Create and Configure a SAML Security Provider for Representatives and Public Portals


Add Security Provider

  1. Go to /login > Users & Security > Security Providers.
  2. Click Add.
  3. From the dropdown, select the type of provider you want to configure.

You can configure only one SAML provider for representatives and one SAML provider for public portals.


SAML For Representatives Settings

Name

The name for your SAML provider is auto-generated and cannot be edited at this time.

Enabled

If checked, your Secure Remote Access Appliance can search this security provider when a user attempts to log into the representative console or /login. If unchecked, this provider will not be searched.

Identity Provider Settings

Metadata

The metadata file contains all the information needed for the initial setup of your SAML provider and must be downloaded from your identity provider. Save the XML file, and then click Upload Identity Provider Metadata to select and upload it.

Entity ID

Unique identifier for the identity provider you are using.

Server Certificate

This certificate will be used to verify the signature of the assertion sent from the identity provider.

The fields for Entity ID, Single Sign-On Service URL, and Certificate are automatically populated from the identity provider's metadata file. If you cannot get a metadata file from your provider, this information can be entered manually.

Single Sign-On Service URL

When you want to log into BeyondTrust using SAML, this is the URL where you are automatically redirected so you can log in.

SSO URL Protocol Binding

Determines whether the authentication request is sent to the sign-on URL with an HTTP POST or with an HTTP redirect. Leave this at the default (redirect) unless the identity provider requires otherwise.

Service Provider Settings

Download Service Provider Metadata

Download the BeyondTrust metadata, which must then be uploaded to your identity provider.

Entity ID

This is your BeyondTrust URL. It uniquely identifies the service provider.

Private Key

If your identity provider supports and requires encryption, the messages it sends can be decrypted. Click Choose File to upload the private key needed to decrypt the messages sent from the identity provider.

User Attribute Settings

SAML attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers. If you are creating your own SAML connector, you may need to modify the attributes to match what is being sent by your identity provider. If your identity provider requires case-insensitivity for the NameID attribute, select Use case-insensitive comparison for NameIDs.

Authorization Settings

Group Lookup Attribute Name

This is the SAML attribute that contains the names of groups to which users should belong. The default name for the BeyondTrust applications is "Groups".

Delimiter

If the attribute value contains multiple group names, you need to specify the delimiter used to separate them. If the delimiter is left blank, the attribute may instead carry multiple XML nodes, each containing a single group name.

Available Groups

Allows a predefined list of groups to be associated with the security provider. This list can then be used to associate a group with the appropriate group policy.

Default Group Policy

Select the default group to which users will be assigned. Users will be assigned settings defined in the default group policy only if they do not belong to another group policy that defines those settings.
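To show how the User Attribute and Authorization settings above act on an assertion, here is an added Python example (not BeyondTrust code) that reads the Group Lookup Attribute from two constructed assertions, one delimited value and one with several AttributeValue nodes, applies the case-insensitive NameID option, and maps the groups to policies via an assumed Available Groups dictionary with the default policy as the lowest-precedence fallback.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions (not real IdP output). The first carries the
# group names in one delimited value, the second in several AttributeValue
# nodes, which is the case the Delimiter setting covers when left blank.
DELIMITED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>Alice.Smith@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Support Reps;Team Leads</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

MULTI_NODE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice.smith@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Support Reps</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_groups(assertion_xml, attribute_name="Groups", delimiter=""):
    """Group names from the lookup attribute: split each AttributeValue on the
    delimiter if one is set, otherwise treat each AttributeValue as one name."""
    root = ET.fromstring(assertion_xml)
    names = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            names.extend(text.split(delimiter) if delimiter else [text])
    return [n.strip() for n in names if n.strip()]

def name_id_matches(assertion_xml, stored_name_id, case_insensitive=False):
    """Compare the asserted NameID with a stored one, honouring the
    'Use case-insensitive comparison for NameIDs' option."""
    node = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", SAML_NS)
    presented = (node.text or "").strip() if node is not None else ""
    if case_insensitive:
        return presented.casefold() == stored_name_id.casefold()
    return presented == stored_name_id

def resolve_policies(groups, available_groups, default_policy):
    """Map asserted groups to policies through the Available Groups list (assumed
    dict); unknown groups are ignored and the default policy comes last."""
    policies = [available_groups[g] for g in groups if g in available_groups]
    return policies + [default_policy]
```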

SAML For Public Portals Settings

Name

The name for your SAML provider is auto-generated and cannot be edited at this time.

Enabled

If checked, your Secure Remote Access Appliance can search this security provider when a user attempts to log into the public portal. If unchecked, this provider will not be searched.

Identity Provider Settings

Metadata

The metadata file contains all the information needed for the initial setup of your SAML provider and must be downloaded from your identity provider. Save the XML file, and then click Upload Identity Provider Metadata to select and upload it.

Entity ID

Unique identifier for the identity provider you are using.

Server Certificate

This certificate will be used to verify the signature of the assertion sent from the identity provider.

The fields for Entity ID, Single Sign-On Service URL, and Certificate are automatically populated from the identity provider's metadata file. If you cannot get a metadata file from your provider, this information can be entered manually.

Single Sign-On Service URL

When you want to log into BeyondTrust using SAML, this is the URL where you are automatically redirected so you can log in.

SSO URL Protocol Binding

Determines whether the authentication request is sent to the sign-on URL with an HTTP POST or with an HTTP redirect. Leave this at the default (redirect) unless the identity provider requires otherwise.

Service Provider Settings

Download Service Provider Metadata

Download the BeyondTrust metadata, which must then be uploaded to your identity provider.

Entity ID

This is your BeyondTrust URL. It uniquely identifies the service provider.

Private Key

If your identity provider supports and requires encryption, the messages it sends can be decrypted. Click Choose File to upload the private key needed to decrypt the messages sent from the identity provider.

User Attribute Settings

SAML attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers. If you are creating your own SAML connector, you may need to modify the attributes to match what is being sent by your identity provider. The SAML attributes can also be associated with customer sessions by adding custom fields with matching code names on the Custom Fields page in /login.

Enable SAML Authentication on a Public Site

Once SAML for Public Portals settings have been configured, you can enable SAML authentication on a public site in /login as follows:

Image of Require SAML Authentication setting on a Public Site in /login.

  1. Go to Public Portals > Public Sites.
  2. Click Edit next to the desired public site.
  3. Select Require SAML Authentication.
  4. Click Save.