Identity providers

BeyondTrust Pathfinder supports connecting to your third-party single sign-on applications. Configuring an identity provider gives members of your organization secure, authorized access to BeyondTrust applications and lets you centrally manage accounts, passwords, and identity verification in a manner familiar to both your users and your security team.

BeyondTrust Pathfinder currently supports the following identity providers using SAML:

  • Microsoft Entra ID
  • Okta
  • PingOne

Note: You must have your identity provider dashboard and BeyondTrust Pathfinder open simultaneously to complete setup.

JIT default access

As an administrator, set up Just-in-time (JIT) default access rules for your users so that, when they log on for the first time, they can immediately access the site or application needed for their work function.

Just-in-time (JIT) default access must be configured before setting up an IdP.

Important: JIT default access applies to all IdPs configured in the organization.

To configure JIT default access:

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. At the top right of the page, click your site name to display a drop-down menu.
  3. Select Administration.
    The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
  4. Go to Administration > Identity & Authentication Providers.
  5. Expand the default access rules.
  6. Check the box for the access to provide to users.
  7. Click Save Changes.

Microsoft Entra ID

Create application in Microsoft Entra ID

To begin adding Microsoft Entra ID as an identity provider, you must create a new application in Microsoft Azure.

  1. Open Azure and ensure you are logged in as an administrator.
  2. Use the search box to search for Microsoft Entra ID and select it from the results.
  3. Select Enterprise applications from the main menu or search.
  4. Select New application, then Create your own application.
  5. In the Create your own application panel, provide a human-readable name (e.g., Identity Security Insights), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  6. You are redirected to the overview page for your new application. From this page, select Set up single sign-on under Manage.
  7. Choose SAML and then Basic SAML Configuration:
    1. Click Edit and configure:
      • Identifier (Entity ID): The URL of your Insights app (example: app.beyondtrust.io).
      • Reply URL: A temporary placeholder URL to complete the app creation. This value will be replaced with a URL generated by BeyondTrust Pathfinder in a later step.
  8. Click Save.

Add identity provider

To register an identity provider, it must be created in BeyondTrust Pathfinder.

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. At the top right of the page, click your site name to display a drop-down menu.
  3. Select Administration.
    The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
  4. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., Microsoft Entra ID).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: The URL of your BeyondTrust app (e.g., example.io).

Note: Ensure that the Service Provider Entity ID matches the Identifier (Entity ID) configured in your Azure application.

Provide Microsoft credentials

Once you create your Microsoft Azure application, Microsoft Azure generates several values required to complete setup.

  1. Within the dashboard, open your app configuration from Step 2, if it is not already open (search for Enterprise applications, and click your new app).
  2. Click Single sign-on for your new Insights app.
  3. Under SAML Certificates, click Download beside Federation Metadata XML.
  4. Open the XML file and provide the following values to the Add New Authentication Provider panel (opened in Step 1):
    • Copy the entityID from the top line of the document, and paste the value into the Identity Provider Entity ID field.
    • Copy the Base64-encoded certificate between the X509Certificate tags of the document, and paste the certificate into the tab labeled Certificate 1.
    • Close the XML document.
  5. In your Azure app configuration, under Set up for your application, copy the Login URL. On the Add Identity Provider panel, paste the Login URL value into the field labeled Identity Provider Sign-On URL.
  6. On the Add Identity Provider panel, click Add Identity Provider.
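As an added example (not BeyondTrust's code), the following Python pulls the three values above out of the downloaded Federation Metadata XML so that nothing is copied by hand. It assumes the file follows the standard SAML 2.0 metadata schema; the embedded sample is constructed (all-zero tenant ID, placeholder certificate body) and comes from no real tenant. The sign-on location it returns should match the Login URL shown under Set up in Azure, which makes it a useful cross-check.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (all-zero tenant ID, placeholder certificate body): it has
# the shape of Entra ID federation metadata but comes from no real tenant.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIBsampleCertificateBodyAAA
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_idp_values(metadata_xml: str) -> dict:
    """Return the three values the Add New Authentication Provider panel asks for."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata root has no entityID attribute")
    # Binding Type in Pathfinder is Post, so take only the HTTP-POST endpoint.
    sso = root.find(
        f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{POST_BINDING}']", NS)
    if sso is None:
        raise ValueError("no SingleSignOnService with HTTP-POST binding")
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no signing certificate in metadata")
    cert_b64 = "".join(cert.text.split())  # strip line breaks and indentation
    base64.b64decode(cert_b64, validate=True)  # a truncated or mangled copy fails here
    return {"Identity Provider Entity ID": entity_id,
            "Identity Provider Sign-On URL": sso.get("Location"),
            "Certificate 1": cert_b64}
```

The returned keys are named after the panel fields, so the dictionary maps one-to-one onto what you paste into BeyondTrust Pathfinder.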

Update Azure single sign-on URL

The application now generates a unique single sign-on URL to use with Microsoft Azure. To provide this URL to Microsoft Azure, follow the steps below:

  1. In the Identity & Authentication Providers dashboard, click Actions to the right of your newly configured identity provider and select Edit Provider.

  2. Copy the SAML Single Sign-On URL.

  3. In your Azure app configuration (in Azure, search for Enterprise applications, and click your new BeyondTrust app), select Edit under Basic SAML Configuration.

    Reply URL: Remove your placeholder single sign-on URL value, and paste the value generated by BeyondTrust Pathfinder.

  4. Click Save.

Okta

Create application in Okta

To begin adding Okta as an identity provider, you must create a new application for your BeyondTrust app in Okta.

  1. Open your Okta tenant dashboard and ensure you are logged in as an administrator.
  2. Navigate to Applications > Applications and click Create App Integration.
  3. Select SAML 2.0 and click Next.
  4. Enter a human-readable app name, such as Identity Security Insights, and then click Next.
  5. In the Configure SAML step, provide the following information:
    • Single sign-on URL: A temporary placeholder URL to complete the app creation. This value will be replaced with a URL generated by BeyondTrust Pathfinder in a later step.
    • Audience URI: app.beyondtrust.io
    • Name ID Format: Select EmailAddress.
    • Application Username: Select Okta username.
  6. Click Next when complete.
  7. Select your customer type on the Feedback screen, and then click Finish.

Add identity provider in BeyondTrust Pathfinder

To register an identity provider, it must be created in BeyondTrust Pathfinder.

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. At the top right of the page, click your site name to display a drop-down menu.
  3. Select Administration.
    The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
  4. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., Okta).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: Should be configured as app.beyondtrust.io.

Note: Ensure that the Service Provider Entity ID matches the Audience URI configured in your Okta application, which in this case is app.beyondtrust.io.

Provide Okta credentials

Once your Okta application is created, Okta generates several values required to complete setup.

  1. Within your Okta dashboard, navigate to Applications > Applications and select your new Insights app from the list.

  2. In the Sign On tab, click View SAML setup instructions on the right side.

  3. Okta displays a list of items required to finish configuration. The following items must be copied from the Okta dashboard and pasted into the BeyondTrust Pathfinder Add New Authentication Provider panel (opened in Step 1):

    • Paste the Okta Identity Provider Single Sign-On URL into the BeyondTrust Pathfinder Identity Provider Sign-On URL field.
    • Paste the Okta Identity Provider Issuer value into the BeyondTrust Pathfinder Identity Provider Entity ID field.
    • Within Okta, copy the certificate encoding between the text BEGIN CERTIFICATE and END CERTIFICATE, and paste the certificate into the BeyondTrust Pathfinder tab labeled Certificate 1.
  4. Within the BeyondTrust Pathfinder Add New Authentication Provider panel, click Save Settings.

Update Okta single sign-on URL

BeyondTrust Pathfinder now generates a unique single sign-on URL to use with Okta. To provide this URL to Okta, follow the steps below:

  1. Within the Identity & Authentication Providers page in the BeyondTrust Pathfinder dashboard, click Actions to the right of your newly configured identity provider and select Edit.

    Copy the SAML Single Sign-On URL.

  2. In your Okta dashboard, navigate to Applications > Applications and select your newly configured BeyondTrust app.

    • Under General > SAML Settings, click Edit.
    • In the General Settings tab, click Next.
    • In the Configure SAML tab, remove your placeholder single sign-on URL value, and paste the value generated by BeyondTrust Pathfinder.
  3. Click Next, and then click Finish to save your changes.

PingOne

Create application in PingOne

To begin adding PingOne as an identity provider, you must create a new application for BeyondTrust Pathfinder within PingOne.

  1. Open your PingOne console and ensure you are logged in as an administrator.
  2. Select the environment you would like to configure BeyondTrust Pathfinder for, and then navigate to Connections > Applications.
  3. Click the plus sign beside Applications to create a new application.
  4. In the Add Application panel, provide a human-readable name (e.g., Identity Security Insights), a useful description, and click Configure.
  5. In the following SAML Configuration page, under Provide Application Metadata, select Manually Enter and provide the following information:
    • ACS URLs: A temporary placeholder URL to complete the app creation. This value will be replaced with a URL generated by BeyondTrust Pathfinder in a later step.
    • Entity ID: A unique identifier for your IdP (e.g., ping).
  6. Click Save.

Add identity provider in BeyondTrust Pathfinder

To register an identity provider for use with BeyondTrust Pathfinder, it must be created in BeyondTrust Pathfinder.

  1. Sign in to app.beyondtrust.io.
    The BeyondTrust Home page displays.
  2. At the top right of the page, click your site name to display a drop-down menu.
  3. Select Administration.
    The BeyondTrust Pathfinder Administration page opens and displays each available site as a tile.
  4. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., PingOne).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: The unique Entity ID assigned in the previous step.

Note: Ensure that the Service Provider Entity ID matches the Entity ID configured in your Ping application.

Provide PingOne credentials

Once your PingOne application is created, PingOne generates several values required to complete setup.

  1. Within the PingOne dashboard, open your app configuration from Step 2 if it is not already open (navigate to Connections > Applications and click your new BeyondTrust app), and then click the Overview tab.
  2. Copy the Single Signon Service URL. Within the BeyondTrust Pathfinder Add New Authentication Provider panel, paste the Single Signon Service URL value into the field labeled Identity Provider Sign-On URL.
  3. Copy the Issuer ID. Within the BeyondTrust Pathfinder Add New Authentication Provider panel, paste the Issuer ID value into the field labeled Identity Provider Entity ID.
  4. Click Download Signing Certificate and open the certificate file in a program such as Notepad++.
  5. Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste the value into the field labeled Certificate 1.
  6. Within the BeyondTrust Pathfinder Add New Authentication Provider panel, click Save Settings.

Update PingOne configuration

Update the ACS URL

BeyondTrust Pathfinder now generates a unique single sign-on URL to use with PingOne. To provide this URL to PingOne, follow the steps below:

  1. Within the Identity & Authentication Providers dashboard in BeyondTrust Pathfinder, click Actions to the right of your newly configured identity provider and select Edit.
  2. Copy the SAML Single Sign-On URL.
  3. In your PingOne application (in PingOne, navigate to Connections > Applications and click your new BeyondTrust app), select Configuration.
  4. Click the pencil in the top right of the configuration menu and edit the following values:
    • ACS URL: Remove the placeholder value, and paste the SAML Single Sign-On URL generated by BeyondTrust Pathfinder.
  5. Click Save.

Update mapped attributes

  1. Click on Attribute Mappings.
  2. Click the pencil in the top right of the configuration menu and edit the following values:
    • saml_subject: Ensure this is set to Username.
    • userName: Ensure this is set to Username.
  3. Click Save.

Invite organization users

Once your identity provider is configured in BeyondTrust Pathfinder, invite users on the User Management page.

Note: For more information, see the Manage users guide.

©2003-2025 BeyondTrust Corporation. All Rights Reserved.