Set up EPM for Windows and Mac on Pathfinder

Prerequisites

  • You must be an EPM WM Administrator in the EPM WM for Pathfinder application to modify user settings.

    Set up an Administrator in EPM-WM on Pathfinder
    1. As a Pathfinder admin, sign into app.beyondtrust.io.
      The BeyondTrust Home page displays.

    2. Click Menu icon > Endpoint Privilege Management for Windows and Mac > User Management.
      The User Management page displays.

    3. Create your Administrator.

1. Set up your IDP settings

  1. Create your group claims in your IDP

    If your organization is configured to authenticate with a SAML identity provider, user groups can be passed to Pathfinder. Pathfinder applications can retrieve user group information from the identity provider for use in the applications.

    For information on setting up the identity provider, see their respective documentation:

  2. Configure your default access rules in Pathfinder

    As an administrator, set up default access rules for your users. When logging on for the first time, users can immediately access the site and application needed for their work function.
    Default access must be configured before setting up an IdP.

    Important: Default access rules apply to all IdPs configured in your organization.

    To configure default access rules:

    1. Sign into app.beyondtrust.io.
      The BeyondTrust Home page displays.
    2. At the top right of the page, click your site name to display a drop-down menu.
    3. Select Administration.
      The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
    4. Go to Administration > Identity & Authentication Providers.
    5. Expand the default access rules.
    6. Select a role from the list: Standard User or Administrator.
      Standard users cannot access administration features.
    7. Select one or more sites and, within each site, the applications your users must access.
    8. Click Save Changes.
  3. Add your IdP to Pathfinder.

    An identity provider must be created in BeyondTrust Pathfinder before it can be registered.

    1. Sign into app.beyondtrust.io.
      The BeyondTrust Home page displays.
    2. At the top right of the page, click your site name to display a drop-down menu.
    3. Select Administration.
      The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
    4. Provide the following information in the Add Identity Provider panel:
      • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., Microsoft Entra ID).
      • Binding Type: Select Post from the dropdown.
      • Domain Name: Your organization’s email domain (e.g., example.com).
        The Domain Name field is an important part of the SAML authentication process. When a user logs on, the domain specified by the user is validated against the value in this field. If the domains align, the SAML authentication process is initiated. If they do not match, local authentication takes place, bypassing SAML.
      • Service Provider Entity ID: Pathfinder's URL (app.beyondtrust.io).

    Note: Ensure that the Service Provider Entity ID matches the Identifier (Entity ID) configured in your Azure application.

  1. In your IDP, provide your Pathfinder credentials. Follow your IDP-specific procedure:

  2. In Pathfinder, update the SSO URL.

    The application now generates a unique single sign-on URL to use with Microsoft Azure. To provide this URL to Microsoft Azure, follow the steps below:

    1. In the Identity & Authentication Providers dashboard, click Actions to the right of your newly configured identity provider and select Edit Provider.

    2. Copy the SAML Single Sign-On URL.

      Note: The SAML Single Sign-On URL field displays only after the initial save of the identity provider. Its value is an auto-generated URL that is used as the Redirect URL or Reply URL for your SAML application.

    3. In your Azure app configuration (in Azure, search for Enterprise applications, and click your new BeyondTrust app), select Edit under Basic SAML Configuration.

      Reply URL: Remove your placeholder single sign-on URL value, and paste the value generated by BeyondTrust Pathfinder.

    4. Click Save.

Your Pathfinder IdP setup is complete.
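
The three values this section asks you to line up (Service Provider Entity ID, Reply URL, group claims) can be checked against a SAMLResponse captured from a test sign-in. The following is an added example, not BeyondTrust code; the function name, the reply URL placeholder, the `groups` attribute name, and the sample response are all constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned); the URL and group name are placeholders.
SAMPLE_XML = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sso.example.invalid/acs">
 <a:Assertion>
  <a:Subject><a:SubjectConfirmation><a:SubjectConfirmationData
    Recipient="https://sso.example.invalid/acs"/></a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>app.beyondtrust.io</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="groups">
   <a:AttributeValue>epm-admins</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

def check_saml_response(b64_response, entity_id, reply_url, group_attr):
    """Return a list of mismatches between a base64 SAMLResponse (POST binding)
    and the values configured for the provider. Diagnostic only: the XML
    signature is not verified, so parse only responses you captured yourself."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    # Audience must equal the Service Provider Entity ID (exact string match).
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append(f"audience {audiences} != entity id {entity_id!r}")

    # Destination and Recipient must equal the Reply URL copied from Pathfinder.
    targets = [root.get("Destination")]
    targets += [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    for target in targets:
        if target != reply_url:
            problems.append(f"reply url mismatch: {target!r}")

    # Group claims reach the application only if the attribute carries values.
    groups = [v.text for attr in root.iterfind(".//a:Attribute", NS)
              if attr.get("Name") == group_attr
              for v in attr.iterfind("a:AttributeValue", NS) if v.text]
    if not groups:
        problems.append(f"no values for group attribute {group_attr!r}")
    return problems
```

An empty list means the response agrees with the configured values; a leftover placeholder Reply URL shows up as one mismatch for Destination and one for Recipient.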

2. Invite users

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.

  2. At the top right of the page, click your site name to display a drop-down menu.

  3. Select Administration.
    The BeyondTrust Platform Administration page displays.

  4. From the top left of the page, click Menu button > Administration > User Management.
    The Organization Users page displays.

  5. Click Invite User.
    The Invite User page displays.

  6. In the User Details section, enter an Email Address, First Name, and Last Name. All fields are required.

  7. In the User Permissions section, for Organization Role, select either Standard User or Administrator.

  8. For Site Access, select the sites and at least one application to grant user access to.

  9. Click Invite User.
    The user receives an email with a link to create a new password and can then access the selected site(s) and application(s).

3. Optionally, create local Pathfinder users.

Use this method if you are not provisioning users through your SAML IDP.

You must be an administrator to access user management features.

  1. Sign into app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. At the top right of the page, click your site name to display a drop-down menu.
  3. Select Administration.
    The BeyondTrust Platform Administration page displays.
  4. From the top left of the page, click Menu button > Administration > User Management.
    The Organization Users page displays.
  5. Click Invite User.
    The Invite User page displays.
  6. In the User Permissions section, for Organization Role, select either Standard User or Administrator.
  7. For Site Access, select the sites and at least one application to grant user access to.
  8. Optionally, select specific sites and associated applications for the user to access.
  9. Click Invite User.
    The user receives an email with a link to create a new password and can then access the selected site(s) and application(s).
