
Beyond Identity (SAML)

Using Beyond Identity with SAML for Remote Support provides several benefits:

  • Provides strong, unphishable multi-factor access and policy-based access controls to ensure high-trust authentication for admin accounts.
  • Ensures only devices that meet the company’s security policy have access to admin accounts.
  • Establishes identity before privileged actions on an endpoint are allowed, using a frictionless step-up authentication.
  • Creates a zero-trust PAM architecture: the system doesn’t trust the user until they pass a high-assurance authentication and doesn’t trust their device unless it meets security policies.
  • Eliminates passwords and the corresponding vulnerabilities from privileged accounts.

Beyond Identity can validate a device’s security posture before allowing access to Remote Support.

Beyond Identity can provide insights into access activity.

To use the Beyond Identity app, you must download and install the application, and configure it and BeyondTrust Remote Support to work together. The integration is configured using POST, not redirect. The integration can be used to authenticate SAML for representatives and public sites.

Download the Beyond Identity app

Go to the Beyond Identity Download site.

Download and install the Beyond Identity app, and then use the app to authenticate your instance of Beyond Identity.

Configure Beyond Identity for representatives

Follow the steps below to download and configure the Beyond Identity app for a representative.

  1. If Beyond Identity is already open in a browser tab, open a new browser tab for BeyondTrust Remote Support.

  2. Go to the /login interface of the Remote Support instance.

  3. Click Users & Security on the left menu, and then click the Security Providers tab.

  4. Click Add and select SAML for Representatives.
  5. Scroll down and expand the Service Provider Settings.
  6. Locate the Assertion Consumer Service URL and the Entity ID. These are required for Beyond Identity. Alternatively, click Download Service Provider Metadata.
  7. If Beyond Identity is not already open, open it in a new browser tab.
  8. Click Integrations in the left menu.
  9. Click the SAML tab.
  10. Click Add SAML Connection.
  11. If you have downloaded the service provider metadata, click Upload XML and locate the file on your device.
  12. If you have not downloaded the information, then:
    • Copy the Assertion Consumer Service URL in Remote Support to SP Single Sign On URL in Beyond Identity.
    • Copy the Entity ID in Remote Support to SP Audience URI in Beyond Identity.
  13. In Beyond Identity, configure Attribute Statements. Groups includes an RS group to be assigned via the SAML assertion.
  14. In Beyond Identity, click Save Changes.
  15. In the SAML Connections panel, locate the connection just added.
  16. For the new connection:
    • Click the Download Certificate icon.
    • Click the Download Metadata icon </>.
  17. Return to the browser tab for the /login interface of the BeyondTrust Remote Support instance.
  18. In the Remote Support /login interface:
    • Click Upload Identity Provider Metadata and locate the file on your device.
    • Click Upload Certificate (or Replace Certificate, if required), and locate the file on your device.
  19. Scroll down and expand the User Attribute Settings.
  20. Configure based on the attribute names configured in Beyond Identity.
  21. Scroll down and expand Authorization Settings.
  22. Configure as required. A Default Group Policy must be selected.
  23. Click Save.
  24. Log out of BeyondTrust Remote Support.

Test Beyond Identity on your device

To test Single Sign-On using SAML with the Beyond Identity app, ensure you are logged out of all instances of BeyondTrust Remote Support.

On the login page for Remote Support, click Use SAML Authentication.

A screen shows the Beyond Identity app verifying your identity.

After successful verification, you are authenticated in Remote Support.

Configure Beyond Identity for public portals or sites

  1. If Beyond Identity is already open in a browser tab, open a new browser tab for BeyondTrust Remote Support.

  2. Go to the /login interface of the Remote Support instance.

  3. Click Users & Security on the left menu, and then click the Security Providers tab.

  4. Click Add and select SAML for Public Portals.
  5. Scroll down and expand the Service Provider Settings.
  6. Locate the Assertion Consumer Service URL and the Entity ID. These are required for Beyond Identity. Alternatively, click Download Service Provider Metadata.
  7. If Beyond Identity is not already open, open it in a new browser tab.
  8. Click Integrations in the left menu.
  9. Click the SAML tab.
  10. Click Add SAML Connection.
  11. If you have downloaded the service provider metadata, click Upload XML and locate the file on your device.
  12. If you have not downloaded the information, then:
    • Copy the Assertion Consumer Service URL in Remote Support to SP Single Sign On URL in Beyond Identity.
    • Copy the Entity ID in Remote Support to SP Audience URI in Beyond Identity.
  13. In Beyond Identity, configure Attribute Statements. Groups includes an RS group to be assigned via the SAML assertion.
  14. In Beyond Identity, click Save Changes.
  15. In the SAML Connections panel, locate the connection just added.
  16. For the new connection:
    • Click the Download Certificate icon.
    • Click the Download Metadata icon </>.
  17. Return to the browser tab for the /login interface of the BeyondTrust Remote Support instance.
  18. In the Remote Support /login interface:
    • Click Upload Identity Provider Metadata and locate the file on your device.
    • Click Upload Certificate (or Replace Certificate, if required), and locate the file on your device.
  19. Scroll down and expand the User Attribute Settings.
  20. Configure based on the attribute names configured in Beyond Identity.
  21. Scroll down and expand Authorization Settings.
  22. Configure as required. A Default Group Policy must be selected.
  23. Click Save.
  24. Select Public Portals on the left menu, and then the Public Sites tab.
  25. Click Add. In the BeyondTrust instance, click Public Portals, and then Public Sites.
  26. Enter the site information, and check the Require SAML Authentication box.
  27. Click Save.
  28. Log out of BeyondTrust Remote Support.

When using the URL for your public sites, SAML authentication occurs via Beyond Identity.
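
When the Assertion Consumer Service URL and Entity ID are copied by hand in either procedure above, instead of uploading the metadata XML, the entered values can be checked against the downloaded Service Provider metadata before saving. The following is an added example, not BeyondTrust or Beyond Identity code; the host name, URL paths and function names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of a downloaded Service Provider metadata file.
# Host name and paths are placeholders, not real Remote Support values.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://support.example.com/saml/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://support.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the Entity ID and every (binding, ACS URL) pair in SP metadata.

    Intended for a file the administrator downloaded from their own
    instance; use a hardened parser such as defusedxml for untrusted XML.
    """
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.iter(MD + "AssertionConsumerService")]
    return {"entity_id": root.get("entityID"), "acs": acs}


def check_connection(sp, sso_url, audience_uri):
    """Compare hand-entered IdP fields with the SP metadata; return findings."""
    findings = []
    post_urls = [loc for binding, loc in sp["acs"] if binding == HTTP_POST]
    if not post_urls:  # the integration uses POST, not redirect
        findings.append("SP metadata has no HTTP-POST Assertion Consumer Service")
    if sso_url not in post_urls:  # exact match: no trimming or case folding
        findings.append("SP Single Sign On URL != Assertion Consumer Service URL")
    if audience_uri != sp["entity_id"]:
        findings.append("SP Audience URI != Entity ID")
    if not sso_url.startswith("https://"):
        findings.append("Assertion Consumer Service URL is not HTTPS")
    return findings
```

An empty list from `check_connection` means the two hand-copied fields match the metadata exactly; a trailing slash or a different scheme is reported as a mismatch.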

For assistance, contact BeyondTrust Technical Support.

