HYPR
How is this integration useful?
BeyondTrust Endpoint Privilege Management (EPM) brokers privilege elevation on Windows desktops. For example, if a policy requires elevation to run Windows cmd.exe, the BeyondTrust client prompts for multi-factor authentication before the elevation is granted. Authentication with (for example) HYPR is initiated by the end user when they click a link that reads Authenticate with Your Identity Provider.
Important
Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit https://www.hypr.com/support or https://www.keycloak.org.
Example user workflow: authenticating with HYPR
- The user attempts to run cmd.exe as an administrator.
- The BeyondTrust client requests confirmation of the elevation and prompts for multi-factor authentication.
- The user is authenticated via HYPR.
- HYPR prompts the user to continue on the HYPR Mobile App.
Install the EPM for Windows client on Windows Desktop
- In EPM for Windows and Mac, from the left menu, click Configuration > Privilege Management Installation.
- Download the installers.
Configure your OIDC in EPM for Windows and Mac
For instructions, see Configure multi-factor authentication.
Configure your HYPR/Keycloak identity provider
- Log in to the Keycloak admin page and select the BeyondTrust realm in the drop-down.
- Click Clients in the left navigation menu. The main pane defaults to the Clients list tab.
- Click Create client. The Create client dialog opens.
- Client creation progress is outlined on the left of the client properties. Fill in the fields as described in the following tables:

General settings fields

| Field | Value |
| --- | --- |
| Client type | OpenID Connect |
| Client ID | BeyondTrustPMC |
| Name | BeyondTrust Privilege Management |
| Description | An optional field for descriptive text. |
| Always display in UI | Off |

Capability config settings

| Field | Value |
| --- | --- |
| Client authentication | Off |
| Authorization | Off |
| Authentication flow: Standard flow | On |
| Authentication flow: Direct access grants | On |
| Authentication flow: Implicit flow | On |
| Authentication flow: Service accounts roles | Off |
| Authentication flow: OAuth 2.0 Device Authorization Grant | On |
| Authentication flow: OIDC CIBA Grant | Off |

Client authentication Off makes this a public client with no client secret. The Proof Key for Code Exchange setting (Code Challenge Method S256) configured on the Advanced tab is therefore what prevents an authorization code intercepted on the desktop from being redeemed by another process, so do not skip that step.

Login settings

| Field | Value |
| --- | --- |
| Root URL | https://bt-int.gethypr.com |
| Home URL | (Leave blank.) |
| Valid redirect URIs | (Leave blank.) |
| Valid post logout redirect URIs | (Leave blank.) |
| Web origins | (Leave blank.) |
-
Configure client settings
- Log in to the Keycloak admin page and select the BeyondTrust realm in the drop-down.
- Click Clients in the left navigation menu. A list of clients populates the main pane.
- Select the client you just created. This example uses https://bt-int.gethypr.com.
- A set of tabs displays for the client properties:
- Settings

General

| Field | Value |
| --- | --- |
| Client ID | BeyondTrustPMC |
| Name | The name defined at creation (BeyondTrustPMC). |
| Description | An optional field for additional information. |
| Always display in UI | On |

Access Settings

| Field | Value |
| --- | --- |
| Root URL | https://bt-int.gethypr.com |
| Home URL | (Leave blank.) |
| Valid redirect URIs | (Leave blank.) |
| Valid post logout redirect URIs | (Leave blank.) |
| Web origins | (Leave blank.) |
| Admin URL | https://bt-int.gethypr.com |

Capabilities Config

| Field | Value |
| --- | --- |
| Client authentication | Off |
| Authorization | Off |
| Authentication flow: Standard flow | On |
| Authentication flow: Direct access grants | On |
| Authentication flow: Implicit flow | On |
| Authentication flow: Service accounts roles | Off |
| Authentication flow: OAuth 2.0 Device Authorization Grant | On |
| Authentication flow: OIDC CIBA Grant | Off |

Login Settings

| Field | Value |
| --- | --- |
| Login theme | Choose… (Leave unchosen.) |
| Consent required | Off |
| Display client on screen | Off |
| Client consent screen text | (Leave blank.) |

Logout Settings

| Field | Value |
| --- | --- |
| Front channel logout | On |
| Front-channel logout URL | (Leave blank.) |
| Backchannel logout URL | (Leave blank.) |
| Backchannel logout session required | On |
| Backchannel logout revoke offline sessions | Off |

- Keys: No configuration changes are needed in this section.
- Credentials: No configuration changes are needed in this section.
- Roles: No configuration changes are needed in this section.
- Client scopes: No configuration changes are needed in this section.
- Sessions: No configuration changes are needed in this section.
- Advanced

Advanced Settings

| Field | Value |
| --- | --- |
| Access Token Lifespan | Inherit from realm settings / 5 Minutes |
| Client Token Idle | Inherit from realm settings / 0 Minutes |
| Client Token Max | Inherit from realm settings / 0 Minutes |
| Client Offline Token Idle | Inherit from realm settings / 30 Days |
| Client Offline Token Max | Inherit from realm settings / 60 Days |
| OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled | Off |
| Proof Key for Code Exchange Code Challenge Method | S256 |
| Pushed authorization request required | Off |
| ACR to LoA Mapping | Default; do not add a mapping. |
| Default ACR Values | Leave blank; do not add values. |

Authentication Flow Overrides

| Field | Value |
| --- | --- |
| Browser Flow | HYPR |
| Direct Grant Flow | HYPR |
- Click Save.
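As an added example (not BeyondTrust, HYPR or Keycloak code), the following Python builds the same client as a Keycloak ClientRepresentation, ready to submit to the admin REST API (POST /admin/realms/BeyondTrust/clients) or to import with kcadm.sh create clients -r BeyondTrust -f client.json, and then lints the settings a security reviewer would question on a public OIDC client. The flow id is a placeholder: Keycloak binds flow overrides by flow id rather than by the alias HYPR shown in the UI, and the id must be looked up in the realm (GET /admin/realms/BeyondTrust/authentication/flows). The realm name and root URL are taken from the page.

```python
"""Build and lint the BeyondTrustPMC Keycloak client from the tables above.

Added example, not vendor code. Field names follow the Keycloak admin REST
API ClientRepresentation; HYPR_FLOW_ID is a placeholder you must replace.
"""
from __future__ import annotations

import json

REALM = "BeyondTrust"
ROOT_URL = "https://bt-int.gethypr.com"

# Placeholder: Keycloak stores flow overrides by flow id, not alias. Look up
# the id of the flow whose alias is "HYPR" in the realm before importing.
HYPR_FLOW_ID = "00000000-0000-0000-0000-000000000000"


def build_client_representation(hypr_flow_id: str = HYPR_FLOW_ID) -> dict:
    """Return the client exactly as the page's tables specify it."""
    return {
        "clientId": "BeyondTrustPMC",
        "name": "BeyondTrust Privilege Management",
        "description": "",
        "protocol": "openid-connect",
        "enabled": True,
        "alwaysDisplayInConsole": False,
        # Capability config
        "publicClient": True,                 # Client authentication: Off
        "authorizationServicesEnabled": False,  # Authorization: Off
        "standardFlowEnabled": True,
        "directAccessGrantsEnabled": True,
        "implicitFlowEnabled": True,
        "serviceAccountsEnabled": False,
        # Access settings
        "rootUrl": ROOT_URL,
        "adminUrl": ROOT_URL,
        "baseUrl": "",                        # Home URL: blank
        "redirectUris": [],                   # Valid redirect URIs: blank
        "webOrigins": [],
        # Login / logout settings
        "consentRequired": False,
        "frontchannelLogout": True,
        "attributes": {
            "oauth2.device.authorization.grant.enabled": "true",
            "oidc.ciba.grant.enabled": "false",
            "backchannel.logout.session.required": "true",
            "backchannel.logout.revoke.offline.tokens": "false",
            # Advanced tab: the setting that protects this public client
            "pkce.code.challenge.method": "S256",
            "require.pushed.authorization.requests": "false",
            "tls.client.certificate.bound.access.tokens": "false",
        },
        # Advanced tab: Authentication Flow Overrides, both set to HYPR
        "authenticationFlowBindingOverrides": {
            "browser": hypr_flow_id,
            "direct_grant": hypr_flow_id,
        },
    }


def lint_client(rep: dict) -> list[str]:
    """Flag settings a reviewer would question on a public OIDC client.

    Only facts about the OAuth 2.0 / OIDC settings themselves are checked;
    nothing here contacts Keycloak.
    """
    findings: list[str] = []
    attrs = rep.get("attributes", {})
    if rep.get("publicClient") and attrs.get("pkce.code.challenge.method") != "S256":
        findings.append(
            "public client without PKCE S256: an intercepted authorization "
            "code can be redeemed by any process on the desktop"
        )
    if rep.get("implicitFlowEnabled"):
        findings.append(
            "implicit flow enabled: tokens are returned in the URL fragment; "
            "the OAuth 2.0 Security BCP deprecates this flow"
        )
    if rep.get("directAccessGrantsEnabled"):
        findings.append(
            "direct access grants enabled: the client may collect the user's "
            "password itself (resource owner password credentials)"
        )
    return findings


def client_json(hypr_flow_id: str = HYPR_FLOW_ID) -> str:
    """Serialized representation for kcadm.sh create clients -f client.json."""
    return json.dumps(build_client_representation(hypr_flow_id), indent=2)


if __name__ == "__main__":
    rep = build_client_representation()
    print(client_json())
    for finding in lint_client(rep):
        print("WARNING:", finding)
```

Run as-is, the lint reports two findings, Implicit flow and Direct access grants, because both are On in the page's configuration and both are deprecated by the OAuth 2.0 Security Best Current Practice. The PKCE check stays quiet only because the Advanced tab sets S256; clear that attribute and it fires. Confirm with BeyondTrust which grants the EPM client actually uses before tightening those two settings, since the Device Authorization Grant rather than the implicit flow is what a desktop client handing off to a mobile app would normally rely on.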