Identity providers

Add an identity provider (IdP)

Identity Security Insights supports connecting to your third-party single sign-on applications. Configuring an identity provider gives members of your organization secure, authorized access to Insights and lets you centrally manage accounts, passwords, and identity verification in a manner familiar to both your users and your security team.

Insights currently supports the following identity providers using SAML:

  • Microsoft Entra ID
  • Okta
  • PingOne

Note: You must have your identity provider dashboard and Identity Security Insights open simultaneously to complete setup.

Microsoft Entra ID

Create application in Microsoft Entra ID

To begin adding Microsoft Entra ID as an identity provider, you must create a new application for Identity Security Insights within Microsoft Azure.

  1. Open Azure and ensure you are logged in as an administrator.
  2. Go to Microsoft Entra ID in Azure.
  3. Select Enterprise applications from the main menu or search.
  4. Select New application, then Create your own application.
  5. In the Create your own application panel, provide a human-readable name (e.g., Identity Security Insights), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  6. You are redirected to the overview page for your new application. From this page, select Set up single sign-on under Manage.
  7. Choose SAML and then Basic SAML Configuration:
    1. Click Edit and configure:
      • Identifier (Entity ID): The URL of your Insights app (example: app.beyondtrust.io).
      • Reply URL: A temporary placeholder URL to complete the app creation. This value will be edited with a URL generated by the Insights application in a later step.
  8. Click Save.

Add identity provider in Insights

To register an identity provider for use with Insights, create it within the Insights console.

Within your Insights Organization dashboard, add a new identity provider using the following steps:

  1. Go to Menu > Identity & Authentication Providers and click Add New Identity Provider.
  2. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., Microsoft Entra ID).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: The URL of your Insights app (e.g., example.io).

Note: Ensure that the Service Provider Entity ID matches the Identifier (Entity ID) configured in your Azure application.

Provide Microsoft credentials

Once you create your Microsoft Azure application, Microsoft Azure generates several values required by Insights to complete setup.

  1. Within the dashboard, open your app configuration from Step 2, if it is not already open (search for Enterprise applications, and click your new Insights app).
  2. Click Single sign-on for your new Insights app.
  3. Under SAML Certificates, click Download beside Federation Metadata XML.
  4. Open the XML file and provide the following values to the Identity Security Insights Add New Authentication Provider panel (opened in Step 1):
    • Copy the entityID from the top line of the document, and paste the value into the Insights Identity Provider Entity ID field.
    • Copy the encoded certificate between the tags of the document, and paste the certificate into the Insights tab labeled Certificate 1.
    • Close the XML document.
  5. In your Azure app configuration, under Set up for your application, copy the Login URL. Within the Insights Add Identity Provider panel, paste the Login URL value into the field labeled Identity Provider Sign-On URL.
  6. Within the Insights Add Identity Provider panel, click Add Identity Provider.
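
The following added example (not BeyondTrust or Microsoft code) reads the Identity Provider Entity ID, the sign-on URL published for the POST binding, and the signing certificate from a SAML metadata file such as the Federation Metadata XML, and computes a SHA-256 fingerprint of each certificate so the value pasted into Certificate 1 can be recorded and checked later. The function name, the sample host names, and the stand-in certificate bytes are assumptions constructed for illustration; the element names are those of standard SAML 2.0 metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def idp_values(xml_text):
    """Read the values the Insights panel asks for from SAML IdP metadata."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or idp is None:
        raise ValueError("not SAML IdP metadata")
    # Use only signing keys inside IDPSSODescriptor: the same file can carry
    # certificates elsewhere (document signature, other role descriptors).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())  # strip line wrapping
            der = base64.b64decode(b64, validate=True)
            certs.append((b64, hashlib.sha256(der).hexdigest()))
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    if not certs or len(sso) != 1 or not sso[0].startswith("https://"):
        raise ValueError("need a signing certificate and one HTTPS POST sign-on URL")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "certs": certs}


# Constructed sample: placeholder host names and stand-in bytes, not a real certificate.
FAKE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>%s</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Location="https://idp.example.com/saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService Location="https://idp.example.com/saml2" Binding="%s"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (base64.b64encode(FAKE_DER).decode(), POST)
```

Call `idp_values()` on the text of the downloaded metadata file and compare the returned `entity_id` and `sso_url` with what was entered in the Insights panel.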

Update Azure single sign-on URL

The Insights application now generates a unique single sign-on URL to use with Microsoft Azure. To provide this URL to Microsoft Azure, follow the steps below:

  1. Within the Identity & Authentication Providers dashboard in Identity Security Insights, click Actions to the right of your newly configured identity provider and select Edit Provider.
  2. Copy the SAML Single Sign-On URL.
  3. In your Azure app configuration (in Azure, search for Enterprise applications, and click your new Insights app), select Edit under Basic SAML Configuration.
    • Reply URL: Remove your placeholder single sign-on URL value, and paste the value generated by the Insights console.
  4. Click Save.

Okta

Create application in Okta

To begin adding Okta as an identity provider, you must create a new application for Identity Security Insights within Okta.

  1. Open your Okta tenant dashboard and ensure you are logged in as an administrator.
  2. Navigate to Applications > Applications and click Create App Integration.
  3. Select SAML 2.0 and click Next.
  4. Enter a human-readable app name, such as Identity Security Insights, and then click Next.
  5. In the Configure SAML step, provide the following information:
    • Single sign-on URL: A temporary placeholder URL to complete the app creation. This value will be edited with a URL generated by the Insights application in a later step.
    • Audience URI: The URL of your Insights app (e.g., example.io).
    • Name ID Format: Select EmailAddress.
    • Application Username: Select Okta username.
  6. Click Next when complete.
  7. Select your customer type on the Feedback screen, and then click Finish.

Add identity provider in Insights

To register an identity provider for use with Insights, create it within the Insights console.

Within your Insights Organization dashboard, add a new identity provider using the following steps:

  1. Navigate to Menu > Identity & Authentication Providers and click Add New Identity Provider.
  2. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., Okta).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: The URL of your Insights app (e.g., example.io).

Note: Ensure that the Service Provider Entity ID matches the Audience URI configured in your Okta application.

Provide Okta credentials

Once your Okta application is created, Okta generates several values required by Insights to complete setup.

  1. Within your Okta dashboard, navigate to Applications > Applications and select your new Insights app from the list.

  2. In the Sign On tab, click View SAML setup instructions on the right side.

  3. Okta displays a list of items required to finish configuration. The following items must be copied from the Okta dashboard and pasted into the Identity Security Insights Add New Authentication Provider panel (opened in Step 1):

    • Paste the Okta Identity Provider Single Sign-On URL into the Insights Identity Provider Sign-On URL field.
    • Paste the Okta Identity Provider Issuer value into the Insights Identity Provider Entity ID field.
    • Within Okta, copy the certificate encoding between the text BEGIN CERTIFICATE and END CERTIFICATE, and paste the certificate into the Insights tab labeled Certificate 1.
  4. Within the Insights Add New Authentication Provider panel, click Save Settings.

Update Okta single sign-on URL

The Insights application now generates a unique single sign-on URL to use with Okta. To provide this URL to Okta, follow the steps below:

  1. Within the Identity & Authentication Providers screen in the Insights dashboard, click Actions to the right of your newly configured identity provider and select Edit.
    • Copy the SAML Single Sign-On URL.
  2. In your Okta dashboard, navigate to Applications > Applications and select your newly configured Insights app.
    • Under General > SAML Settings, click Edit.
    • In the General Settings tab, click Next.
    • In the Configure SAML tab, remove your placeholder single sign-on URL value, and paste the value generated by the Insights console.
  3. Click Next, and then click Finish to save your changes.

PingOne

Create application in PingOne

To begin adding PingOne as an identity provider, you must create a new application for Identity Security Insights within PingOne.

  1. Open your PingOne console and ensure you are logged in as an administrator.
  2. Select the environment you would like to configure Insights for, and then navigate to Connections > Applications.
  3. Click the plus sign beside Applications to create a new application.
  4. In the Add Application panel, provide a human-readable name (e.g., Identity Security Insights), a useful description, and click Configure.
  5. In the following SAML Configuration page, under Provide Application Metadata, select Manually Enter and provide the following information:
    • ACS URLs: A temporary placeholder URL to complete the app creation. This value will be edited with a URL generated by the Insights application in a later step.
    • Entity ID: A unique identifier for your IdP (e.g., ping).
  6. Click Save.

Add identity provider in Insights

To register an identity provider for use with Insights, create it within the Insights console.

Within your Insights Organization dashboard, add a new identity provider using the following steps:

  1. Navigate to Menu > Identity & Authentication Providers and click Add New Identity Provider.
  2. Provide the following information in the Add New Authentication Provider panel:
    • Provider Name: The name of your SSO service, or a human-readable name for reference (e.g., PingOne).
    • Binding Type: Select Post from the dropdown.
    • Domain Name: Your organization’s email domain (e.g., example.com).
    • Service Provider Entity ID: The unique Entity ID assigned in the previous step.

Note: Ensure that the Service Provider Entity ID matches the Entity ID configured in your Ping application.

Provide PingOne credentials

Once your PingOne application is created, PingOne generates several values required by Insights to complete setup.

  1. Within the PingOne dashboard, open your app configuration from Step 2 if it is not already open (navigate to Connections > Application and click your new Insights app), and then click the Overview tab.
  2. Copy the Single Signon Service URL. Within the Insights Add New Authentication Provider panel, paste the Single Signon Service URL value into the field labeled Identity Provider Sign-On URL.
  3. Copy the Issuer ID. Within the Insights Add New Authentication Provider panel, paste the Issuer ID value into the field labeled Identity Provider Entity ID.
  4. Click Download Signing Certificate and open the certificate file in a program such as Notepad++.
  5. Copy the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste the value into the field labeled Certificate 1.
  6. Within the Insights Add New Authentication Provider panel, click Save Settings.
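
For the Okta and PingOne steps that copy the text between BEGIN CERTIFICATE and END CERTIFICATE, the following added example (not BeyondTrust, Okta, or Ping code) extracts that body from a PEM file, refuses input that holds a private key or more than one certificate, and returns a SHA-256 fingerprint to record alongside the configuration. The function name and the stand-in sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def certificate_body(pem_text):
    """Return (base64_body, sha256_hex) for the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("input contains a private key; it must never be pasted")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected one CERTIFICATE block, found %d" % len(certs))
    body = "".join(certs[0].split())              # drop CRLF/LF and indentation
    der = base64.b64decode(body, validate=True)   # raises on stray characters
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return body, hashlib.sha256(der).hexdigest()


# Constructed sample: stand-in bytes with a DER SEQUENCE tag, not a real
# certificate, wrapped at 64 columns with CRLF line endings.
FAKE_DER = b"\x30\x82" + b"constructed stand-in certificate bytes " * 3
B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(
    B64[i:i + 64] for i in range(0, len(B64), 64)
) + "\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    body, fingerprint = certificate_body(SAMPLE_PEM)
    print(fingerprint)
```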

Update PingOne configuration

Update the ACS URL

The Insights application now generates a unique single sign-on URL to use with PingOne. To provide this URL to PingOne, follow the steps below:

  1. Within the Identity & Authentication Providers dashboard in Identity Security Insights, click Actions to the right of your newly configured identity provider and select Edit.
  2. Copy the SAML Single Sign-On URL.
  3. In your PingOne application (in PingOne, navigate to Connections > Application and click your new Insights app), select Configuration.
  4. Click the pencil in the top right of the configuration menu and edit the following values:
    • ACS URL: Remove the placeholder value, and paste the SAML Single Sign-On URL generated by the Insights console.
  5. Click Save.

Update mapped attributes

  1. Click on Attribute Mappings.
  2. Click the pencil in the top right of the configuration menu and edit the following values:
    • saml_subject: Ensure this is set to Username.
    • userName: Ensure this is set to Username.
  3. Click Save.

Invite organization users

Once your identity provider is configured in Identity Security Insights, invite users on the User Management page.

Note: For more information, see the Manage users guide.

