
Authentication provider settings

EPM supports OpenID Connect authentication. You can change your authentication provider from the default AzureB2B to OpenID Connect, or update your OpenID Connect settings, without having to contact Support.

You must first register an EPM instance with your OpenID Connect provider. Steps for each supported provider are given in Add EPM to OpenID Connect provider, below.

Configure an authentication provider

If you are starting from the default (AzureB2B) configuration, use this procedure to switch to OpenID Connect.

⚠️

Important

If you choose to configure OpenID Connect, you cannot revert to the default settings.

To set up an OpenID Connect provider:

  1. Select the Configuration menu, and then click Authentication Provider Settings.
  2. Click Enable OpenID Configuration. After you have completed and saved the OpenID configuration, this switch no longer appears on this page.
  3. Enter information for the following:
    • Provider URL: The domain or issuer URL of your authentication provider. Microsoft, Okta, Google, and Ping Identity are currently supported.
    • Client ID: The client (application) ID that the provider issued for the EPM registration.
    • Client Secret: The client secret generated for that registration.
  4. Check the confirmation box. Before you do, review the settings you configured: incorrect settings can lock you out of the system. The Save Changes button is only available after you check the box.
  5. Click Save Changes.

⚠️

Important

You will be logged out of the EPM console. A 15-minute timer starts when you save, and you must log back in before it expires; this login confirms that the new settings work. If you do not log in before the timer expires, the authentication provider settings revert to the previous settings and the new settings are not saved.

If you log in before the timer expires, the new authentication provider settings are retained.

EPM OpenID Connect workflow for new customers

Here is the workflow to get up and running with EPM using OpenID Connect authentication.

  • You will receive an email from BeyondTrust after the request is processed.
  • In the email, click the link to open the BeyondTrust OpenID Setup page.
  • Enter the OpenID Connect information: domain, client ID, and client secret. Click Save Setup. The OpenID credentials are saved.
  • The Endpoint Privilege Management login page opens. Click Log In.
  • EPM opens to the Home page.

Add EPM to OpenID Connect provider

EPM supports Microsoft Entra ID, Okta OpenID, Google Identity, and Ping Identity Connect providers. The following sections provide a high-level overview on adding the EPM instance to your respective authentication provider. For complete instructions, refer to the provider's documentation.

ℹ️

Note

Migration to OIDC succeeds for an existing user only when the email address sent by Okta or Entra ID matches that user's email address in EPM. If the email addresses differ, or the email domain is not on the list of allowed domains in EPM, authentication fails.
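Because the switch to OpenID Connect cannot be reverted to the default, it is worth finding out before migrating which existing users would fail the email match described in this note. The following Python script is an added example, not BeyondTrust code: it compares an export of EPM users with the email addresses your identity provider will assert and with EPM's allowed-domain list, and classifies each user by what will happen at their first OIDC login. The user lists and the allowed-domain list are constructed sample data, and the script assumes the provider sends the address in the standard email claim, which the page does not state.

```python
"""Pre-migration check for the email-match note above. Added example, not BeyondTrust code.

Assumptions: the IdP asserts the user's address in the standard 'email' claim (the page
says only "the email address sent from Okta or Entra ID"), and the lists below are
constructed. Replace them with exports of your EPM users, your IdP users and EPM's
allowed-domain list to see who would be locked out before you migrate.
"""


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def migration_report(epm_users, idp_emails, allowed_domains) -> dict:
    """Classify every existing EPM user by the outcome of their first OIDC login.

    epm_users: email addresses of existing EPM users.
    idp_emails: the email claim the IdP will send for each of its accounts.
    allowed_domains: EPM's allowed-domain list.
    Returns {"ok", "mismatched", "case_differs", "disallowed_domain"} -> lists of users.
    """
    exact = set(idp_emails)
    lowered = {e.lower() for e in idp_emails}
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    report = {"ok": [], "mismatched": [], "case_differs": [], "disallowed_domain": []}
    for user in epm_users:
        if _domain(user) not in allowed:
            # Domain not on EPM's allow list: fails even if the IdP email matches.
            report["disallowed_domain"].append(user)
        elif user in exact:
            report["ok"].append(user)
        elif user.lower() in lowered:
            # Same address except for letter case. The page does not say whether the
            # comparison is case-sensitive, so verify these with a test login.
            report["case_differs"].append(user)
        else:
            # The IdP will never assert this address: fix the IdP profile or the EPM user first.
            report["mismatched"].append(user)
    return report


# Constructed sample data (not real accounts).
EPM_USERS = ["alice@example.com", "Bob@example.com", "carol@example.com", "dave@contractor.example"]
IDP_EMAILS = ["alice@example.com", "bob@example.com", "c.jones@example.com", "dave@contractor.example"]
ALLOWED_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for outcome, users in migration_report(EPM_USERS, IDP_EMAILS, ALLOWED_DOMAINS).items():
        print(f"{outcome}: {users}")
```

Users in the mismatched and disallowed_domain lists will fail after the switch; fix the IdP profile, the EPM user record, or the allowed-domain list first, and confirm the case_differs entries with a test login.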

Add EPM instance to Google Identity

For step-by-step instructions on configuring Google Identity as your OpenID Connect provider, refer to Google's OpenID Connect documentation.

After that configuration is complete, go to Configure an authentication provider.

Add EPM instance to Microsoft Entra ID tenant

  1. Log into your Microsoft Entra ID (formerly Azure AD) tenant.
  2. In the menu, click App Registrations.
  3. Click New Registration.
  4. Enter a Name.
  5. Under Supported account types, select Accounts in this org directory only.
  6. Enter the Redirect URI. While providing this now is optional and can be changed later, a value is required for most authentication scenarios.
  7. Click Register.
  8. After EPM registers, select Authentication in the menu.
  9. Add the following to the Redirect URIs: https://<deployment>-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc, where deployment is the name of your EPM tenant.
  10. Go to Manage > API permissions, and then select Grant admin consent.
  11. Select Certificates & secrets in the menu.
  12. Click New client secret. When generating a new secret, you must select an expiry; we recommend selecting Recommended: 6 months. Copy the secret Value (not the Secret ID) immediately: it is visible only until you leave the web page. Note the expiry date as well, because sign-in to EPM fails once the secret expires, until you generate a new secret and update the EPM settings.
  13. On the app registration Overview page, copy the Application (client) ID and the Directory (tenant) ID.
    The EPM OpenID Connect setup wizard requires these values:
    • OpenID Domain: https://login.microsoftonline.com/<tenant-id>, where <tenant-id> is the Directory (tenant) ID, a GUID of the form 31b8dbb9-fb8b-437a-8920-f23c8e0188b1.
    • OpenID Client ID: The Application (client) ID.
    • OpenID Client Secret: The client secret value from step 12.

Add EPM instance to Okta

Supported features

The Endpoint Privilege Management for Windows and Mac (also called EPM) - Okta integration allows logging in to the EPM platform using an SP-initiated SSO flow.

Configure the integration

  1. Access your Okta instance.

  2. Navigate to Applications, and then click the Browse App Catalog button.

  3. Search for an app called BeyondTrust Privilege Management Cloud - Windows and Mac.

  4. Click Add Integration.

  5. Click Done.

  6. While in the new application, navigate to Sign On, and then click Edit.

  7. Navigate to the Advanced Sign-on Settings and provide the Base Service URL which follows the format https://{deployment}-services.pm.beyondtrustcloud.com. (deployment is the name of your EPM tenant.) Click Save.

  8. After you add the EPM app to Okta, the Sign On > Edit page shows the information you need for the EPM OpenID Connect setup: the Okta domain (or issuer URL), the client ID, and the client secret.

ℹ️

Note

Confirm the domain name configured in Okta. It might differ from the domain of your users' email addresses: for example, the domain managed in Okta might be domain.com while users' email addresses are on a different domain. Both pieces of information are required.

To complete the configuration in EPM:

  1. Log in to your EPM instance. Navigate to Configuration, and then Authentication Provider Settings.
  2. Select Okta for the OpenID Connect Provider.
  3. Provide the domain or issuer URL, client ID, and client secret.
  4. Save and test the configuration.

Add EPM instance to Ping Identity

ℹ️

Note

We currently support PingOne, the SaaS service from Ping Identity.

  1. Start up your Ping Identity instance.

  2. In the menu, click Connections, and then click Applications.

  3. At the right of the Applications title, click the plus sign (+) to add an application.

  4. Enter a name for the application (required), and then add a short description (optional).

  5. Select OIDC Web App and click Save.

  6. Click the Configuration tab.

  7. To edit the configuration, click the pencil/edit icon.

  8. Under Redirect URLs, click + Add, and then add the sign-in and sign-out URLs. If you are modifying an existing instance, you might need to open the General section dropdown first.

    • Sign-in redirect URL: https://{deployment}-services.pm.beyondtrustcloud.com/oauth/signin-oidc
    • Sign-out redirect URL: https://{deployment}-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc

    where deployment is the name of your EPM tenant.

  9. Under Token Endpoint Authentication Method, select Client Secret Post, and then click Save.

  10. Click the Resources tab.

  11. To edit the resource, click the pencil/edit icon.

  12. In the Scopes list, click the + next to profile openid to add it to the Allowed Scopes. You can filter the list of options by openid to find it.

  13. Click Save.

  14. To close the panel, at the top right of the Edit panel, click the X.

  15. At the right of the new application entry, toggle the switch to on to give access to users.

  16. Click the Configuration tab again. For the EPM OpenID Connect set-up wizard, you need to copy the following information from the Configuration page:

    • Issuer: The issuer URL. The Configuration page shows it without a scheme; prefix it with https://.
    • Client ID
    • Client Secret
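The three values each provider section above hands you (provider URL or issuer, client ID, client secret) go straight into EPM, and a wrong one costs you a failed login and another round of the 15-minute timer, or, as the page warns, a lockout. The following Python script is an added example, not BeyondTrust code, for checking them before you click Save Changes: it derives the EPM redirect URIs from the tenant name, normalizes the issuer the way the Entra ID and Ping steps describe (tenant ID to login.microsoftonline.com URL, https:// prefixed to a bare Ping issuer), flags the common Entra mistake of pasting the Secret ID instead of the secret Value, and compares the issuer, scopes and token-endpoint authentication method with the provider's discovery document. The deployment name acme, the PingOne-style discovery document and the secret are constructed; fetch the real document from <issuer>/.well-known/openid-configuration before running it against your own values.

```python
"""Pre-flight check of OpenID Connect settings before you click Save Changes in EPM.
Added example, not BeyondTrust code; EPM's own validation is not documented on this
page, so this checks only what the page states (provider URL shape, EPM's redirect
URIs, the Ping requirements) against a discovery document you fetch yourself from
<issuer>/.well-known/openid-configuration. SAMPLE_DISCOVERY is constructed data."""
import re
import uuid

SIGNIN_PATH = "/oauth/signin-oidc"             # from the Ping steps on this page
SIGNOUT_PATH = "/oauth/signout-callback-oidc"  # from the Entra ID and Ping steps


def epm_redirect_uris(deployment: str) -> dict:
    """Sign-in and sign-out redirect URIs to register; <deployment> is the EPM tenant name."""
    # Assumption: tenant names are DNS-label-like; the page does not define them.
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", deployment):
        raise ValueError(f"unexpected deployment name: {deployment!r}")
    base = f"https://{deployment}-services.pm.beyondtrustcloud.com"  # the Okta Base Service URL
    return {"signin": base + SIGNIN_PATH, "signout": base + SIGNOUT_PATH}


def normalize_issuer(provider: str, value: str) -> str:
    """Turn what each provider's console shows into the URL EPM expects."""
    value = value.strip().rstrip("/")
    if provider == "entra":
        # OpenID Domain is https://login.microsoftonline.com/<tenant-id>; accept the
        # bare Directory (tenant) ID or the full URL.
        tenant = value.rsplit("/", 1)[-1]
        uuid.UUID(tenant)  # raises ValueError unless this is a GUID
        return f"https://login.microsoftonline.com/{tenant}"
    if provider in ("okta", "ping", "google"):
        # Ping's Configuration page shows the issuer without a scheme: prefix https://.
        if "://" in value and not value.startswith("https://"):
            raise ValueError("issuer must be an https URL")
        return value if value.startswith("https://") else "https://" + value
    raise ValueError(f"unsupported provider: {provider}")


def check_secret(provider: str, secret: str) -> list:
    """Catch the copy mistakes that lock you out: padded/empty value, or Entra's Secret ID."""
    findings = []
    if not secret or secret != secret.strip():
        findings.append("client secret is empty or has surrounding whitespace")
    if provider == "entra":
        try:
            uuid.UUID(secret)  # Entra's Secret ID is a GUID; EPM needs the Value column
            findings.append("client secret looks like Entra's Secret ID, not the secret Value")
        except ValueError:
            pass
    return findings


def check_discovery(provider: str, issuer: str, discovery: dict) -> list:
    """Compare the configured issuer with the provider's discovery document; [] means no problem found."""
    findings = []
    advertised = discovery.get("issuer", "").rstrip("/")
    # Entra's v2.0 discovery document reports the issuer as <authority>/v2.0.
    accepted = {issuer, issuer + "/v2.0"} if provider == "entra" else {issuer}
    if advertised not in accepted:
        findings.append(f"issuer mismatch: configured {issuer}, provider advertises {advertised}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery.get(key, "").startswith("https://"):
            findings.append(f"{key} missing or not https")
    # EPM holds a client secret (a confidential web client), so it needs the
    # authorization code flow; assumption, the page does not name the flow.
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise response_type=code")
    missing = {"openid", "profile"} - set(discovery.get("scopes_supported", []))
    if missing:
        findings.append(f"scopes not advertised: {sorted(missing)}")
    methods = discovery.get("token_endpoint_auth_methods_supported", [])
    if provider == "ping" and "client_secret_post" not in methods:
        findings.append("Ping app must allow Client Secret Post at the token endpoint")
    return findings


def preflight(provider, deployment, issuer_value, secret, discovery) -> dict:
    """Everything to verify before checking the confirmation box in EPM."""
    issuer = normalize_issuer(provider, issuer_value)
    return {"issuer": issuer, "register_at_provider": epm_redirect_uris(deployment),
            "findings": check_secret(provider, secret) + check_discovery(provider, issuer, discovery)}


# Constructed discovery document in the style of a PingOne environment (not real data).
PING_ENV = "https://auth.pingone.com/11111111-2222-3333-4444-555555555555/as"
SAMPLE_DISCOVERY = {
    "issuer": PING_ENV,
    "authorization_endpoint": PING_ENV + "/authorize",
    "token_endpoint": PING_ENV + "/token",
    "jwks_uri": PING_ENV + "/jwks",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":  # issuer pasted without the scheme, as Ping's Configuration page shows it
    print(preflight("ping", "acme", PING_ENV[len("https://"):], "constructed-secret", SAMPLE_DISCOVERY))
```

An empty findings list does not prove the login will work (only the post-save login within the timer does), but a non-empty one tells you not to check the confirmation box yet. The redirect URIs in the report are the ones to confirm at the provider: the page gives both for Ping and the sign-out URI for Entra ID.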

Change authentication provider

After you set up an OpenID Connect provider (Microsoft Entra ID, Okta, Google Identity, or Ping Identity), you might need to switch to another one, or update the settings for the current one (for example, after rotating the client secret), at some point.

To change your existing OpenID Connect settings:

  1. Click the Configuration menu, and then select Authentication Provider Settings.
  2. Click Change OpenID Connect Provider.
  3. Select a different provider, and then enter the Provider URL (or Issuer), Client ID, and Client Secret information.
  4. Review your settings, and then check the verification box.
  5. Click Save Changes.

⚠️

Important

You will be logged out of the EPM console. A 15-minute timer starts when you save, and you must log back in before it expires; this login confirms that the new settings work. If you do not log in before the timer expires, the authentication provider settings revert to the previous settings and the new settings are not saved.

If you log in before the timer expires, the new authentication provider settings are retained.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.