
Service provider configuration

Password Safe administration is performed using the BeyondInsight Management Console. Log in to the BeyondInsight Management Console web page with an administrative username and password. Follow the BeyondTrust instructions for setting it up as a SAML service provider.

ℹ️

Note

For more information about Password Safe and SAML configuration, see Configure SAML in BeyondInsight.

ℹ️

Note

The HYPR metadata information is available at this link: https:///auth/realms//protocol/saml/descriptor.

⚠️

Important

Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit <https://www.hypr.com/support> or https://www.keycloak.org.

Sample SAML configuration

Log in to BeyondInsight.

  1. From the left sidebar, click Configuration.
  2. Under Authentication Management, click SAML Configuration.
  3. Click Create new SAML Identity Provider.
  4. Fill in fields with the appropriate values.

Identity provider configuration (HYPR/Keycloak)

Create new client by importing the BeyondTrust metadata

  1. Log in to the Keycloak admin page and select the BeyondTrust realm in the dropdown.
  2. Click Clients in the left navigation menu.
  3. Once the Clients page opens, click Import client.
  4. Click Browse and select the SAML metadata file exported from Password Safe. The Client ID field will be filled automatically; you can also manually enter a Name. This example uses BeyondTrustPSClient.
  5. Click Save.

Configure new client settings

  1. Log in to the Keycloak admin page and select the BeyondTrust realm from the dropdown.

  2. Click Clients in the left navigation menu. A list of clients populates the main pane.

  3. Select the client you just created.

  4. A set of tabs displays for the client properties:

    • Settings
    • Keys
    • Credentials
    • Roles
    • Client scopes
    • Sessions
    • Advanced

    The following sections describe each tab and the subsections therein.

Configure general settings on the Settings tab

| Field | Value |
| --- | --- |
| Client ID | The Client ID defined at creation. |
| Name | The Name defined at creation. (BeyondTrustPSClient) |
| Description | An optional field for additional information. |
| Always display in UI | Off |

Configure access settings on the Settings tab

Leave all fields blank except for Valid redirect URIs and Valid post logout redirect URIs.

| Field | Value |
| --- | --- |
| Valid redirect URIs | - |
| Valid post logout redirect URIs | - |

Configure SAML capabilities on the Settings tab

| Field | Value |
| --- | --- |
| Name ID format | username |
| Force name ID format | Off |
| Force POST binding | On |
| Force artifact binding | Off |
| Include AuthnStatement | On |
| Include OneTimeUse Condition | Off |

Configure signature and encryption on the Settings page

| Field | Value |
| --- | --- |
| Sign documents | Off |
| Sign assertions | On |
| Signature algorithm | RSA_SHA256 |

Configure login settings on the Settings tab

| Field | Value |
| --- | --- |
| Login theme | Choose… (leave unchosen) |
| Consent required | Off |
| Display client on screen | Off |
| Client consent screen text | (Leave blank) |

Configure logout on the Settings tab

| Field | Value |
| --- | --- |
| Front channel logout | On |

Configure the Keys tab

No configuration changes are needed in this section.

Configure the Credentials tab

No configuration changes are needed in this section.

Configure the Roles tab

No configuration changes are needed in this section.

Configure the Client Scopes tab

Attribute mappings must be added here.

  1. Click the URL in the Assigned client scope column to open the Mappers dialog.
  2. Click Add mapper and complete the Group list properties for Group.

| Field | Value |
| --- | --- |
| Mapper type | Group list |
| Name | Group |
| Group attribute name | Group |
| Friendly Name | Group |
| SAML Attribute NameFormat | Basic |
| Single Group Attribute | On |
| Full group path | Off |

  3. Click Save when complete.
  4. Click Add Mapper again and create a User Attribute called Name.

| Field | Value |
| --- | --- |
| Mapper type | User Attribute |
| Name | Name |
| User Attribute | email |
| Friendly Name | Name |
| SAML Attribute Name | Name |
| SAML Attribute NameFormat | Basic |
| Aggregate attribute values | Off |

  5. Click Save when complete.
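
A structural check of the SAML response that the Settings tab values and the two mappers above should produce, as an added example that is not BeyondTrust, HYPR or Keycloak code. The sample response, user and group names are constructed, `audit_response` is a hypothetical helper, and the check inspects structure only; it does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:SAML:2.0:"
NS = {"samlp": P + "protocol", "saml": P + "assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BASIC = P + "attrname-format:basic"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: shape of a response under the documented settings (signature values elided).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
 <saml:Conditions/>
 <saml:AuthnStatement/>
 <saml:AttributeStatement>
  <saml:Attribute Name="Name" NameFormat="{BASIC}"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group" NameFormat="{BASIC}"><saml:AttributeValue>ps-admins</saml:AttributeValue><saml:AttributeValue>ps-users</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>"""

def audit_response(b64_response):
    """Return a list of deviations from the documented client settings.
    Structural checks only: the signature is NOT cryptographically verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in response"]
    if root.find("ds:Signature", NS) is not None:
        findings.append("Response is signed (Sign documents should be Off)")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("Assertion is unsigned (Sign assertions should be On)")
    elif method.get("Algorithm") != RSA_SHA256:
        findings.append("signature algorithm is not RSA_SHA256")
    if assertion.find("saml:AuthnStatement", NS) is None:
        findings.append("AuthnStatement missing")
    if assertion.find("saml:Conditions/saml:OneTimeUse", NS) is not None:
        findings.append("OneTimeUse condition present")
    attrs = assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    for name in ("Name", "Group"):  # Single Group Attribute On: one element, many values
        hits = [a for a in attrs if a.get("Name") == name]
        if len(hits) != 1:
            findings.append(f"expected exactly one {name} attribute, found {len(hits)}")
        elif hits[0].get("NameFormat") != BASIC:
            findings.append(f"{name} attribute NameFormat is not Basic")
    return findings
```

Pass in the base64 `SAMLResponse` form field captured from a test login. For input you do not control, parse with `defusedxml` rather than the standard library parser.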

Configure the Sessions tab

No configuration changes are needed in this section.

Configure the Advanced tab

| Field | Value |
| --- | --- |
| Browser Flow | HYPR |

Log in to Password Safe with HYPR

ℹ️

Note

Make sure to install the HYPR Mobile App on your mobile device before proceeding.

SAML Kickoff URL:

https://.ps.beyondtrustcloud.com/eEye.RetinaCSSAML

  1. Launch the Password Safe login.
  2. Enter your username in the HYPR login page, then click Sign In.
  3. Complete the login using your HYPR Mobile App.
  4. You will receive a push notification on the HYPR Mobile App. Click Login. The HYPR Mobile App will verify your identity (with FaceID, TouchID, etc.); foll
