HYPR
Log in to the Secure Remote Access administration web page with an administrative username and password. Follow the Secure Remote Access instructions for setting it up as a SAML service provider.
Note
The HYPR metadata information is available at this link: https:///auth/realms//protocol/saml/descriptor.
Important
Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit https://www.hypr.com/support or https://www.keycloak.org.
Create a new group policy
- In the left navigation menu, click Users & Security.
- Click the Group Policies tab at the top right of the page.
- Click the Add button.
- Name the policy. This example uses SAML_auth.
- Configure access permissions.
- Scroll down to the Access Permissions pane in Privileged Remote Access or the Representative Permissions pane in Remote Support.
- Check the box under the Defined column. This reveals a new option, Allowed to access endpoints for PRA or Allowed to provide remote support for RS.
- Check Allowed to access endpoints (PRA), or select Full Support from the dropdown (RS).
- In this same pane, scroll down to Jump Technology and select all the options.
- For Jump Item Roles, select Start Sessions Only for all items (Default, Personal, Teams, System).
- Configure session permissions.
- Scroll down to the Session Permissions pane in Privileged Remote Access. In Remote Support, both Attended Session Permissions and Unattended Session Permissions must be configured.
- Check the box next to Session Policy under the Defined column; this reveals additional settings.
- Check the box for Allow Elevated Access to Tools and Special Actions on the Endpoint.
- Scroll down to the Memberships pane and check the box under the Defined column for Add Team Membership (PRA) or Add Support Team Membership (RS).
- Search for your team, select a team role, and click the Add button to add the team.
- In the same Memberships pane, scroll down and find Add Jump Group Memberships; check the box under the Defined column.
- Search for your Jump Group.
- Set the Jump Item Role to Start Sessions Only.
- Set the Jump Policy to Set on Jump Items (PRA).
- Click Add.
- At the top left of the page, click Save.
Note
Account Settings, General Permissions, and Availability Settings do not require any changes from the default configuration.
Create a new security provider
- In the left navigation menu, click Users & Security.
- Click the Security Providers tab at the top of the page.
- Click the Add button and select SAML2 for Privileged Remote Access or SAML For Representatives for Remote Support.
- This page contains five expandable sections, the first four of which you will configure.
- Expand the Identity Provider Settings pane.
- Click Upload Identity Provider Metadata.
- Select the SAML metadata file provided by HYPR.
- Expand the Service Provider Settings pane.
- Click Download Service Provider Metadata.
- Provide the downloaded file to HYPR.
- Expand the User Attribute Settings pane.
- Set the following values:
| Field | Value |
|---|---|
| Username | Username |
| Email address | |
| Display Name | {First Name} {Last Name} |
- Expand the Authorization Settings pane.
- Set the Default Group Policy to the previously created policy; this example uses SAML_auth.
- Click the Save button when you are finished.
Identity provider configuration (HYPR/Keycloak)
Create a new client by importing the BeyondTrust metadata
- Log in to the Keycloak admin page and select the BeyondTrust realm in the drop-down.
- Click Clients in the left navigation menu.
- Once the Clients page opens, click Import client.
- Click Browse and select the SAML metadata file exported from Secure Remote Access. The Client ID field will be filled automatically; you can also manually enter a Name. This example uses BeyondTrustRSClient.
- Click Save when finished.
Configure new client settings
-
Log in to the Keycloak admin page and select the BeyondTrust realm in the drop-down.
-
Click Clients in the left navigation menu. A list of clients populates the main pane.
-
Select the client you just created.
This example uses https://hypr-rs.beyondtrustcloud.com.
-
A set of tabs displays for the client properties:
- Settings
- Keys
- Credentials
- Roles
- Client scopes
- Sessions
- Advanced
The following sections describe each tab and the subsections therein.
General settings
| Field | Value |
|---|---|
| Client ID | The Client ID defined at creation. [https://hypr-rs.beyondtrustcloud.com] |
| Name | The Name defined at creation. [BeyondTrustSRAClient] |
| Description | An optional field for additional information. |
| Always display in UI | Off |
Access settings
Leave all the fields blank except for Valid redirect URIs.
| Field | Value |
|---|---|
| Valid redirect URIs | https://hypr-rs.beyondtrustcloud.com/saml/sso |
SAML capabilities
| Field | Value |
|---|---|
| Name ID format | persistent |
| Force name ID format | On |
| Force POST binding | On |
| Force artifact binding | Off |
| Include AuthnStatement | On |
| Include OneTimeUse Condition | Off |
| Optimize REDIRECT signing key lookup | Off |
Signature and encryption
| Field | Value |
|---|---|
| Sign documents | On |
| Sign assertions | On |
| Signature algorithm | RSA_SHA256 |
| SAML signature key name | CERT_SUBJECT |
| Canonicalization method | EXCLUSIVE |
Login settings
| Field | Value |
|---|---|
| Login theme | Choose… (Leave unchosen) |
| Consent required | Off |
| Display client on screen | Off |
| Client consent screen text | (Leave blank) |
Logout settings
| Field | Value |
|---|---|
| Front channel logout | On |
Keys
No configuration changes are needed in this section.
Credentials
No configuration changes are needed in this section.
Roles
No configuration changes are needed in this section.
Client scopes
Attribute mappings must be added here.
-
Click the URL in the Assigned client scope column to open the Mappers dialog.
-
Click Add mapper and complete the User Attribute properties for LastName.
-
Click Save when finished adding LastName.
-
In addition to configuring a mapping for LastName, configure mappings for each of the following:
- FirstName
- Username
Each of the mappers follows the same pattern shown in the following table; note the case sensitivity.
| Field | Value |
|---|---|
| Mapper type | User Attribute |
| Name | LastName [FirstName / Email / Username] |
| User Attribute | lastName [firstName / email / username] |
| Friendly Name | LastName [FirstName / Email / Username] |
| SAML Attribute Name | LastName [FirstName / Email / Username] |
| SAML Attribute NameFormat | Basic |
| Aggregate attribute values | Off |
- Additionally, Groups must be configured as a Group list.
| Field | Value |
|---|---|
| Mapper type | Group list |
| Name | Groups |
| Group attribute name | Groups |
| Friendly Name | Groups |
| SAML Attribute NameFormat | Basic |
| Single Group Attribute | Off |
| Full group path | Off |
Sessions
No configuration changes are needed in this section.
Advanced
| Field | Value |
|---|---|
| Browser Flow | HYPR |
Click Save when you are finished making changes.
Log in to Remote Support with HYPR
Note
Make sure to install the HYPR Mobile App on your mobile device before proceeding.
- Open the SAML Kickoff URL: https://.beyondtrustcloud.com/login
- Launch the Secure Remote Access login.
- Under the Username and Password fields, click Use SAML Authentication.
- Enter your username in the HYPR login page, then click Sign In.
- Complete the login using your HYPR Mobile App.
- You will receive a push notification on the HYPR Mobile App. Click Login. The HYPR Mobile App will verify your identity (with FaceID, TouchID, etc.); follow its prompts to complete ID verification on the mobile device.
- You are now logged into Secure Remote Access.
Updated 5 days ago