SAML single sign-on for Password Safe with Microsoft Entra ID

Configure single sign-on (SSO) between BeyondTrust Password Safe and Microsoft Entra ID using SAML. With SSO, you sign in once to access Password Safe without entering separate credentials.

Configure provisioning and authentication

To import SAML accounts from Entra ID, first configure Directory Credentials.

To prepare Password Safe for group synchronization and SAML sign-in, complete the following steps:

  1. Create or identify a service account for your Entra ID environment.
  2. Create an app registration for the Password Safe application.
  3. Record the Application (client) ID and Directory (tenant) ID. You use these values later in Password Safe.
  4. In Certificates & secrets, create a client secret and save the secret Value; Entra ID shows it only once.
  5. Add the required API permissions to the app registration.
  6. In Password Safe, store the client ID, tenant ID, and client secret in a Directory Credential object.
  7. Test the directory credentials, then create an Entra ID group in User Management.
  8. Use the directory credential to browse for and import the required Entra ID groups.

Once the groups are imported, group membership in Entra ID drives access in Password Safe:

  • When you add a user to an imported Entra ID group, Password Safe creates an account with the permissions assigned to that provisioning group.
  • When you remove a user from the group in Entra ID, Password Safe removes the user from the corresponding Password Safe group after the next scheduled or manual synchronization.
  • The user account remains in Password Safe, but the removed user can no longer sign in or start a Password Safe session.
Note: Group memberships are also synchronized each time the user signs in. If a user is removed from all groups, they can no longer sign in to Password Safe.

Overview

You can set up SSO in one of two ways:

  • Path 1: Create and manage a dedicated non-gallery enterprise application in Entra ID.
  • Path 2: Use the prebuilt BeyondTrust SAML app from the Microsoft Entra App Gallery.
Note: Choose one path and complete it fully. Both paths then continue with the Common Entra ID configuration section below.

Path 1: Configure a custom enterprise application for Password Safe

Prerequisites

Before you begin, make sure you have the following:

  • Permissions to create enterprise applications, app registrations, and client secrets in Entra ID.
  • A Password Safe administrator account.

Create a non-gallery enterprise application

  1. In Enterprise applications, create a new application and select Create your own application.
  2. Enter a name for the application, then select the Non-gallery option.
  3. After you create the application, open Properties and optionally assign a logo.
  4. Continue with Common Entra ID configuration below, which covers the basic SAML settings. The entity IDs are specific to each BeyondTrust product instance, so do not reuse values from another product.

Path 2: Use the BeyondTrust SAML App from the Entra App Gallery

Add and configure the gallery app

  1. Find the BeyondTrust SAML app in the Microsoft Entra App Gallery.
  2. Rename the app to something descriptive, such as BeyondTrust SAML – Password Safe.
Note: A single app instance can serve multiple BeyondTrust products, but for Password Safe it is best to create a separate app instance.

  3. Click Create.
  4. When Entra ID creates the app, review the app details page.
  5. Under Getting Started, select Set up single sign-on, then continue with Common Entra ID configuration below.

Common Entra ID configuration

  1. Configure the basic SAML settings so they match your Password Safe instance. The entity IDs are specific to each BeyondTrust product instance.

  2. Set the Unique Identifier (Name ID) format to Persistent.

  3. In Attributes & Claims, select Edit and configure the group claim:

    • Choose Add a group claim.
    • Select Groups assigned to the application.
    • Leave Source attribute set to the default value, Group ID.
    • Select Customize the name of the group claim and enter Groups as the claim name.
    • Click Save.
  4. Verify that each claim matches the values in the following table:

  Claim name             Value (source attribute)
  FirstName (Optional)   user.givenname
  LastName (Optional)    user.surname
  Name (Required)        user.userprincipalname
  Email (Optional)       user.mail
  Groups (Required)      user.group

Important: Configure the group claim to include only groups you assign to the application. This avoids the group overage case: when a user belongs to more than 150 groups, Entra ID omits the group claim from the SAML token and emits a groups.link reference instead, so Password Safe receives no Groups claim and the sign-in fails.

  5. In SAML Certificates, select Edit.
  6. For Signing Option, select Sign SAML response and assertion.
  7. Download the Federation Metadata XML file. It carries the Entra ID entity ID, the sign-on endpoint, and the signing certificate that you enter into BeyondInsight.
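The Federation Metadata XML from the previous step contains every value the BeyondInsight SAML form asks for, and copying them by hand from the XML is where most mistakes happen. The following script is an added example, not BeyondTrust's or Microsoft's code: it pulls the entityID (the Identifier), the SingleSignOnService location (the Sign-On URL), and the signing certificate out of the metadata, and warns if a signing certificate or an https endpoint is missing. The embedded metadata is a constructed sample in the shape Entra ID exports; the tenant ID and certificate body are placeholders.

```python
"""Pull the values BeyondInsight's SAML Identity Provider form asks for
(Identifier, Sign-On URL, signing certificate) out of the Federation
Metadata XML exported from the Entra ID application. Standard library only."""
import textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return identifier, sign-on URL, signing certificates and any warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor; this looks like SP metadata, not IdP metadata")

    endpoints = {svc.get("Binding"): svc.get("Location")
                 for svc in idp.findall(MD + "SingleSignOnService")}
    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            certs.append("".join((cert.text or "").split()))  # strip line breaks from the base64

    warnings = []
    sign_on_url = endpoints.get(HTTP_REDIRECT) or endpoints.get(HTTP_POST)
    if not sign_on_url:
        warnings.append("no SingleSignOnService endpoint with a Redirect or POST binding")
    elif not sign_on_url.startswith("https://"):
        warnings.append("Sign-On URL is not https")
    if not certs:
        warnings.append("no signing certificate: BeyondInsight cannot verify signed responses")
    return {"identifier": root.get("entityID"), "sign_on_url": sign_on_url,
            "signing_certs": certs, "warnings": warnings}


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 certificate as PEM, the form most upload dialogs accept."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample in the shape Entra ID exports. The tenant ID and the
# certificate body are placeholders, not real values.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          Q09OU1RSVUNU
          RURQTEFDRUhPTERFUg==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Identifier :", info["identifier"])
    print("Sign-On URL:", info["sign_on_url"])
    print(to_pem(info["signing_certs"][0]))
    print("Warnings   :", info["warnings"] or "none")
```

Run it against the real file with `parse_idp_metadata(open("FederationMetadata.xml").read())`; the Identifier and Sign-On URL map directly onto the BeyondInsight fields of the same name, and `to_pem` gives you the certificate in a form you can save and upload. Note that Azure GovCloud tenants use different host names, so do not hard-code the commercial `login.microsoftonline.com` value anywhere; always take it from the metadata.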

Configure BeyondInsight

Important: For Azure GovCloud, you must have the Cloud Application Administrator role to configure SAML.

After you configure the Entra ID application (by either path), complete these steps in BeyondInsight:

  1. In the left navigation, select Configuration.
  2. Under Authentication Management, select SAML Configuration.
  3. Select Create New SAML Identity Provider +.
  4. Paste the Identifier and Sign-On URL from the Entra ID application (its single sign-on page labels them Microsoft Entra Identifier and Login URL).
  5. Make sure Want SAML Response Signed and Want Assertion Signed are both enabled, matching the Sign SAML response and assertion setting in the Entra ID application.
  6. Select the required Signature Method.
  7. Upload the Entra ID signing certificate contained in the Federation Metadata XML file you downloaded from the Entra ID application.
  8. Set User Mapping to Microsoft Entra ID.
  9. Click Create SAML Identity Provider.
Important: You cannot save the SAML configuration with User Mapping set to Entra ID until you add the required Entra ID groups to BeyondInsight. Add the required Entra ID groups first, then return to the SAML configuration and save it again.

Test the SSO

Use a test user account to verify that SSO is working correctly. The test user must be assigned to the Entra ID application and be a member of at least one of the Entra ID groups you imported into Password Safe; otherwise the SAML token carries no usable Groups claim and the sign-in fails.

  1. Sign in as the test user and open Enterprise applications.
  2. Select Test sign in to open Password Safe in a new browser tab and send the SAML assertion.
  3. Confirm that Password Safe successfully authenticates the test user and that the expected group-based permissions are applied.

Configuration is complete when provisioning and SSO both work between Entra ID and Password Safe.
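When the test sign-in fails, the fastest way to localize the problem is to look at the SAML Response the browser actually posted (the base64 `SAMLResponse` form field, visible in the browser's developer tools) and compare it with the settings this page requires. The following script is an added example, not BeyondTrust's or Microsoft's code: it checks that the Response and the Assertion both carry a Signature element (the Sign SAML response and assertion setting), that the NameID format is persistent, that the Issuer and Audience match the configured Identifier and this Password Safe instance, that the required Name and Groups claims from the claims table are present, and that no group-overage indicator is present. It checks structure only and does not validate the XML signatures; that is BeyondInsight's job. The two embedded responses are constructed samples, not captured traffic; the tenant, audience, group IDs and Signature bodies are placeholders, and the claim names assume the unqualified names shown in the table above.

```python
"""Inspect a SAML Response from Entra ID and check it against the settings
this page calls for. Structural checks only: no signature validation."""
import base64
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
OVERAGE = "http://schemas.microsoft.com/claims/groups.link"  # sent instead of groups when >150
REQUIRED_CLAIMS = ("Name", "Groups")   # claim names from the table above


def check_saml_response(xml_text: str, expected_issuer: str, expected_audience: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        raise ValueError("not a samlp:Response")
    findings = []
    result = {"response_signed": root.find(DS + "Signature") is not None,
              "assertion_signed": False, "name_id_format": None,
              "attributes": {}, "findings": findings, "ok": False}
    if not result["response_signed"]:
        findings.append("Response is not signed; Entra must use 'Sign SAML response and assertion'")
    if root.find(SAML + "EncryptedAssertion") is not None:
        findings.append("Assertion is encrypted; decrypt it before inspecting claims")
        return result
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        findings.append("Response carries no Assertion")
        return result
    result["assertion_signed"] = assertion.find(DS + "Signature") is not None
    if not result["assertion_signed"]:
        findings.append("Assertion is not signed; Entra must use 'Sign SAML response and assertion'")
    issuer = (assertion.findtext(SAML + "Issuer") or "").strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match the Identifier configured in BeyondInsight")
    audience = assertion.findtext(f"{SAML}Conditions/{SAML}AudienceRestriction/{SAML}Audience")
    if (audience or "").strip() != expected_audience:
        findings.append(f"Audience {audience!r} does not match this Password Safe instance")
    name_id = assertion.find(f"{SAML}Subject/{SAML}NameID")
    result["name_id_format"] = name_id.get("Format") if name_id is not None else None
    if result["name_id_format"] != PERSISTENT:
        findings.append("NameID format is not persistent; set Unique Identifier (Name ID) to Persistent")
    for attr in assertion.iter(SAML + "Attribute"):
        name = attr.get("Name", "")
        result["attributes"][name] = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        if name == OVERAGE:
            findings.append("group overage indicator present, Groups claim was dropped; "
                            "restrict the group claim to groups assigned to the application")
    for claim in REQUIRED_CLAIMS:
        if not result["attributes"].get(claim):
            findings.append(f"required claim {claim!r} is missing or empty")
    result["ok"] = not findings
    return result


def check_posted_response(form_value: str, expected_issuer: str, expected_audience: str) -> dict:
    """Decode the base64 SAMLResponse field of the HTTP-POST binding, then check it."""
    return check_saml_response(base64.b64decode(form_value).decode("utf-8"),
                               expected_issuer, expected_audience)


# Constructed sample responses (not captured traffic); tenant, audience and
# group IDs are placeholders and the Signature elements are stand-ins only.
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://sts.windows.net/{TENANT}/"
AUDIENCE = "https://passwordsafe.example.com/"
_SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')


def build_sample(name_id_format: str, sign_assertion: bool, overage: bool) -> str:
    groups = ('<Attribute Name="Groups"><AttributeValue>11111111-1111-1111-1111-111111111111'
              '</AttributeValue><AttributeValue>22222222-2222-2222-2222-222222222222'
              '</AttributeValue></Attribute>')
    if overage:   # what Entra emits instead of the group list when the user exceeds 150 groups
        groups = (f'<Attribute Name="{OVERAGE}"><AttributeValue>https://graph.microsoft.com/v1.0/'
                  f'users/{TENANT}/getMemberObjects</AttributeValue></Attribute>')
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <Issuer>{ISSUER}</Issuer>{_SIG}
  <Assertion ID="_a1" Version="2.0"><Issuer>{ISSUER}</Issuer>{_SIG if sign_assertion else ''}
    <Subject><NameID Format="{name_id_format}">opaque-subject-id</NameID></Subject>
    <Conditions><AudienceRestriction><Audience>{AUDIENCE}</Audience></AudienceRestriction></Conditions>
    <AttributeStatement>
      <Attribute Name="Name"><AttributeValue>alice@example.com</AttributeValue></Attribute>
      <Attribute Name="Email"><AttributeValue>alice@example.com</AttributeValue></Attribute>
      {groups}
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


GOOD = build_sample(PERSISTENT, sign_assertion=True, overage=False)
BAD = build_sample("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", False, True)
POSTED_GOOD = base64.b64encode(GOOD.encode()).decode()   # as the browser would POST it

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad", BAD)):
        r = check_saml_response(xml, ISSUER, AUDIENCE)
        print(label, "OK" if r["ok"] else "FAIL", *r["findings"], sep="\n  ")
```

Feed a real posted value with `check_posted_response(saml_response_field, identifier, password_safe_entity_id)`, using the Identifier you entered in BeyondInsight and the entity ID of your Password Safe instance. The `BAD` sample deliberately combines the three misconfigurations this page warns about (email-format NameID, unsigned assertion, group overage) so you can see what each one looks like in the findings list.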


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.