Documentation

Import metadata to configure IdP

Suggest Edits

Use the import metadata feature to import metadata directly from your IdP (via an exported file), streamlining the setup process and reducing the potential for errors.

🚧

Important information

  • Creating the initial setup without adding a domain (domainless IdP) provides a way to test the configuration using a local account. After successful testing, add the domain to the Pathfinder IdP configuration page to enforce SAML authentication with your organization's email domain.
  • Local login provides a way to test and troubleshoot configuration when there is a domainless IdP.
  • Local login is not available if there is more than one domainless IdP. A lockout might occur when testing in this scenario.

Microsoft Entra ID

Log on to Pathfinder and Microsoft Entra ID. Work through the configuration with the applications open side-by-side.

  1. Create an application in Entra ID.

    1. Enter a name for the app and use the default settings.
    2. Entra ID displays Getting Started steps.
    3. Assign users and groups. This configuration is different for every customer.
    4. Go to Single Sign on and select SAML.
    5. For now, enter ACS URL as https://placeholder.com and Entity ID as https://placeholder.com (these are temporary; you’ll update these settings later).
    6. Click the Federation Metadata XML link to download the file.

  2. Create an IdP for Entra ID in Pathfinder.

    1. Select Administration.
      The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
    2. Go to Administration > Identity & Authentication Providers.
    3. Click Add Identity Provider.
    4. Add a name for the provider.
    5. Click the box to upload the metadata file downloaded from Entra ID. This imports the configuration needed to set up Entra ID as your IdP. By default, the import tool sets the ACS URL and Service Provider Entity ID to the same value when you import.
    1. Click Add Identity Provider.
      The SAML Configuration dialog box displays.
    2. Click Copy to Clipboard.

  1. Go back to Entra ID.

    1. Replace the placeholder values for ACS URL and Entity ID. Completing this step establishes the link between the Service Provider and the IdP for SAML.

  2. Test and finalize configuration.

    1. In Pathfinder, edit the Identity provider settings, leave the Domain Name box blank to test without email service domain binding.
    2. Log on to Pathfinder via Entra ID. Pathfinder detects a domainless IdP.
    3. Select Entra ID and click Next.
    4. After successful login, update the domain setting in Pathfinder to the actual email domain.
    5. Click Save Changes.
    6. Log on again after adding the domain name to ensure you can successfully log on to Pathfinder via Entra ID.

Okta

Log on to Pathfinder and Okta. Work through the configuration with the applications open side-by-side.

  1. Create a SAML application in Okta.

    1. In the Admin Console, select Applications > Create App Integration.
    2. Select SAML 2.0.
    3. Configure general settings.
    4. For now, enter ACS URL as https://placeholder.com and Entity ID as https://placeholder.com (these are temporary; you’ll update these settings later).
    5. Select EmailAddress as the Name ID format.
    6. Expand Advanced Settings.
    7. Set Honor Force Authentication to Yes.
    8. For App type, select This is an internal app that we have created.
    9. Click Finish.
    10. Click View SAML setup instructions.
    11. Scroll to the IDP metadata and save the text as an XML file.

  2. Create an IdP for Okta in Pathfinder.

    1. Select Administration.
      The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
    2. Go to Administration > Identity & Authentication Providers.
    3. Click Add Identity Provider.
    4. Add a name for the provider.
    5. Click the box to upload the metadata file downloaded from Okta. This imports the configuration needed to set up Okta as your IdP.
    6. Click Add Identity Provider.
      The SAML Configuration dialog box displays.
    7. Click Copy to Clipboard.

  3. Go back to Okta SAML config.

    1. Go to SAML Settings and click Edit.
    2. Click Configure SAML.
    3. Replace the placeholder values for ACS URL and Entity ID. Completing this step establishes the link between the Service Provider and the IdP for SAML. Copy the metadata from Pathfinder to the Single sign-on URL and the Audience URI (Entity ID) fields.

  4. Test and finalize configuration.

    1. In the Identity provider settings, leave the Domain Name box blank to test without email service domain binding.
    2. Log on to Pathfinder via Okta. Pathfinder detects a domainless IdP.
    3. Select Okta and click Next.
    1. After successful login, update the domain setting in Pathfinder to the actual email domain.
    2. Click Save Changes.
    3. Log on again after adding the domain name to ensure you can successfully log on to Pathfinder via Okta.

PingOne

Log on to Pathfinder and PingOne. Work through the configuration with the applications open side-by-side.

  1. Create a SAML application in PingOne.

    1. Log in to your PingOne Admin Console as administrator.
    2. Navigate to Applications > Applications, then click + Add Application and select SAML application.
    3. Select Manually enter SAML configuration.
    4. For now, enter ACS URL as https://placeholder.com and Entity ID as https://placeholder.com (these are temporary; you’ll update these settings later).
    5. Click Save, then toggle the application to enabled.
    6. Download the metadata file. This file contains the temporary ACS URL and Entity ID values.

  2. Create an IdP for PingOne in Pathfinder.

    1. Select Administration.
      The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
    2. Go to Administration > Identity & Authentication Providers.
    3. Click Add Identity Provider.
    4. Add a name for the provider.
    5. Click the box to upload the metadata file downloaded from PingOne. This imports the configuration needed to set up Ping as your IdP. By default, the import tool sets the ACS URL and Service Provider Entity ID to the same value when you import.
    1. Click Add Identity Provider.
      The SAML Configuration dialog box displays.
    1. Click Copy to Clipboard.

  3. Go back to PingOne.

    1. Replace the placeholder values for ACS URL and Entity ID. Completing this step establishes the link between the Service Provider and the IdP for SAML.
    2. Set attribute mapping:
      1. saml_subject maps to Username
      2. username maps to Username
    3. Save mappings and finish setup.

  4. Test and finalize configuration.

    1. In the Identity provider settings, leave the Domain Name box blank to test without email service domain binding.
    1. Log on to Pathfinder via PingOne. Pathfinder detects a domainless IdP.
    2. Select PingOne and click Next.
    1. After successful login, update the domain setting in Pathfinder to the actual email domain.
    2. Click Save Changes.
    3. Log on again after adding the domain name to ensure you can successfully log on to Pathfinder via PingOne.

Updated 11 days ago

Β©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.