BeyondTrust Password Safe SAML (IdP-initiated) integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
Arculix by SecureAuth allows BeyondTrust customers to securely enable efficient access to Privileged Credentials and Sessions managed by Password Safe, while providing a flexible and frictionless user experience.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative privileges for BeyondTrust Password Safe.
BeyondTrust Password Safe configuration
In this section, you'll configure BeyondTrust as a service provider (SP).
Download the SAML metadata and certificate for your organization from Arculix.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadataView metadata:
https://sso.acceptto.com/<myorganization>/saml/metadataCertificate download:
https://sso.acceptto.com/<myorganization>/saml/download/certLog in to your BeyondTrust Password Safe instance and go to Configuration > SAML Configuration > Create New SAML Identity Provider.
Set the following configurations.
Name
Enter a name for this SAML identity provider.
For example, Arculix.
Identifier
Enter the SAML identifier of your Arculix instance.
For example,
https://sso.acceptto.com/<organization>/samlSingle Sign-on Service URL
Enter the single sign-on URL from the Arculix metadata.
For example,
https://sso.acceptto.com/<organization>/saml/authEncryption and Signing Configuration
Select the applicable check boxes as needed for your configuration in Arculix.
In the Current Identity Provider Certificate section, upload the Arculix certificate obtained from Arculix.
In the Service Provider Settings section, copy the Entity ID and Assertion Consumer Service URL.
You will need these values for the Arculix side of the configuration.
In Password Safe, on the Groups page, create a new Local Group and do the following:
Assign one or more Managed Account Smart Groups with Read only permissions.
Note: Managed Account Smart Groups are groups of Privileged Accounts that Group members can access for Credential or Session Check-Out.
Assign one or more Password Safe Roles.
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for BeyondTrust Password Safe and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, BeyondTrust Password Safe.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
IdP Initiated
Select this check box to start the BeyondTrust application login in the Arculix SSO portal.
Issuer or Entity ID
Enter the Entity ID URL provided in the BeyondTrust SAML metadata.
This is the URL you copied earlier in the BeyondTrust configuration from the Service Provider Settings section in Step 5.
NameID Format
Set to Persistent.
Name Identifier
Set to Email.
ACS URL
Enter the Assertion Consumer Service URL provided in the BeyondTrust Password Safe SAML metadata.
This is the URL you copied earlier in the BeyondTrust configuration from the Service Provider Settings section in Step 5.
Scroll down to the bottom of the page, then click Add New Attribute Assertion and populate the fields like the table below:
Friendly Name
Name
Value
Name Format
Name
Name
mail
unspecified
Group
Group
memberOf
unspecified
Phone
phone
telephoneNumber
unspecified
email
EmailAddress
mail
unspecified
Surname
Surname
sn
unspecified
GivenName
GivenName
givenName
unspecified
Select the SAML IdP Settings tab and download the SAML certificate for your organization.
Save your changes.
Test your application integration
Go to the Arculix SSO login page for your organization and log in.
For example,
sso.acceptto.com/<myorganization>
The Arculix SSO portal similar to the following example displays. Click the BeyondTrust Password Safe application.
You will be redirected and logged in to BeyondTrust.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.