
By integrating your B Series Appliance with your company's directory stores, IT administrators can easily manage user access to BeyondTrust accounts. Configure BeyondTrust PRA to use your existing directory structure for user authentication and group lookup.

Access to existing user and group data

Rather than manually creating each BeyondTrust user account, an administrator can configure the B Series Appliance to query directories for existing users. Using the hierarchy and group settings already specified in these directories, the administrator can assign BeyondTrust account permissions to groups of users in addition to setting individual permissions.

Consistent authentication

Permitted users can log into their BeyondTrust accounts with their system credentials. The use of existing credentials spares the administrator from having to assign an additional username and password to each user and saves the user from having to remember another set of credentials.

Dynamic user permissions

Because BeyondTrust can retrieve data straight from the directory, a change in a user's status will automatically be reflected in their BeyondTrust account settings. For instance, if someone is moved from the Internal Support group to the Customer Support group in the company directory, the B Series Appliance also will read that user as a member of the Customer Support group and accordingly will grant that user the privileges assigned to that group.

Immediate account deactivation

If a user is moved to a group that is not permitted to access your B Series Appliance, or if the user ceases employment and is deleted from the company directory, that user will no longer be able to log into their BeyondTrust account. The account information will be present on the B Series Appliance for reporting purposes only.

Integration of your B Series Appliance with external identity providers enables you to efficiently manage user access to BeyondTrust accounts by authenticating users against external directory stores.

This guide helps you configure the B Series Appliance to communicate with an identity provider using SAML 2.0 for the purpose of user authentication and group lookup.

Configure the SAML security provider

  1. Go to /login > Users & Security > Security Providers.
  2. From the + ADD dropdown, select the type of server you want to configure.

Note: Multiple SAML providers can be configured, but a user who is defined in more than one provider can only be mapped to the first provider.

Add security provider

  1. Enter a unique name to identify the provider.
  2. Enabled: If checked, your B Series Appliance searches this security provider when a user attempts to log in. If unchecked, this provider is not searched.

User provision

By default, user provisioning occurs on this provider. If you have a SCIM provider set up, you can choose to provision users through that provider instead.

Note: This setting cannot be modified after this security provider is first saved.

Associated email domains

This setting only applies if you have more than one active SAML provider and is ignored otherwise.

Add any email domains that should be associated with this SAML provider, one per line. When authenticating, users are asked to enter their email. The domain of their email is matched against this list, and they are redirected to the appropriate identity provider for authentication.

If multiple SAML providers are configured and the user's email domain does not match any of the associated domains on any provider, then they are not allowed to authenticate.
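The domain-based routing described above, as an added illustration rather than BeyondTrust's own code: a constructed provider list with one-per-line domain text, the single-active-provider case where the list is ignored, and the refusal when no active provider claims the domain. The exact-match rule (no implicit subdomain matching) and first-provider-wins on overlapping domains are assumptions of this example.

```python
from typing import Optional

# Constructed sample of the provider list: (name, Enabled flag, the "one per line"
# Associated email domains text). Legacy-IdP is disabled, so it is never consulted.
PROVIDERS = [
    ("Okta-Corp", True, "example.com\ncorp.example.com"),
    ("Azure-Partners", True, "partner.example.org\nexample.com"),
    ("Legacy-IdP", False, "example.com"),
]


def parse_domains(text: str) -> set[str]:
    """Normalise the one-per-line domain list: trim, lowercase, drop blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def select_provider(email: str, providers) -> Optional[str]:
    """Return the name of the SAML provider the user is redirected to, or None
    if no active provider claims the domain of the email (login refused)."""
    active = [(name, parse_domains(domains)) for name, enabled, domains in providers if enabled]
    if len(active) == 1:
        # Only one active SAML provider: the associated domain list is ignored entirely.
        return active[0][0]
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    # Exact domain match only (no implicit subdomain match). Assumed here: when two
    # active providers list the same domain, the first in the list wins.
    for name, domains in active:
        if domain in domains:
            return name
    return None
```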

Identity provider settings

Identity provider metadata

The metadata file contains all the information needed for the initial setup of your SAML provider and must be downloaded from your identity provider.

  1. Save the XML file.
  2. Click Choose File to select and upload the selected file.

Note: The fields for Entity ID, Single Sign-On Service URL, and Certificate are automatically populated from the identity provider's metadata file. If you cannot get a metadata file from your provider, this information can be entered manually.

Entity ID

This is the unique identifier for the identity provider you are using.

Single sign-on service URL

This is the URL where you are automatically redirected to log in to BeyondTrust Privileged Remote Access using SAML.

SSO URL protocol binding

This determines whether an HTTP POST occurs or whether the user is redirected to the sign-on URL. Choose HTTP redirect if not specified by the provider.

If request signing is enabled (under Service Provider settings), protocol binding is limited to redirect only.

Server certificate

This certificate is used to verify the signature of the assertion sent from the identity provider. Click +UPLOAD to open a file browse window, navigate to the certificate, and click Open.

Service provider settings

Service provider metadata

Download the BeyondTrust metadata, which you then need to upload to your identity provider.

Entity ID

This is your BeyondTrust URL. It uniquely identifies your site to the identity provider.

Private key

If the identity provider supports and requires encryption, the B Series Appliance can decrypt the messages it sends. Click CHOOSE FILE to upload the private key needed to decrypt the messages sent from the identity provider.

Signed AuthnRequest

Check to enable request signing. If enabled, SSO URL protocol binding is limited to redirect only. The SSO URL protocol binding field is updated automatically, if necessary.

A private key and a signing certificate are required for request signing.

User attribute settings

These settings are only visible if this provider is used for user provisioning.

User SAML attributes

These attributes are used to provision users within BeyondTrust. The default values match BeyondTrust-certified applications with various identity providers. If you are creating your own SAML connector, you may need to modify the attributes to match what is being sent by your identity provider.

Authorization settings

These settings are only visible if this provider is used for user provisioning.

Lookup groups using this provider

Enabling this feature allows faster provisioning by automatically looking up groups for this user, using Group Lookup Attribute Name and Delimiter. We recommend enabling this feature. If not used, SAML users must be manually assigned to group policies after their first successful authentication.

Group lookup attribute name

Enter the name of the SAML attribute that contains the names of groups to which users should belong. If the attribute value contains multiple group names, then specify the Delimiter used to separate their names.

If left blank, SAML users must be manually assigned to group policies after their first successful authentication.

Group lookup delimiter

If the Delimiter is left blank, then the attribute value may contain multiple XML nodes with each one containing a different name.

Available groups

This is an optional list of SAML groups that are always available to be manually assigned to group policies. If left blank, a given SAML group becomes available only after the first successful authentication of a user who is a member of that group. Enter one group name per line.

Default group policy

Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your B Series Appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.

If a default policy is defined, any allowed user who authenticates against this server might have access at the level of this default policy. Therefore, we recommend you set the default to a policy with minimum privileges to prevent users from gaining permissions you do not wish them to have.

Note: If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.
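The two group-lookup modes (Group lookup attribute name with a Delimiter, or one XML node per group when the Delimiter is blank) and the default-policy precedence rule from the note above, as an added example that is not BeyondTrust's code. The assertion fragment is constructed for the example, with its signature omitted; the attribute names "memberOf" and "groups" and the policy names are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (signature omitted): "memberOf" carries several
# group names in one value separated by ";", "groups" carries one name per XML node.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Internal Support;Customer Support</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Internal Support</saml:AttributeValue>
      <saml:AttributeValue>Customer Support</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def lookup_groups(assertion_xml: str, attribute_name: str, delimiter: str = "") -> List[str]:
    """Group names carried by `attribute_name`. With a delimiter each AttributeValue
    is split on it; with none, every AttributeValue node is one whole group name."""
    root = ET.fromstring(assertion_xml)
    groups: List[str] = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for node in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = node.text or ""
            parts = text.split(delimiter) if delimiter else [text]
            groups.extend(p.strip() for p in parts if p.strip())
    return groups


def effective_policies(user_groups: List[str], group_policy_map: Dict[str, str],
                       default_policy: Optional[str]) -> List[str]:
    """Policies the user lands in: any specifically mapped policy wins over the
    default regardless of priority; the default applies only when none match."""
    specific = [policy for group, policy in group_policy_map.items() if group in user_groups]
    if specific:
        return specific
    return [default_policy] if default_policy else []
```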

Test settings

You can test the SAML configuration from this page. The provider must be saved before it can be tested. Click Save in the upper left area of the screen, then scroll down and click Test. The configuration is tested against the identity provider, and a test results page shows the SAML response and a formatted version of the assertion XML. The responses can be copied to other tools if further review is required.

Log in to Privileged Remote Access

SAML single sign-on works for the access console or the administrative /login interface.

Depending on your identity provider, users can also log in to the BeyondTrust access console or /login interface from the provider's web site or application.

Log into the access console using SAML credentials

To log into the BeyondTrust access console, select SAML Credentials from the dropdown menu.

If you have not yet logged into your identity provider, you are redirected using the default browser. After logging into the identity provider, the web browser redirects you to the access console.

Note: Users can access the mobile access console using SAML for mobile. To learn more, please see Log into the Access Console and Log into the Access Console for Android.

Log into the /login interface using SAML credentials

From the /login interface, select Use SAML Authentication.

If you have not yet logged in to your identity provider, you are redirected to their site to enter your credentials.

When you click Sign In you are taken to the /login interface.

Note: If you are already logged into your identity provider, then when you click Use SAML Authentication to log in, you are taken directly to the /login interface.

Manage security providers

The list of security providers has several icons at the right end of each row. Click the pencil icon to edit the provider. Click the trash can icon to delete the provider. Click the ellipsis for the actions available for that provider.

View log

View the status history or any errors for a security provider connection.

Disable connection

Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.
