Pathfinder 26.2

Pathfinder now supports SCIM 2.0, so your identity provider can automatically manage users and groups across your BeyondTrust environment. When you add, update, deactivate, or change group membership in Okta, Microsoft Entra ID, SailPoint, or another SCIM-compatible provider, those changes flow through to Password Safe and Endpoint Privilege Management automatically; no manual syncing required.

Event routing supports multi-region and multi-tenant deployments. New tenant subscriptions are provisioned automatically at onboarding time.

ℹ️

For more information, see SCIM provisioning.

External services can now authenticate into Pathfinder without managing Pathfinder-specific credentials. Services present an OIDC access token from a trusted issuer which Pathfinder exchanges for an internal token at the edge. All downstream services are configured against a single consistent issuer. Existing personal access token (PAT) and internal JWT authentication flows are unaffected.

Trusted issuers include SailPoint, Okta, Microsoft Entra, and GitHub Actions.

Directory authentication allows Pathfinder users to sign in with credentials managed in an external directory service, such as Active Directory or another LDAP-compatible directory, instead of local Pathfinder accounts or SAML-based SSO.

Pathfinder does not connect to a directory service directly. Instead, it routes authentication requests through a BeyondTrust product already integrated with your directory: Password Safe, Privileged Remote Access, or Secure Remote Access. Pathfinder uses that product's connection, referred to as a proxy site, to authenticate users.

ℹ️

For more information, see Directory authentication.

Pathfinder now stores user PII (first name, last name, and email address) in the region where your organization is deployed, across all platform-supported deployment regions. This supports data residency requirements for customers in regulated regions.