BeyondTrust Password Safe - SAML Relying Party Configuration – RSA Ready Implementation Guide
This article describes how to integrate Cloud Access Service (CAS) with BeyondTrust Password Safe using SAML Relying Party.

Configure CAS 

Perform these steps to configure CAS using SAML Relying Party.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter the name for the application in the Name field and click Next Step.
  6. On the Authentication page, choose RSA manages all authentication.
  7. In the 2.0 Access Policy for Authentication drop-down list, select a policy that was previously configured, and then click Next Step.
  8. Scroll down to the Service Provider section and enter the following details in the format shown; BeyondInsight generates both values during the BeyondTrust Password Safe configuration.
    1. Assertion Consumer Service (ACS) URL: https://<beyondinsight-domain-name>.com/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx
    2. Service Provider Entity ID: https://<beyondinsight-domain-name>/eEye.RetinaCSSAML
  9. Under the Message Protection section, choose IdP signs assertion within response.
  10. Click Download Certificate to download the certificate, which is required for the BeyondTrust Password Safe configuration.
  11. Under the User Identity section, select the following values:
    1. Identifier Type: Email Address
    2. Property: mail

  12. Under the Statement Attributes section, add the following attributes as shown in the screenshot, which the IdP must provide in the assertion:
    1. Group: This must match the group created in BeyondInsight or imported from Active Directory/LDAP.
    2. Name: UPN, username, or EmailAddress formats are acceptable.
    3. Email
    4. Surname
    5. GivenName
  13. Make note of the Entity ID under the Identity Provider section, as this value will be required later in the BeyondTrust configuration. You can enter any identifier in the Discriminator field—it will be appended to the Entity ID URL to ensure the Entity ID is unique to the Service Provider.
  14. Click Save and Finish.
  15. Click Publish Changes and wait for the operation to be completed.

    After publishing, your application is enabled for SSO.

Configure BeyondTrust Password Safe

Perform these steps to configure BeyondTrust Password Safe.

Procedure

  1. Log in to BeyondInsight, the central management platform for most BeyondTrust solutions.
  2. In the left pane, click the Configuration icon.
  3. Under Authentication Management, click SAML Configuration.
  4. In the SAML Identity Providers pane, click Create New SAML Identity Provider +.
  5. Provide a name for the new SAML identity provider (IdP).
  6. Provide the following details in the Identity Provider Settings:
    1. Select the Default Identity Provider checkbox if you have more than one Identity Provider configured for the same Service Provider and you want this IdP to be used as the default.
    2. Identifier: Enter the Identity Provider URL copied from the CAS configuration.
    3. Single Sign-on Service URL: Enter the Identity Provider URL copied from the CAS configuration.
    4. SSO URL Protocol Binding: Select HTTP Post as the type.
    5. Encryption and Signing Configuration: Select the applicable checkboxes to enable options, as required by your service provider.
    6. Signature Method: Select the method required by your IdP from the drop-down list. The Want Assertion Signed checkbox was selected as shown in the screenshot.
    7. Current Identity Provider Certificate: Upload the identity provider certificate downloaded during CAS configuration.
    8. User Mapping: Select None as the user account type.
    9. The following Service Provider Settings are auto-generated by BeyondInsight:
      1. Entity ID: This is the fully qualified domain name followed by the file name, https://<beyondinsight-domain-name>/eEye.RetinaCSSAML/. This value is used as the Service Provider Entity ID in the CAS configuration.
      2. Assertion Consumer Service URL: The HTTPS endpoint on the service provider where the identity provider redirects to with its authentication response. This will be used as the Assertion Consumer Service (ACS) URL in the CAS configuration.
  7. Click Create SAML Identity Provider.
  8. Navigate to Configuration > User Management under Role Based Access.
  9. To enable Password Safe, select the required group from the list, click the three dots next to it, and choose View Group Details.
  10. Click Smart Groups, and then select All Smart Groups to choose the required Smart Group permissions.
  11. Select the checkbox next to the Smart Group where Password Safe should be enabled, and then click Assign Permissions.
  12. Choose either Assign Permissions Read Only or Assign Permissions Full Control.
  13. Once enabled, click the three dots next to it and select Edit Password Safe Roles.
  14. Choose the required Password Safe roles for the selected user group, and then click Save Roles.

The configuration is complete.
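Once both procedures are done, the quickest way to confirm that the IdP and SP settings line up is to inspect a real SAML response (the base64-decoded SAMLResponse form field captured from the browser during a login) and check the properties the two procedures above depend on: the assertion is signed inside the response (step 9 of the CAS procedure and Want Assertion Signed on the BeyondInsight side), the Issuer equals the CAS Identity Provider Entity ID (step 13), the Audience equals the BeyondInsight Service Provider Entity ID, the Recipient equals the ACS URL, the NameID is an email address (step 11), and the Group, Name, Email, Surname and GivenName statement attributes are present (step 12). The script below is an added example and not RSA or BeyondTrust code; the entity IDs, ACS URL, user and group names in it are constructed placeholders, and the embedded response is a constructed sample with a placeholder signature value, so it checks the structure the guide asks for but does not validate the XML signature cryptographically.

```python
"""Structural sanity check of a SAML 2.0 response against the settings in this guide.

Added example, not vendor code. All URLs and names below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Statement attributes the CAS procedure (step 12) tells the IdP to send.
REQUIRED_ATTRIBUTES = ("Group", "Name", "Email", "Surname", "GivenName")

# Constructed placeholders standing in for the values noted during configuration.
IDP_ENTITY_ID = "https://idp.example.com/cas/IdP-placeholder"
SP_ENTITY_ID = "https://beyondinsight.example.com/eEye.RetinaCSSAML"
ACS_URL = "https://beyondinsight.example.com/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx"

# Constructed sample response (signature value is a placeholder, not a real signature).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group"><saml:AttributeValue>PasswordSafeUsers</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="GivenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, idp_entity_id, sp_entity_id, acs_url):
    """Return a list of findings; an empty list means every structural check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain saml:Assertion inside the response (missing or encrypted)"]

    # "IdP signs assertion within response": the ds:Signature must sit directly
    # under the Assertion, not only under the outer Response element.
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        findings.append(f"issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != sp_entity_id:
        findings.append(f"audience {audience!r} != SP Entity ID {sp_entity_id!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != acs_url:
        findings.append(f"recipient {recipient!r} != ACS URL {acs_url!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if fmt != EMAIL_NAMEID:
        findings.append(f"NameID format {fmt!r} is not the email address format")

    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for attr in REQUIRED_ATTRIBUTES:
        if attr not in present:
            findings.append(f"missing statement attribute {attr}")
    return findings


if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL) or ["all checks passed"]:
        print(finding)
```

To use it against a real login, replace the three constants with the Entity ID noted in step 13 of the CAS procedure and the Service Provider Entity ID and ACS URL shown by BeyondInsight, and pass the decoded SAMLResponse to check_saml_response. A non-empty list points at the setting that is mismatched; an empty list only says the structure is right, since the signature itself is verified by BeyondInsight against the certificate uploaded in step 6.7.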