Documentation
Start typing to search…

Identity providers | PRA Pathfinder

Use SAML group claims for Group Policy

If your SAML IdP is configured to send group claims, the groups can be leveraged in BeyondTrust PRA for Group Policy management. On a successful SAML login, any groups included in the authentication claim are automatically created and populated in PRA.

When the groups are available, administrators can assign appropriate permissions and add users to the relevant groups. This enables users to access their designated Jump Items and other resources as defined by the Group Policy.

Users can navigate to this API endpoint once authenticated with Pathfinder via SAML, and the results show the group assertions coming from the IdP.

https://app.beyondtrust.io/api/auth/UserInfo

Example output from the API call above. The groups section is the SAML group claims with BeyondTrust PRA for Group Policy management on successful SAML login.

{
  "sub": "12345678-1234-5678-1234-567812345678",
  "given_name": "John",
  "family_name": "Doe",
  "email": "[email protected]",
  "groups": [
    "Admin",
    "User",
    "Support Team"
  ]
}

Groups from the SAML claim are populated in the Available Members under Group Policies.

Group policies in PRA showing members in a policy

Updated 2 months ago

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.