BeyondTrust Password Safe - SAML My Page SSO Configuration – RSA Ready Implementation Guide
4 months ago

This article describes how to integrate Cloud Access Service (CAS) with BeyondTrust Password Safe using SAML My Page SSO.

     
Configure CAS

Perform these steps to configure CAS using SAML My Page SSO.

Procedure

  1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Click Create from Template, and then click Select next to SAML Direct.
  3. On the Basic Information page, choose Cloud.
  4. Enter the name for the application and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Scroll down to the Service Provider section, enter the following details (in the specified format) that will be provided during the BeyondTrust Password Safe configuration. 
    1. Assertion Consumer Service (ACS) URL: https://<beyondinsight-domain-name>.com/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx
    2. Service Provider Entity ID: https://< beyondinsight-domain-name>/eEye.RetinaCSSAML
  7. Make a note of the Identity Provider URL that is available under Identity Provider. This value is required later in the BeyondTrust configuration.
  8. Under the Message Protection section, choose IdP signs assertion within response.
  9. Click Download Certificate to download the certificate, which will be required for the BeyondTrust Password Safe configuration.
  10. Under the User Identity section, select the following values:
    1. Identifier Type: emailAddress
    2. Property: mail

  11. Under the Statement Attributes section, add the following attributes as shown in the screenshot, which the IdP must provide in the assertion:
    1. Group: This must match the group created in BeyondInsight or imported from Active Directory/LDAP.
    2. Name: UPN, username, or EmailAddress formats are acceptable.
    3. Email
    4. Surname
    5. GivenName

  12. Click Next Step.
  13. On the User Access page, choose the access policy you want to use to determine which users can access the application, and then click Next Step.
  14. On the Portal Display page, configure the portal display and other settings.
  15. Click Next Step.
  16. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle button disabled as it is, and then click Save and Finish.
  17. Click Publish Changes and wait for the operation to be completed.

    After publishing, the application is enabled for SSO.

  

Configure BeyondTrust Password Safe

Perform these steps to configure the BeyondTrust Password Safe.
Procedure

  1. Log in to BeyondInsight, the central management platform for most BeyondTrust solutions.
  2. In the left pane, click the Configuration icon.
  3. Under Authentication Management, click SAML Configuration.
  4. In the SAML Identity Providers pane, click Create New SAML Identity Provider +.
  5. Provide a name for the new SAML identity provider (IdP).
  6. Provide the following details in the Identity Provider Settings:
    1. Select the Default Identity Provider checkbox if you have more than one Identity Provider configured for the same Service Provider and you want this IdP to be used as the default.
    2. Identifier: Enter the Identity Provider URL copied from the CAS configuration.
    3. Single Sign-on Service URL: Enter the Identity Provider URL copied from the CAS configuration.
    4. SSO URL Protocol Binding: Select HTTP Post as the type.
    5. Encryption and Signing Configuration: Select the applicable checkboxes to enable options, as required by your service provider.
    6. Signature Method: Select the method, as is required by your IdP, in the drop-down list. The Want Assertion Signed checkbox was selected as shown in the screenshot.
    7. Current Identity Provider Certificate: Upload the identity provider certificate downloaded during CAS configuration.
    8. User Mapping: Select the type of user account as None.
    9. The following Service Provider Settings are auto-generated by BeyondInsight:
      1. Entity ID: This is the fully qualified domain name, followed by the file name: https://<beyondinsight-domain-name>/eEye.RetinaCSSAML/ this will be used as the Service Provider Entity ID in the CAS configuration.
      2. Assertion Consumer Service URL: The HTTPS endpoint on the service provider where the identity provider redirects to with its authentication response. This will be used as the Assertion Consumer Service (ACS) URL in the CAS configuration.
  7. Click Create SAML Identity Provider.
  8. Navigate to Configuration > User Management under Role Based Access.
  9. To enable Password Safe, select the required group from the list, click the three dots next to it, and choose View Group Details.
  10. Click Smart Groups, and then select All Smart Groups to choose the required Smart Group permissions.
  11. Select the checkbox next to the Smart Group where Password Safe should be enabled, and then click Assign Permissions
  12. Choose either Assign Permissions Read Only or Assign Permissions Full Control.
  13. Once enabled, click the three dots next to it and select Edit Password Safe Roles.
  14. Choose the required Password Safe roles for the selected user group, and then click Save Roles.

The configuration is complete.

Related Articles

Trending Articles

Don't see what you're looking for?