identity app, and then use the app to authenticate your instance of Beyond Identity.

Configure Beyond Identity for Representatives

Follow the steps below to download and configure the Beyond Identity app for a representative.

BeyondTrust page for adding SAML.

  1. If Beyond Identify is already open in a browser tab, open a new browser tab for BeyondTrust Remote Support.
  2. Go to the /login interface of the Remote Support instance.
  3. Click Users & Security on the left menu, and then click the Security Providers tab.
  4. Click Add and select SAML for Representatives.

 

Screenshot of BeyondTrust page for obtaining service provider metadata.

  1. Scroll down and expand the Service Provider Settings.
  2. Locate the Assertion Consumer Service URL and the Entity ID. These are required for Beyond Identity. Alternately, click Download Service Provider Metadata.

 

Integrations for SAML connections.

  1. If Beyond Identity is not already open, open it in a new browser tab.
  2. Click Integrations in the left menu.
  3. Click the SAML tab.
  4. Click Add SAML Connection.

 

Beyond Identity page for editing the SAML connection.

  1. If you have downloaded the service provider metadata, click Upload XML and locate the file on your device.
  2. If you have not downloaded the information, then:
    • Copy the Assertion Consumer Service URL in Remote Support to SP Single Sign On URL in Beyond Identity.
    • Copy the Entity ID in Remote Support to SP Audience URI in Beyond Identity.

 

Configuring attribute statements in Beyond Identity.

  1. In Beyond Identity, configure Attribute Statements. Groups includes a RS group to be assigned via the SAML assertion.

 

SAML connection download screen in Beyond Identity.

  1. In Beyond Identity, click Save Changes.
  2. In the SAML Connections panel, locate the connection just added.
  3. For the new connection:
    • Click the Download Certificate icon.
    • Click the Download Metadata icon </>.

 

BeyondTrust page for uploading identity provider metadata and certificate.

  1. Return to the browser tab for the /login interface of the BeyondTrust Remote Support instance.
  2. In the Remote Support /login interface:
    • Click Upload Identity Provider Metadata and locate the file on your device.
    • Click Upload Certificate (or Replace Certificate, if required), and locate the file on your device.

 

BeyondTrust page for setting user attributes.

  1. Scroll down and expand the User Attribute Settings.
  2. Configure based on the attribute names configured in Beyond Identity.

 

BeyondTrust page for configuring authorization.

  1. Scroll down and expand Authorization Settings.
  2. Configure as required. A Default Group Policy must be selected.
  3. Click Save.
  4. Log out of BeyondTrust Remote Support.

Test Beyond Identity on your Device

To test Single Sign-On using SAML with the Beyond Identity app, ensure you are logged out of all instances of BeyondTrust Remote Support.

BeyondTrust Remote Support login page, with option to use SAML authentication.

On the login page for Remote Support, click Use SAML Authentication.

 

"Verifying your identity" message displays from the Beyond Identity app during login.

A screen shows the Beyond Identity app verifying Identity.

 

BeyondTrust Remote Support My Account screen, after login using SAML and Beyond Identity.

After successful verification, you are authenticated in Remote Support.

 

Configure Beyond Identity for Public Portals or Sites

Repeat the steps for Configure Beyond Identity for Representatives with the following changes:

In step 4, select SAML For Public Portals.

After saving the configuration in the Remote Support (step 23), do not log out. Instead, continue with these additional steps:

  1. Select Public Portals on the left menu, and then the Public Sites tab.
  2. Click Add. In the BeyondTrust instance, click Public Portals, and then Public Sites.

BeyondTrust page for public portals, with "Require SAML authentication" checked.

  1. Enter the site information, and check the Require SAML Authentication box.
  2. Click Save.
  3. Log out of BeyondTrust Remote Support.

 

BeyondTrust Remote Support support portal after SMAL authentication by Beyond Identity.

When using the URL for your public sites, SAML authentication occurs via Beyond Identity.

 

For more information, please see Create and Configure the SAML Security Provider.

Should you need any assistance, please contact www.beyondtrust.com/support.