
PingOne Advanced Identity Cloud

Ping Identity is a leading provider of seamless and secure digital experiences. Ping Identity and ForgeRock have joined forces to deliver a more complete identity solution for our customers and partners.

Prerequisites

You must have the following:

  • PingOne Advanced Identity Cloud version 14761.0 or above
  • BeyondTrust Password Safe version 24.1.1.268 or above

Capabilities

With this integration, you can access the following capabilities:

  • account discovery
  • group discovery
  • account creation
  • add/remove group for account
  • enable/disable account
  • delete account
  • update account

Configure BeyondInsight/Password Safe for PingOne Advanced Identity Cloud

  1. Sign in to BeyondInsight/Password Safe.
  2. From the left menu, navigate to the User Management > Group: SCIM Service Accounts page.
  3. In the Group Details section, click Features.
    The Features page displays.
  4. Change the access to Full Control for the following features:
    • Management Console Access
    • Options - Connectors
    • Password Safe Account Management
    • Password Safe Role Management
    • Smart Rule Management - Managed Account
    • User Accounts Management
  5. In the Group Details section, click Smart Groups.
    The Smart Groups Permissions page displays.
  6. For each Managed Account Smart Group, add Read Only permission.
    Note:
    • This is a manual step required each time you create a new Managed Account Smart Group.
    • Only Managed Account Smart Groups with the Managed Account category are visible via SCIM. Platform and Custom categories are not visible.
    • Permissions to the Managed Account Smart Group are not necessary for PingOne Advanced Security Cloud in this version but may be necessary in future versions for expanded visibility.
  7. In the Group Details section, click Users.
    The Users page displays.
  8. Assign a user to the Managed Smart Group:
    1. From the Show list, select Users not assigned.
    2. Optionally, filter the list of users by Type, Username, Name, Email, and/or Domain.
    3. Select the user you wish to add to the group.
    4. Click Assign User.
      The user is assigned to the group.
  9. Sign out of BeyondInsight/Password Safe.
  10. Sign back into BeyondInsight/Password Safe as the Service Account.
  11. From the left menu, navigate to the General > Connector page.
  12. Select SCIM Listener from the Connect Name drop-down list.
  13. Click Recycle Client Server.
  14. Make a note of the Client ID and Secret.
    Client Credentials are the preferred method for initial testing. Refresh Token is preferred for production.

Your Password Safe Connector is now configured for PingOne Advanced Identity Cloud.

Configure PingOne Advanced Identity Cloud for BeyondInsight/Password Safe

  1. Sign in to PingOne Advanced Identity Cloud.
  2. Navigate to Application > Browse App Catalog.
  3. Enter BeyondTrust in the search bar.
  4. Select the BeyondTrust app.
  5. Click Next.
  6. Enter a Name, Description, and the Owners for the application.
  7. Configure the Endpoints for your Password Safe instance.
    1. SCIM Endpoint: /scim/v2
    2. Token Endpoint: /scim/oauth/token
  8. Enter the Connection Settings using the Client ID and Secret generated during the Configure BeyondInsight/Password Safe for PingOne Advanced Identity Cloud process.
  9. Navigate to the Provisioning page.
  10. Under the BeyondTrust logo, select User.
  11. In the left menu, click Properties.
  12. Move Password and _NAME_ to the top of the list.
  13. In the left menu, click Reconciliation > Reconcile.
  14. Click Reconcile Now.
  15. Under the BeyondTrust logo, select Group.
  16. In the left menu, click Reconciliation.
  17. Click Reconcile Now.
  18. At the top of the page, click Users & Roles.
    A list of your Password Safe users displays.

Within PingOne Advanced Identity Cloud, you can now view and modify your Group Memberships and attributes, as well as provision new Password Safe accounts for existing users (use the Add Member button).
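
To confirm that the Client ID and Secret work against the two endpoints configured above, the following added example (not BeyondTrust's or Ping Identity's code) requests a token and counts the users and groups visible via SCIM. It assumes the token endpoint accepts the standard OAuth 2.0 client-credentials grant with the credentials in the form body; the PS_* environment variable names are hypothetical and the host is whatever base URL your Password Safe instance uses.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/scim/oauth/token"  # Token Endpoint from the steps above
SCIM_PATH = "/scim/v2"            # SCIM Endpoint from the steps above

def token_request(base_url, client_id, client_secret):
    """OAuth 2.0 client-credentials request (RFC 6749, section 4.4)."""
    # Assumption: credentials go in the form body; switch to HTTP Basic if needed.
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(base_url.rstrip("/") + TOKEN_PATH, data=form, method="POST")

def list_request(base_url, resource, access_token):
    """SCIM list request (RFC 7644) asking for a single resource."""
    url = f"{base_url.rstrip('/')}{SCIM_PATH}/{resource}?count=1"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/scim+json",
    })

def total_results(body):
    """Return totalResults from a SCIM ListResponse; reject anything else."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return int(doc["totalResults"])

def main():
    # PS_* variable names are hypothetical; reading the secret from the
    # environment keeps it out of shell history and process arguments.
    base = os.environ["PS_BASE_URL"]
    req = token_request(base, os.environ["PS_CLIENT_ID"], os.environ["PS_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=15) as resp:
        token = json.load(resp)["access_token"]
    for resource in ("Users", "Groups"):
        with urllib.request.urlopen(list_request(base, resource, token), timeout=15) as resp:
            print(resource, "visible via SCIM:", total_results(resp.read()))

if __name__ == "__main__":
    main()
```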

