SAML using Entra ID App
Entra ID, part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against a wide range of cyber security attacks.
A BeyondTrust app, available in Entra ID App Gallery, provides Single Sign-On and provisioning via SAML 2.0. This app supports Remote Support and public portals, Privileged Remote Access, Password Safe, and Password Safe Cloud.
Install and Configure Entra ID App
Follow the steps below to install and configure this app.
- Locate the BeyondTrust SAML app in the Microsoft Entra ID Gallery.
- Change the name to your preferred descriptive name, for example, BeyondTrust SAML – Password Safe. Some screenshots below use BeyondTrust Privileged Remote Access as the example; the process is the same for Password Safe.
Note
While a single instance of the app can service multiple BeyondTrust products simultaneously, we recommend creating a separate app instance for Password Safe, if you are using that product.
- Click Create.
- Information about the BeyondTrust SAML app displays when creation is completed.
- Click Set up single sign-on under Getting Started.
- Configure Basic SAML Configuration to match your Password Safe instance. The Entity IDs are specific to the instances for each product.
- Change the Unique Identifier (Name ID) to the Persistent format.
- Click Edit on the Attributes & Claims section:
  - Click Add a group claim.
  - Select Groups assigned to the application.
  - Leave Source attribute as the default of Group ID.
  - Check Customize the name of the group claim and enter Groups for the Name.
  - Click Save.
  Ensure the Source and Value for each claim are configured as indicated in the table below.

| Source | Value |
|---|---|
| FirstName (Optional) | user.givenname |
| LastName (Optional) | user.surname |
| Name (Required) | user.principalname |
| Email (Optional) | user.mail |
| Groups (Required) | user.groups |
Note
The group claim must be configured to use only groups assigned to the application. This prevents errors that may occur if a user belongs to more than 150 AD groups. For more information, see Configure group claims for applications by using Entra ID.
- Click Edit on the SAML certificates section.
- For Signing Option, select Sign SAML response and assertion.
- Download the Federation Metadata XML.
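Before moving on to BeyondInsight, it is worth confirming that a test login actually produces the assertion layout the steps above ask for: a signed Response and a signed Assertion, a persistent NameID, and the Name and Groups claims present. The script below is an added example (not BeyondTrust or Microsoft code) that performs those structural checks on a SAML Response captured from a browser trace; the sample response embedded in it is constructed, the signature values are placeholders, and it only checks that signature elements are present rather than verifying them cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_CLAIMS = {"Name", "Groups"}       # from the claims table above
GROUP_LIMIT = 150                          # Entra ID group claim limit noted above

# Constructed sample response: not a real Entra ID token, signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text):
    """Return a list of findings; an empty list means the response matches the required layout.

    Only the structure is checked (signature elements present, NameID format, claims);
    cryptographic signature verification is left to the service provider.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]

    # 1. "Sign SAML response and assertion": both elements must carry a ds:Signature.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no saml:Assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")

    # 2. Unique Identifier (Name ID) must use the Persistent format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not persistent")

    # 3. Required claims must be present and non-empty.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in sorted(REQUIRED_CLAIMS):
        if not attrs.get(name):
            findings.append("required claim '%s' missing or empty" % name)

    # 4. Too many groups means the claim was not limited to groups assigned to the app.
    if len(attrs.get("Groups", [])) > GROUP_LIMIT:
        findings.append("more than %d groups; limit the claim to groups assigned to the application" % GROUP_LIMIT)
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "response matches the required layout")
```

Feed it the base64-decoded SAMLResponse from a test login; any finding it prints maps directly to one of the Entra ID settings in the steps above.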
Configure SAML Entra ID Provider
Note
To configure SAML in Azure GovCloud you must be assigned the Cloud Application Administrator role.
Once the app has been configured, follow these steps to add the provider in BeyondInsight:
- From the left sidebar, click Configuration.
- Under Authentication Management, click SAML Configuration.
- Click Create New SAML Identity Provider +.
- Paste the Identifier and Sign-On URL from the Entra ID app.
- Ensure Want SAML Response Signed and Want Assertion Signed match the Entra ID App selections.
- Select the Signature Method.
- Upload the certificate downloaded from the Entra ID app.
- Select Microsoft Entra ID for User Mapping.
- Click Create SAML Identity Provider.
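The Identifier, Sign-On URL and signing certificate pasted into BeyondInsight above are all contained in the Federation Metadata XML downloaded from the Entra ID app. The script below is an added example (not BeyondTrust or Microsoft code) that pulls those three values out of the metadata file and writes the certificate as PEM for upload; the embedded metadata is a constructed sample in the shape of Entra ID federation metadata, with a placeholder tenant ID and a placeholder certificate body.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: valid base64, but not a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample metadata with an all-zero tenant ID; real files carry the tenant's values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % SAMPLE_CERT_B64


def to_pem(cert_b64):
    """Wrap a bare base64 certificate body in PEM armour, validating the base64 first."""
    body = "".join(cert_b64.split())            # metadata may contain line breaks
    base64.b64decode(body, validate=True)       # raises binascii.Error on a corrupt body
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def idp_settings(metadata_xml):
    """Return the Identifier, Sign-On URL and signing certificate (PEM) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Sign-On URL: prefer the HTTP-Redirect binding, fall back to HTTP-POST.
    locations = {
        sso.get("Binding"): sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }
    sign_on_url = locations.get(REDIRECT) or locations.get(POST)
    if not sign_on_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService found")

    # Signing certificate: a KeyDescriptor with use="signing" (or no use attribute).
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert_el is not None and cert_el.text:
                break
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate found")

    return {
        "identifier": root.get("entityID"),
        "sign_on_url": sign_on_url,
        "certificate_pem": to_pem(cert_el.text),
    }


if __name__ == "__main__":
    settings = idp_settings(SAMPLE_METADATA)
    print("Identifier:  ", settings["identifier"])
    print("Sign-On URL: ", settings["sign_on_url"])
    with open("entra-signing-cert.pem", "w") as fh:
        fh.write(settings["certificate_pem"])
    print("certificate written to entra-signing-cert.pem")
```

Run it against the downloaded metadata file instead of the sample and compare the printed Identifier and Sign-On URL with what was pasted into the SAML Identity Provider form; the PEM file is the certificate to upload.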
Should you need any assistance, log into the Customer Portal to chat with Support.