
Entra ID (SAML)

Microsoft Entra ID (formerly Azure AD) is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against a wide range of cybersecurity attacks.

A BeyondTrust app, available in Microsoft Entra ID App Gallery, provides Single Sign-On and provisioning via SAML. This app supports Remote Support and public portals, Privileged Remote Access, Password Safe, and Password Safe Cloud.

Install and configure Entra ID app

Follow the steps below to install and configure this app.

  1. Locate the BeyondTrust SAML app in Microsoft Entra ID Gallery.

  2. Change the name to your preferred descriptive name, for example, BeyondTrust SAML – Remote Support. Screenshots below use BeyondTrust Privileged Remote Access as the descriptive name; however, the process is the same for either application.

Note: While a single instance of the app can service multiple BeyondTrust products simultaneously, we recommend creating a separate app instance for Password Safe, if you are using that product.

  3. Click Create.
  4. Information about the BeyondTrust SAML app displays when creation is completed.
  5. Click Set up single sign on under Getting Started.
  6. Configure Basic SAML Configuration to match your Remote Support instance. The Entity IDs are specific to the instances for each product.
  7. Change the Unique Identifier (Name ID) to the Persistent format.
  8. Configure Attributes & Claims sources and values as shown in the table below, then add a group claim as shown in the image below:

| Source      | Value              |
|-------------|--------------------|
| Username    | user.principalname |
| FirstName   | user.givenname     |
| LastName    | user.surname       |
| Email       | user.email         |
| Group Claim | Group ID           |

Note: The group claim must be configured to use only groups assigned to the application, to prevent errors that may occur if a user belongs to more than 150 AD groups. For more information, please see Configure group claims for applications by using Microsoft Entra ID.

  9. Click Edit on the SAML certificates section.
  10. For Signing Option, select Sign SAML response and assertion.
  11. Download the Federation Metadata XML.

Configure Remote Support

Once the app has been configured, follow these steps to add the provider to Remote Support:

  1. Log in to Remote Support.

  2. Navigate to Users & Security > Security Providers.

  3. Click +ADD.

  4. Select SAML For Representatives or SAML for Public Portals. Steps below are shown for SAML For Representatives. The process is similar for public portals.

  5. Upload the Identity Provider metadata downloaded from the Microsoft Entra ID App.

  6. Verify that User Attribute Settings match the Claims in Microsoft Entra ID App.

  7. Configure Authorization Settings to match Microsoft Entra ID Groups and assign a default Group Policy.
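After a test sign-in, the settings chosen above (Sign SAML response and assertion, Persistent Name ID, and the claim names from the table) can be checked against a decoded SAML response. The following is an added example, not BeyondTrust or Microsoft code. The group claim name is an assumption (Entra ID's default), `audit_response` and `build_sample` are hypothetical helper names, and the sample response is constructed with placeholder values. The check is structural only and does not validate the signatures cryptographically.

```python
import xml.etree.ElementTree as ET  # for XML you do not trust, use a hardened parser

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Claim names from the table above; the group claim name is an assumption
# (Entra ID's default), adjust it if you customized the claim name.
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EXPECTED = ["Username", "FirstName", "LastName", "Email", GROUPS]

def audit_response(xml_text):
    """Return a list of findings; an empty list means the structure matches."""
    findings = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if resp.find("ds:Signature", NS) is None:      # direct child of Response
        findings.append("Response is not signed")
    if assertion is None:
        return findings + ["no plaintext Assertion found"]
    if assertion.find("ds:Signature", NS) is None:  # direct child of Assertion
        findings.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not persistent")
    present = {a.get("Name") for a in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute", NS)}
    findings += [f"missing claim: {c}" for c in EXPECTED if c not in present]
    return findings

def build_sample(sign_response=True, nameid_format=PERSISTENT, claims=EXPECTED):
    """Constructed sample response (placeholder values, empty signatures)."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    attrs = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>x'
                    '</saml:AttributeValue></saml:Attribute>' % c for c in claims)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s'
            '<saml:Assertion>%s<saml:Subject><saml:NameID Format="%s">'
            'placeholder-id</saml:NameID></saml:Subject>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig if sign_response else "",
               sig, nameid_format, attrs))

if __name__ == "__main__":
    print(audit_response(build_sample()) or "OK")
    print(audit_response(build_sample(sign_response=False, claims=EXPECTED[:3])))
```

To use it on a real response, base64-decode the `SAMLResponse` form field captured during a test sign-in and pass the resulting XML to `audit_response`.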

For assistance, log into the Customer Portal to chat with BeyondTrust Technical Support.

