BeyondTrust 24.2 Beyond Insight and Password Safe User Guide

24.2 Beyond Insight and Password Safe

Product Information

Specifications

  • Product: BeyondInsight and Password Safe 24.2
  • Authentication Methods:
    • Two-factor using a RADIUS server
    • SecureAuth using RADIUS
    • Two-factor using TOTP
    • Passwordless Authentication
    • Smart card
    • Claims-aware website
    • SAML Identity Provider
    • SAML with Entra ID App
    • Active Directory Federation Services (AD FS) SAML
    • Okta SAML
    • Ping Identity SAML
    • PingOne SAML
  • TC: 12/31/2024

Product Usage Instructions

Configure RADIUS Two-Factor Authentication

You can configure two-factor authentication using a RADIUS
server to log in to the BeyondInsight management console, Analytics
& Reporting, and Password Safe.

Configure the RADIUS Server

  1. From the left sidebar, click Configuration.
  2. Under Authentication Management, click Radius two-factor
    authentication.
  3. Click Create New RADIUS Alias.
  4. Set the following:
    • Alias: Provide a name used to represent the
      RADIUS server instance. This is displayed in the RADIUS server grid
      and must be unique.
    • Filter: Select a filter that will be used to
      determine if this RADIUS server instance should be used. If you
      select one of the domain filters, you must enter a Value.
    • Value: If one of the domain filters is
      selected, enter a value that will identify the domain. Enter a
      domain or comma-separated list of domains, depending on the setting
      selected for the filter.
    • Host: Enter the DNS name or the IP address for
      your RADIUS server.
    • Resource Zone: Select a Resource Zone to send
      RADIUS requests through.
    • Authentication Mechanism: Select PAP, or
      MSCHAPv2 if applicable.
    • Authentication Port: Enter the listening port
      that is configured on your RADIUS server to receive authentication
      requests. The default port is 1812.
    • Authentication Request Timeout: Enter the time
      in seconds that you want BeyondInsight to wait for a response from
      the RADIUS server before the request times out. The default value
      is ten seconds.
    • Shared Secret: Enter the shared secret that is
      configured on your RADIUS server.
    • Initial Request: Provide the value passed to
      the RADIUS server on the first authentication request.
    • Prompt: Provide the first message that
      displays to the user when they log in to the application.
    • Transmit NAS Identifiers: Enable this option
      if it is applicable to your environment.

Frequently Asked Questions (FAQ)

Q: What are the supported authentication methods for
BeyondInsight and Password Safe 24.2?

A: The supported authentication methods include two-factor using
a RADIUS server, SecureAuth using RADIUS, Two-factor using TOTP,
Passwordless Authentication, Smart card, Claims-aware website, SAML
Identity Provider, SAML with Entra ID App, Active Directory
Federation Services (AD FS) SAML, Okta SAML, Ping Identity SAML,
and PingOne SAML.


BEYONDINSIGHT AND PASSWORD SAFE 24.2 AUTHENTICATION GUIDE
Authentication for BeyondInsight and Password Safe
BeyondInsight and Password Safe support BeyondInsight user account authentication, as well as multi-factor authentication, smart card authentication, and third-party authentication for web tools supporting the SAML 2.0 standard. BeyondInsight provides authentication for user accounts found in the BeyondInsight database. You can create BeyondInsight local accounts and groups, and you can add Active Directory, Entra ID, and LDAP users and groups into BeyondInsight. You can apply BeyondInsight authentication to any of these accounts. See Role-based access in BeyondInsight to learn more. Learn how to configure authentication methods such as:
• Two-factor using a RADIUS server
• SecureAuth using RADIUS
• Two-factor using TOTP
• Passwordless Authentication
• Smart card
• Claims-aware website
• SAML Identity Provider
• SAML with Entra ID App
• Active Directory Federation Services (AD FS) SAML
• Okta SAML
• Ping Identity SAML
• PingOne SAML

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs ©2003-2024 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

1 TC: 12/31/2024

Configure RADIUS two-factor authentication
You can configure two-factor authentication using a RADIUS server to log in to the BeyondInsight management console, Analytics & Reporting, and Password Safe.
In BeyondInsight, you must first configure the alias to represent the RADIUS server instance, and then select two-factor authentication settings for the user.
After you set up RADIUS two-factor authentication, users must log in to BeyondInsight or Password Safe using the configured two-factor authentication method.
Configure the RADIUS server
To configure the RADIUS server instance for two-factor authentication in BeyondInsight, follow the below steps.
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Radius two-factor authentication.
3. Click Create New RADIUS Alias.
4. Set the following:
   • Alias: Provide a name used to represent the RADIUS server instance. This is displayed in the RADIUS server grid and must be unique.
   • Filter: Select a filter that will be used to determine if this RADIUS server instance should be used. If you select one of the domain filters, you must enter a Value.
   • Value: If one of the domain filters is selected, enter a value that will identify the domain. Enter a domain or comma-separated list of domains, depending on the setting selected for the filter.
   • Host: Enter the DNS name or the IP address for your RADIUS server.
   • Resource Zone: Select a Resource Zone to send RADIUS requests through. Traffic proxies through the Resource Broker and on to the on-prem RADIUS server.
   • Authentication Mechanism: Select PAP, or MSCHAPv2 if applicable. MSCHAPv2 is supported only if the Duo proxy is configured to use a RADIUS client.
   • Authentication Port: Enter the listening port that is configured on your RADIUS server to receive authentication requests. The default port is 1812.
   • Authentication Request Timeout: Enter the time in seconds that you want BeyondInsight to wait for a response from the RADIUS server before the request times out. The default value is ten seconds.
   • Shared Secret: Enter the shared secret that is configured on your RADIUS server.
   • Initial Request: Provide the value passed to the RADIUS server on the first authentication request. Select from the following: Forward User Name (default), Forward User Name and Password, Forward User Name and Token.
   • Prompt: Provide the first message that displays to the user when they log in to the application. This setting is available only when Forward User Name and Token is selected as the initial request value.
   • Transmit NAS Identifiers: Enable this option if it is applicable to your environment. When this option is enabled, NAS identifiers are transmitted to permit access. In some cases, a RADIUS server does not permit access if NAS identifiers are not transmitted. BeyondInsight transmits its NAS IP Address and its NAS Identifier.
5. Click Create New RADIUS Alias.

Note: If a Resource Zone is selected, traffic is routed over a Resource Broker. If no Resource Zone is selected, traffic is routed directly from the cloud.
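The following is an added illustration, not BeyondTrust's code, of what the alias settings above control on the wire: it builds an RFC 2865 Access-Request as a client using PAP, the Forward User Name and Password initial request, a shared secret, and the NAS-IP-Address and NAS-Identifier attributes that Transmit NAS Identifiers adds; it then recovers the password as the server would and checks the reply's Response Authenticator. The shared secret, user name, NAS address and NAS identifier are constructed placeholders.

```python
"""Constructed example, not BeyondInsight code: an RFC 2865 Access-Request
built from the alias settings above (PAP, port 1812, shared secret, NAS
identifiers) and the check a RADIUS client applies to the reply.
The secret, user, NAS address and identifier are all made-up placeholders."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional

# RADIUS packet codes and the attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 2, 4, 32

# Constructed alias settings (placeholders)
SHARED_SECRET = b"constructed-shared-secret"   # the alias's Shared Secret
AUTH_PORT = 1812                               # default Authentication Port
NAS_IP = "10.0.0.5"                            # NAS IP Address sent with Transmit NAS Identifiers
NAS_IDENTIFIER = "beyondinsight-example"       # NAS Identifier sent with Transmit NAS Identifiers


def pap_obfuscate(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block); the first "previous block" is the
    Request Authenticator. This is keyed only by the shared secret, so the
    secret's strength and the trust of the path are what protect the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_recover(ciphertext: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate, as the RADIUS server performs it."""
    out, prev = b"", request_authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes = SHARED_SECRET,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request for the Forward User Name and Password initial request,
    carrying NAS-IP-Address and NAS-Identifier as Transmit NAS Identifiers
    would. The shared secret itself is never placed in the packet."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         pap_obfuscate(password.encode(), secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
             + attribute(ATTR_NAS_IDENTIFIER, NAS_IDENTIFIER.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV list; a bad Length is a malformed packet, not something to skip."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def build_reply(code: int, request: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret). This reply carries no attributes."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Client side: recompute the Response Authenticator before acting on the
    Code byte. Without this check an Access-Accept could be injected by anyone
    able to send UDP to the client; with it, forging one requires the secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Two points from the code bear on the settings above. The PAP User-Password obfuscation is keyed only by the Shared Secret, so the secret should be long and random and the path to the server (direct, or via the Resource Broker when a Resource Zone is selected) should be one you trust. The Response Authenticator check is what prevents an Access-Accept being injected by anything that can reach the client's UDP port, which is why a RADIUS client must verify it rather than act on the Code byte alone.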
Configure RADIUS two-factor authentication using Duo
This section is a high-level overview on the configuration required for BeyondInsight and Password Safe to work with a RADIUS infrastructure using Duo. BeyondInsight and Password Safe can work with the following Duo configurations:
• RADIUS Auto
• RADIUS Challenge
• RADIUS Duo only
Configure two-factor for RADIUS Auto and RADIUS Challenge using Duo
Follow the steps outlined above in “Configure the RADIUS server” on page 2, using the following settings:
• For Alias, enter Duo.
• For Authentication Mechanism, select PAP.
• For Initial Request, select Forward User Name and Password.

Configure two-factor for a RADIUS Duo-only configuration
Follow the steps outlined above in “Configure the RADIUS server” on page 2, using the following settings:
• For Alias, enter Duo.
• For Authentication Mechanism, select PAP.
• For Initial Request, select Forward User Name and Token.
• For Initial Prompt, enter a message to display on the BeyondInsight login page to provide guidance to users on the information to enter. In this case, the user must enter the RADIUS code.

Example: Duo-Only Login Page After RADIUS two-factor authentication is configured, the login page for the end user varies, depending on the configured settings. The screenshot shows a login page configured for Duo-only authentication. The user can enter a passcode to log in or select a device to send a code to. The user then enters the code on the login page.
Configure alternate directory attribute for RADIUS
To configure an alternate directory attribute for Active Directory and LDAP users for RADIUS authentication, follow the below steps.
Note: This setting is optional.
1. In BeyondInsight, navigate to Configuration > Authentication Management > Authentication Options.
2. Under RADIUS Two-Factor Authentication, set the following:
   • Alternate directory attribute: Enter the Active Directory or LDAP attribute that is matched on the RADIUS server to identify the user account. This can be any attribute in Active Directory or LDAP. The default value is extensionName.

   • Enable for new directory accounts: Click the toggle to enable this attribute for new accounts when they are discovered.
3. Click Update RADIUS Two-Factor Authentication Options.
Apply RADIUS two-factor authentication to user accounts
The type of two-factor authentication can be set on a user account when a new user is created or when editing an existing user account. You can enable RADIUS two-factor authentication for all new users from Authentication Options > RADIUS Two-Factor Authentication settings, as indicated in the above section.
1. In BeyondInsight, navigate to Configuration > Role Based Access > User Management > Users.
2. To create a new user, click Create New User. To edit an existing user, click the vertical ellipsis for the account and select Edit User Details.

3. At the bottom of the user account settings, select RADIUS from the Two Factor Authentication list.


Using multiple RADIUS servers
If you have multiple RADIUS servers, they are processed from the lowest priority to highest. The DUO server is first. If BeyondInsight connects to that server, no other servers are checked.
If BeyondInsight cannot connect to the first server (DUO), then a connection is attempted with the next server (DUO2) in the list (the next highest priority number). Each server is checked until a connection is made or all servers available have been tried.
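The ordering described above, written out as an added example so the failover rule is explicit; this is not BeyondInsight's implementation. Aliases, hosts and the fake transport are constructed. It follows the text literally: servers are tried from the lowest priority number upward, only a failed connection moves on to the next server, and any answer from a reachable server, accept or reject, ends the search.

```python
"""Constructed example of the multi-server RADIUS ordering described above.
Not BeyondInsight code; aliases, hosts and the fake transport are made up."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


@dataclass(frozen=True)
class RadiusAlias:
    alias: str
    host: str
    priority: int            # lower number is tried first
    port: int = 1812         # Authentication Port
    timeout: float = 10.0    # Authentication Request Timeout, in seconds


class RadiusUnreachable(Exception):
    """No configured server answered within its timeout."""


def udp_exchange(server: RadiusAlias, packet: bytes) -> bytes:
    """Real transport: one datagram, then wait at most server.timeout for the
    reply. The examples below substitute fake_transport for it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(server.timeout)
        sock.sendto(packet, (server.host, server.port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout as exc:
            raise TimeoutError(f"{server.alias}: no reply within {server.timeout}s") from exc
    return reply


def authenticate_with_failover(servers: List[RadiusAlias], packet: bytes,
                               exchange: Callable[[RadiusAlias, bytes], bytes],
                               attempted: Optional[List[str]] = None) -> Tuple[str, int]:
    """Try servers in priority order. Only a transport failure (timeout or
    connection error) moves to the next server; an answer from a reachable
    server, Access-Accept or Access-Reject, is final. A reject is deliberately
    not retried elsewhere: that would let a second server overrule the first."""
    attempted = attempted if attempted is not None else []
    for server in sorted(servers, key=lambda s: s.priority):
        attempted.append(server.alias)
        try:
            reply = exchange(server, packet)
        except (TimeoutError, OSError):
            continue
        return server.alias, reply[0]      # reply[0] is the RADIUS Code byte
    raise RadiusUnreachable(f"all servers failed: {attempted}")


def fake_transport(outcomes: dict) -> Callable[[RadiusAlias, bytes], bytes]:
    """Constructed stand-in for udp_exchange: outcomes maps an alias to either
    a RADIUS reply code or an exception class to raise."""
    def exchange(server: RadiusAlias, packet: bytes) -> bytes:
        outcome = outcomes[server.alias]
        if isinstance(outcome, type) and issubclass(outcome, Exception):
            raise outcome(server.alias)
        return bytes([outcome, packet[1], 0, 20]) + b"\x00" * 16   # minimal 20-byte reply
    return exchange


# Constructed aliases, listed out of order to show that priority, not list order, decides
SERVERS = [
    RadiusAlias("DUO2", "radius2.example.internal", priority=2),
    RadiusAlias("DUO", "radius1.example.internal", priority=1),
]
EXAMPLE_REQUEST = b"\x01\x07\x00\x14" + b"\x00" * 16   # placeholder Access-Request header


def demo() -> Tuple[Tuple[str, int], List[str]]:
    """DUO times out, DUO2 accepts: the result names DUO2 and both were tried."""
    attempted: List[str] = []
    result = authenticate_with_failover(
        SERVERS, EXAMPLE_REQUEST,
        fake_transport({"DUO": TimeoutError, "DUO2": ACCESS_ACCEPT}), attempted)
    return result, attempted
```

The timeout per alias is the Authentication Request Timeout from the alias settings; with several aliases the worst-case login delay is the sum of those timeouts, which is worth keeping in mind when raising the value (as the SecureAuth section below does for push).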

Configure SecureAuth using RADIUS
Use the following procedures to configure SecureAuth two-factor authentication with Password Safe and RADIUS.
1. Install the SecureAuth app on a mobile device and click the bar code to scan.
2. In the BeyondInsight Console, perform the following:
   • Configure RADIUS, ensuring UDP port 1812 is open for the SecureAuth instance.
   • Create a group with role access for managed accounts.
   • Create a user. The user must also be a user in the SecureAuth system.
   • Enable two-factor authentication for the user. Map the user to the account name in SecureAuth.
Test the configuration
1. Log in to the Password Safe web portal using the user account that you created.
2. Enter 1 to receive the passcode in a text message.
3. Retrieve the passcode from your mobile device.
4. Enter the passcode on the Password Safe web portal login page, and then click Login.
5. Test other login methods.
Note: For the push method (4), increase the timeout to 30 seconds.

Create and edit directory credentials
A directory credential is required for querying Active Directory (AD), Entra ID, and LDAP. It is also required for adding AD, Entra ID, and LDAP groups and users in BeyondInsight. Follow the steps below for creating each type of directory credential.
Note: Before you can create an Entra ID credential, you must first register and configure permissions for an application in the Entra ID tenant where the user credentials reside.
To create a directory credential in BeyondInsight:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click Directory Credentials.
3. Click + Create New Directory Credential.
4. Select the Directory Type and follow the steps below that are applicable for that type.

Create an Active Directory credential
1. Select Active Directory for the Directory Type.
2. Provide a name for the credential.
3. Enter the name of the domain where the directory and user credentials reside.
4. Enable the Use SSL option to use a secure connection when accessing the directory.
Note: If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
5. Enter the credentials for the account that has permissions to query the directory.
6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential can be set for group resolution per domain or server.
7. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
8. Click Create Credential.


Create an LDAP credential
1. Select LDAP for the Directory Type.
2. Provide a name for the credential.
3. Enter the name of the LDAP server where the directory and user credentials reside.
4. Enable the Use SSL option to use a secure connection when accessing the directory.
Note: If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
5. Enter the credentials for the account that has permissions to query the directory.
6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential can be set for group resolution per LDAP server.
7. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
8. Click Create Credential.


Create an Entra ID credential
1. Select Microsoft Entra ID for the Directory Type.
2. Provide a name for the credential.
3. Paste the Client ID, Tenant ID, and Client Secret that you copied when registering the application in your Entra ID tenant.
4. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential is supported per Entra ID tenant.
5. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
6. Click Save Credential.


Edit a directory credential
1. From the Directory Credentials grid, click the vertical ellipsis for the credential, and then select Edit.


2. Make the changes required.
Note: For AD or LDAP credentials, if you change the Domain or LDAP Server, enable or disable the Use SSL option, or update the Username or Bind DN, you must change the password. Click Change Password to display fields to enter and confirm the new password.
3. Click Test Credential to ensure the edited credential can successfully authenticate with the domain or domain controller before saving the credential.
4. Click Save Credential.


Note: To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.

Configure passwordless authentication
BeyondTrust supports FIDO2-certified authenticators to securely log in to BeyondInsight without entering your password. Roaming authenticators, such as YubiKeys, and platform-integrated biometric authenticators, such as Windows Hello, are supported.
Note: Passwordless authentication is available only for local BeyondInsight users. Support for Active Directory, LDAP, and Entra ID directory users is planned for a future release.
Enable passwordless authentication
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Authentication Options.
3. Under Passwordless Authentication:
   • Select the Default Authentication Method. This sets the default method displayed when logging into the console.
   • Check Enable Passwordless FIDO2 Authentication to enable it for the BeyondInsight instance.
   • Click Update Passwordless Authentication Settings to save.
Register a passwordless authenticator
1. In the top-right corner of the console, click the Profile and preferences icon.
2. Click Account Settings.

3. From the My Account panel, click Passwordless Authentication.
4. Click + Register FIDO2 Authenticator.
5. Select the type of authenticator you wish to register: Roaming or Platform.


6. Enter a unique name for your authenticator.
7. Enter your BeyondInsight account password.
8. Click Continue and follow your browser’s instructions.


View and manage passwordless authenticators for users
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click User Management.
3. Click the Column Chooser above the grid.
4. Select Passwordless FIDO2 Authenticators from the list to add that column to the grid.
5. The number of FIDO2 authenticators for each user is displayed in the column.
6. Click the vertical ellipsis for a user and select View User Details.
7. From the User Details Panel, click FIDO2 Authenticators.
8. From the FIDO2 Authenticators grid, you can see the type of authenticator for each user, along with when it was registered and last used.
9. To delete an authenticator for a user, click the vertical ellipsis for the user and click Delete.

Configure smart card authentication
Smart cards can be used for authentication when logging into BeyondInsight and Password Safe. Your network must already be configured to use smart card technology to use this feature. The instructions below are written with the understanding that you have a working knowledge of PKI, certificate-based authentication, and IIS. In BeyondInsight, you must first enable smart card two-factor authentication configuration settings, and then enable the Override Smart Card User Principal Name authentication option for the user accounts, as detailed below.
Enable smart card two-factor authentication in BeyondInsight
1. Navigate to Configuration > Authentication Management > Smart Card two-factor authentication.
2. Click the toggle to Enable Smart Cards.
3. Click the toggle to enable the Allow UPN Override On User option. This enables a BeyondInsight user with a smart card that has a different Subject Alternative Name to log into BeyondInsight and maps the smart card to the user.
4. Click Update Smart Card Authentication.

Enable override smart card user principal name on user accounts
You must enable the Override Smart Card User Principal Name setting for the user accounts that use smart cards to authenticate and provide the User Principal Name. This authentication option allows a BeyondInsight user with a smart card that has a different Subject Alternative Name to log into BeyondInsight, and maps the smart card to the user. When creating a new user or editing an existing one, set this option under Authentication Options.

Disable forms login
In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight. To disable forms login for existing users, enable this option directly on a user account as follows:
1. Click the vertical ellipsis for the user account, and then click Edit User Details.

2. Under Authentication Options, check Disable Forms Login to enable the option.
Note: Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

To disable forms login globally for newly created directory accounts:

1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Authentication Options.
3. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.
Verify the BeyondInsight server certificate
During the BeyondInsight installation, self-signed certificates are created for client and server authentication. These certificates are placed in your Personal > Certificates store and show as Issued By eEyeEmsCA. To authenticate using smart cards, the server where BeyondInsight is running also requires a certificate issued and signed by a certificate authority (CA). Verify that your BeyondInsight server has the correct certificates issued before continuing.
Verify the web server certificate
During the BeyondInsight installation, a self-signed web server certificate is created. This certificate must be replaced with a CA-issued certificate. To verify you have a CA-signed certificate issued to the web server:


1. Open IIS.
2. Select your web server.
3. Select Server Certificates.
4. Verify you have a CA-issued certificate. If you do not see one listed, request one from your certificate authority.

Update default web site bindings with CA-issued certificate
Once you have a CA-issued certificate in place, you must edit the bindings of the Default Web Site, replacing the self-signed certificate.

1. Open IIS.
2. Expand Sites, and then select Default Web Site.
3. Right-click Default Web Site, and then select Edit Bindings.
4. Select https, and then click Edit.
5. Select the issued domain certificate in the SSL certificate list, and then click OK.

Update SSL certificate in BeyondInsight configuration tool
The next step is to change the domain-issued certificate in the BeyondInsight Configuration tool.
1. Open the BeyondInsight Configuration tool. The default path is: C:\Program Files (x86)\eEye Digital Security\Retina CS\REM\EMConfig.exe.
2. Scroll to Web Service.
3. From the SSL Certificate menu, select the Domain Issued certificate.
4. Click Apply.
Log in to BeyondInsight and Password Safe using a smart card
With the correct certificates applied, you can now open the BeyondInsight Console or go to https://<servername>/RetinaCSSC, where you are prompted to select your certificate and enter your PIN. You are logged in over a secure encrypted connection.

Configure two-factor authentication settings for user accounts
Two-factor authentication can be configured for Local, Active Directory, and LDAP user accounts as follows:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click User Management.
  1. Select the Users tab.
  2. Click the vertical ellipsis for the user account.
  3. Select Edit User Details.
  4. On the Edit User page, select RADIUS from the Two Factor Authentication list.

  5. From the Map Two Factor User list, select one of the options listed. The user type selected maps to a user on the RADIUS server. The options displayed in the list change depending on the user logging in.
    • Local BeyondInsight Users options:
      • As Logged in: Use the BeyondInsight user account login.
      • Manually Specified: Enter the username the user enters when logging in.
    • Active Directory and LDAP Users options:
      • SAM Account Name: This is the default value.
      • Manually Specified: This is the username the user enters when logging in.
      • Alternate Directory Attribute: This is the Active Directory or LDAP attribute that you set above when configuring the RADIUS server.
      • Distinguished Name: This is a combination of common name and domain component.
      • User Principal Name: This is a combination of user account name (prefix) and DNS domain name (suffix), joined using the @ symbol.
  Note: The information for Active Directory and LDAP user settings is retrieved from the corresponding setting in the directory for the user account logging in.
  6. Click Update User.

Map directory credentials to a domain
Domain management allows you to map a default primary directory credential and an optional fallback credential as preferred binding credentials used for account resolution against domains in your environment when logging in to BeyondInsight.
Note: If credentials are not mapped, or both mapped credentials fail, BeyondInsight attempts login following the legacy process of not using mapped credentials.
Follow these steps to add or edit primary and secondary credentials for a domain:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click Domain Management.
3. Click Create New Domain + to create a new one.
4. Provide the name of the domain or LDAP server.
5. Select the type of platform.
6. Select a Primary Credential from the dropdown.
7. Select a Fallback Credential from the dropdown.
8. Click Create Domain.
9. To edit credentials for an existing domain, select the domain from the left pane, make your edits, and then click Save Domain.
Tip: Primary and fallback credentials can include Password Safe managed accounts.
When domain management is configured for a domain and a user selects that domain when logging in to BeyondInsight, the specified primary and fallback credentials are used to resolve their account. The credentials used for authentication are shown in the Login Details for the specific login activity on the Configuration > General > User Audits page.

Configure SAML in BeyondInsight
The following steps show how to set up BeyondInsight with a SAML generic security provider.
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click SAML Configuration.
3. From the SAML Identity Providers pane, click Create New SAML Identity Provider +.
4. Provide a name for the new SAML identity provider (IdP).
5. Complete the Identity Provider Settings as follows:
• Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP), and would like this IdP to be used as default for SP initiated logins.
  • This is useful in the case where a user accesses the SAML site access URL without providing an IdP.
  • Also, when a user clicks the Use SAML Authentication link from the BeyondInsight login page, they are redirected to the default IdP's site for authentication.
• Check Force Reauthentication to require users to authenticate with the identity provider for each BeyondInsight session. Once enabled, if BeyondInsight is logged out but the IdP still has an active session, when the user attempts to access Password Safe from a service provider initiated login, the IdP prompts the user to log in again.
• Identifier: Enter the name of the identity provider entry, normally supplied by the provider.
• Single Sign-on Service URL: Provide the SSO URL, from the provider.
• SSO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
• Single Logout Service URL: Enter the SLO URL, from the provider.
• SLO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
• Encryption and Signing Configuration: Check applicable boxes to enable options, as required by your service provider.
• Signature Method: Select the method, as is required by your IdP, from the dropdown.
• Current Identity Provider Certificate: Upload the identity provider certificate.
• User Mapping: Select the type of user account from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight User database.
  • None: This is the legacy type of mapping, which is not based on type of user.
  • Local: Select this option for local user account claims. BeyondInsight maps the user and group name.
  • Microsoft Entra ID: Select this option for Entra ID user account claims. When selected, BeyondInsight maps the ObjectID attribute to the AppUser and UserGroup attributes for the user.
  • Active Directory: Select this option for Active Directory user account claims. If the claims are configured to pass the SID of the user and group, BeyondInsight maps the SID for the user and group, which is preferred over mapping domain name and group name attributes.
6. The following Service Provider Settings are auto-generated by BeyondInsight:
• Entity ID: This is the fully qualified domain name, followed by the file name: https://<serverURL>/eEye.RetinaCSSAML/. This is used for audience restriction.
• Assertion Consumer Service URL: The HTTPS endpoint on the service provider where the identity provider redirects to with its authentication response.
7. Click Create SAML Identity Provider.
Once the SAML configuration is saved, a public service provider certificate is available to download. It can be uploaded to the IdP, if required.
Configure identity provider (IdP)
Below are some of the values an IdP may need:
• Audience Restriction: https://<FQDN>/eEye.RetinaCSSAML/
• SSO Service URL: https://<FQDN>/eEye.RetinaCSSAML/SAML/AssertionConsumerService.aspx
• SLO Service URL: https://<FQDN>/eEye.RetinaCSSAML/SAML/SLOService.aspx
• Service Provider Certificate: Generated when SAML configuration is saved.
Your IdP must provide the following attributes in the assertion:
• None:
  • Group: This must match the group created in BeyondInsight or imported from Active Directory / LDAP. If an Active Directory group is used, it must match the BI format of Domain\GroupName.
  • Name: UPN, domain\username, username or EmailAddress formats are acceptable.
  • EmailAddress
  • Surname
  • GivenName
• Local:
  • Group: This is the BeyondInsight group the user must belong to and must be sent as the GroupName for each group.
  • Name: This is sent as the BeyondInsight username.
  • EmailAddress
  • Surname
  • GivenName

• Active Directory:
  • SecurityIdentifier: The user's SID.
  • Group: This is the BeyondInsight group the user must belong to and must be sent as the SID for each group.
  • Name: This is sent as UPN.
  • EmailAddress
  • Surname
  • GivenName
• Microsoft Entra ID:
  • ObjectID: The user's ObjectID. Azure includes this with the assertion by default.
  • Group: This is the BeyondInsight group the user must belong to and must be sent as the ObjectID for each group.
  • Name: This is sent as UPN.
  • EmailAddress
  • Surname
  • GivenName
Note: EmailAddress, Surname, and GivenName are optional. All other attributes are required. Assertion requirements change based on the SAML mapping you choose when configuring SAML.

Multiple identity providers
If you have added multiple IdPs to your SAML configuration, users can log in to BeyondInsight / Password Safe using the following two methods:
• IdP initiated login: the user logs in to the IdP first and launches BeyondInsight / Password Safe from there.
• SP initiated login: the user accesses the SP initiated URL to log in. During SP initiated logins the user is able to specify which IdP they want to log in with; otherwise BeyondInsight / Password Safe uses the default IdP.
  • Default SAML Site Access URL: https://<BeyondInsightURL>/eEye.RetinaCSSAML/login.aspx
  • Specific SAML Site Access URL: https://<BeyondInsightURL>/eEye.RetinaCSSAML/login.aspx?partnerIdP=<IdP EntityID>
For more information on configuring a Microsoft Entra ID SAML Provider, see “Configure Microsoft Entra ID SAML with BeyondInsight SAML” on page 33.
Configure SAML using the saml.config file
In the case where you have multiple service providers, you can configure SAML manually as outlined below.
Copy certificates from IdP
Copy the idp.cer file you received from the IdP to the following folder on the UVM: C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSite\SAML\Certificates.
Generate or obtain a private service provider certificate (sp.pfx file)
Generate your own self-signed certificate as follows:
1. Use PowerShell to generate a new certificate:
New-SelfSignedCertificate -Subject "BI SAML SP" -CertStoreLocation cert:\LocalMachine\My -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -HashAlgorithm SHA256 -KeyLength 2048 -NotAfter 1/1/2050
Note: This command requires PowerShell 5.0 or later (Windows 10 or Server 2016).
2. Make note of the thumbprint for later use, for example: 7120E0BD353429D18F9829096AB3BC9A80AF33B8.
3. Export the public key for your certificate:
Export-Certificate -Cert cert:\LocalMachine\My\7120E0BD353429D18F9829096AB3BC9A80AF33B8 -FilePath c:\certs\sp.der
4. Convert the certificate to base 64:

Certutil.exe -encode c:\certs\sp.der c:\certs\sp.cer
Use a certificate obtained from a Certificate Authority as follows. Your certificate must have the following capabilities:
• Enhanced Key Usage: Client Authentication, Server Authentication
• Key Usage: Digital Signature, Key Encipherment
Add the certificate to the local machine Personal store, and add any intermediate or root certificates to the proper stores if needed. If you want to use the service provider certificate from the certificate store, you must grant IIS READ permission on the private key:
1. Open MMC.
2. Add the Certificates snap-in for Local Machine.
3. Browse to Personal/Certificates.
4. Right-click the certificate that was set up for the service provider.
5. Select All Tasks > Manage Private Keys.
6. Add the IIS user: IIS_IUSRS.
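The self-signed certificate procedure above, carried through as one script. This is an added example, not from the BeyondTrust guide: it generates the certificate with the guide's parameters, exports and base64-encodes the public key, confirms the EKU and Key Usage the guide lists, and grants IIS_IUSRS read on the private key in place of the MMC steps. It assumes PowerShell 5.0 or later in an elevated session on the BeyondInsight server, that the CSP provider named above stores its key file under MachineKeys, and that C:\certs is the output folder.

```powershell
# Added example (not from the BeyondTrust guide). Assumptions: elevated PowerShell 5.0+
# on the BeyondInsight server; C:\certs is an assumed output folder.
$certDir = 'C:\certs'
New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# Step 1: generate the SP certificate with the guide's parameters. Keeping the object
# avoids retyping the thumbprint by hand in the later steps and in saml.config.
$cert = New-SelfSignedCertificate -Subject 'BI SAML SP' `
    -CertStoreLocation 'cert:\LocalMachine\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -HashAlgorithm SHA256 -KeyLength 2048 -NotAfter (Get-Date '2050-01-01')
$thumbprint = $cert.Thumbprint

# Steps 2-4: export the public key (DER) and convert it to base64 (.cer) for the IdP.
Export-Certificate -Cert $cert -FilePath "$certDir\sp.der" | Out-Null
certutil.exe -encode "$certDir\sp.der" "$certDir\sp.cer" | Out-Null

# Confirm the capabilities the guide requires. New-SelfSignedCertificate sets these by
# default; run the same check against a CA-issued certificate before using it.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$ekuNames   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName })
$missingEku = @('Client Authentication', 'Server Authentication') | Where-Object { $ekuNames -notcontains $_ }
$needKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if ($missingEku -or (($kuExt.KeyUsages -band $needKu) -ne $needKu)) {
    throw "Certificate $thumbprint lacks required capabilities. Missing EKU: [$($missingEku -join ', ')]; Key Usage: $($kuExt.KeyUsages)"
}

# MMC steps 1-6 in code: the CSP provider keeps the key as a file under MachineKeys, so
# grant IIS_IUSRS read on that file (assumption: CSP key, not a CNG key).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('IIS_IUSRS', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

Write-Output "LocalCertificateThumbprint for saml.config: $thumbprint"
Write-Output "Public certificate to hand to the IdP: $certDir\sp.cer"
```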
Modify saml.config file
The file is located here: C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSite\SAML. Update the Service Provider section as follows:
• Name: Should be the fully qualified domain followed by eEye.RetinaCSSAML. This is used for the Audience Restriction.
• Description: Add a description.
• AssertionConsumerServiceUrl: This shouldn't need to be modified.
• If you save the certificate for the SP to the certificate folder, use these options:
  • LocalCertificateFile: Path to the certificate
  • LocalCertificatePassword: Password for the PFX file
• If you want to use the certificate from the cert store, remove LocalCertificateFile and LocalCertificatePassword and add:
  • LocalCertificateThumbprint: Thumbprint of the certificate
You can remove all but your one IdP entry. The following IdP fields must be updated to your environment settings:
• Name: The name of the Provider entry, normally provided by the Provider
• SingleSignOnServiceUrl: URL for SSO from IdP
• SingleLogoutServiceUrl: URL for SLO from IdP
• PartnerCertificateFile: Location of the public cert for the IdP
The other settings are set to what your Provider requires. Below are some common configurations for some of the common IdPs:

Example saml.config
Note: This is configured for OKTA using a self-signed service provider certificate.
<?xml version="1.0" encoding="utf-8"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider Name="https://pws.mydomain.com/eEye.RetinaCSSAML/"
                   Description="Example Service Provider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
    <LocalCertificates>
      <Certificate Thumbprint="05552BAF3B8BC9675C94EDB885D4B821F3DC15DE" />
    </LocalCertificates>
  </ServiceProvider>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="http://www.okta.com/exk1dg5hqz3LbpBIj5d7"
                             Description="ADFS"
                             SignAuthnRequest="false"
                             SignLogoutRequest="false"
                             WantSAMLResponseSigned="false"
                             WantAssertionSigned="false"
                             WantAssertionEncrypted="false"
                             WantLogoutResponseSigned="false"
                             SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             SingleSignOnServiceUrl="https://dev-25872691.okta.com/app/dev-25872691_bi212_1/exk1dg5hqz3LbpBIj5d7/sso/saml"
                             SingleLogoutServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             SingleLogoutServiceUrl="https://dev-25872691.okta.com/app/dev-25872691_bi212_1/exk1dg5hqz3LbpBIj5d7/slo/saml">
      <PartnerCertificates>
        <Certificate FileName="Certificates\okta.cer" />
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
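A sanity check for a hand-edited saml.config, covering the Service Provider and IdP fields described above. This is an added example, not a BeyondTrust validator: it reads the file from the default install folder given above, verifies the Audience Restriction form of the SP Name, that the SP certificate is present with a private key (store) or as a file, that each IdP has https SSO/SLO URLs and an existing certificate file, and warns when neither the response nor the assertion is required to be signed. The checks are this example's own.

```powershell
# Added example (not from the BeyondTrust guide). Assumption: default install folder.
$samlDir = 'C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSite\SAML'
[xml]$cfg = Get-Content -Path (Join-Path $samlDir 'saml.config') -Raw
$problems = New-Object System.Collections.Generic.List[string]

# ServiceProvider Name is the Audience Restriction: https://<FQDN>/eEye.RetinaCSSAML/
$sp = $cfg.SAMLConfiguration.ServiceProvider
if ($sp.Name -notmatch '^https://[^/]+/eEye\.RetinaCSSAML/$') {
    $problems.Add("ServiceProvider Name '$($sp.Name)' is not of the form https://<FQDN>/eEye.RetinaCSSAML/")
}

# The SP certificate is either a store thumbprint (needs a private key) or a PFX file.
foreach ($c in @($sp.LocalCertificates.Certificate)) {
    if ($c.Thumbprint) {
        $stored = Get-Item -Path "cert:\LocalMachine\My\$($c.Thumbprint)" -ErrorAction SilentlyContinue
        if (-not $stored)                        { $problems.Add("SP certificate $($c.Thumbprint) is not in LocalMachine\My") }
        elseif (-not $stored.HasPrivateKey)      { $problems.Add("SP certificate $($c.Thumbprint) has no private key") }
        elseif ($stored.NotAfter -lt (Get-Date)) { $problems.Add("SP certificate $($c.Thumbprint) expired on $($stored.NotAfter)") }
    }
    elseif ($c.FileName) {
        if (-not (Test-Path (Join-Path $samlDir $c.FileName))) {
            $problems.Add("LocalCertificateFile '$($c.FileName)' not found under $samlDir")
        }
    }
    else { $problems.Add('SP certificate entry has neither Thumbprint nor FileName') }
}

# Each IdP: https SSO/SLO URLs, an existing public certificate file, and a signature
# requirement on the response or the assertion so the IdP's certificate is actually used.
foreach ($idp in @($cfg.SAMLConfiguration.PartnerIdentityProviders.PartnerIdentityProvider)) {
    foreach ($attr in 'SingleSignOnServiceUrl', 'SingleLogoutServiceUrl') {
        $u = $idp.$attr
        if (-not $u -or $u -notmatch '^https://') { $problems.Add("$($idp.Name): $attr is missing or not https") }
    }
    $pc = $idp.PartnerCertificates.Certificate
    if (-not $pc -or -not $pc.FileName) {
        $problems.Add("$($idp.Name): no PartnerCertificateFile configured")
    }
    elseif (-not (Test-Path (Join-Path $samlDir $pc.FileName))) {
        $problems.Add("$($idp.Name): certificate file '$($pc.FileName)' not found under $samlDir")
    }
    if ($idp.WantSAMLResponseSigned -ne 'true' -and $idp.WantAssertionSigned -ne 'true') {
        $problems.Add("$($idp.Name): neither WantSAMLResponseSigned nor WantAssertionSigned is true")
    }
}

if ($problems.Count -eq 0) { Write-Output 'saml.config: no problems found' }
else { $problems | ForEach-Object { Write-Output "saml.config: $_" } }
```

Run against the example above, the last check reports the Okta entry because both signing options are false; set whichever of the two your IdP supports before relying on the configuration.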
Update host name and SAML access URL
Note: The below steps are applicable for on-premises installations only. Access URLs can also be set from the configuration area in the BeyondInsight console for both PS Cloud and on-premises installations by navigating to Configuration > Authentication Management > Single sign on site access urls.
1. Open the BeyondInsight Configuration Tool.
2. Scroll down to SAML Access URL.

3. Update it to the fully qualified domain, followed by the file name: https://<FQDN>/eEye.RetinaCSSAML/
4. Scroll down to the Host Name field under the Web Site Information section.
5. Update it to the fully qualified domain, for example, bidev.shines.test.cloud.
6. Click Apply.
Note: The host name is the fully qualified domain name used to access BI/PS. If this is a load-balanced instance, the host name is the same on all servers.
Configure Microsoft Entra ID SAML with BeyondInsight SAML
You can integrate Microsoft Entra ID SAML with BeyondInsight SAML so that when BeyondInsight receives claims from Entra ID, it can enumerate groups for the user directly from Entra ID using the Group ID value in the claim. This allows an Entra ID user to log in to BeyondInsight using SAML authentication when the user account does not yet exist in the BeyondInsight User database. BeyondInsight adds the user to its database automatically upon successful Entra ID group enumeration and authentication into BeyondInsight. To configure the integration between Entra ID SAML and BeyondInsight SAML, log in to your Entra ID tenant and follow the instructions below to add a new enterprise application to host the SAML configuration for BeyondInsight:
1. In Azure, navigate to Enterprise Applications, and then click + New Application.

2. Click + Create your own application.
3. Provide a name.
4. Select the Integrate any other application you don’t find in the gallery (Non-gallery) option.
5. Click Create.

6. In the BeyondInsight console, create a new SAML identity provider. To complete the SAML IdP config in BeyondInsight, use the following information from the enterprise application you just created:
  • In Azure, go to the SAML-based Sign-on configuration page for the application.
  • In the Set up <application name> section, copy the Login URL and the Entra ID Identifier and save them.
  • Paste them into the Identifier, Single Sign-on Service URL, and Single Logout Service URL fields in the BeyondInsight SAML IdP configuration.
7. In Azure, open the Properties for the newly created enterprise application.
8. From the Getting Started section, click Set up single sign-on.

9. In the Basic SAML Configuration section, provide the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) obtained from the SAML IdP you just created in BeyondInsight.
10. In the User Attributes & Claims section, click Edit to add the group claim.
11. Click + Add a group claim.
12. In the Group Claims section:
  • Select which groups associated with the user to return in the claim: either Groups assigned to the application or Security Groups.
  • Select Group ID from the Source attribute.
Note: If user accounts are configured in Okta, ensure GivenName, Surname, and Email attributes are set for user accounts in Okta. When these attributes are not set, the user’s name and email do not display in the user’s profile for the logged in user in BeyondInsight. If these attributes are set after the user has logged into BeyondInsight, the user must log out of BeyondInsight and log back in, to see their name and email in their user profile.
For more information on configuring a SAML IdP in BeyondInsight, see Configure SAML single sign-on for Entra ID.
Disable forms login
In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight. To disable forms login for existing users, enable this option directly on a user account as follows:
1. Click the vertical ellipsis for the user account, and then click Edit User Details.

2. Under Authentication Options, check Disable Forms Login to enable the option.
Note: Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

To disable forms login globally for newly created directory accounts:

1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Authentication Options.
3. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.

Configure SAML for BeyondInsight and Password Safe using Entra ID App
Entra ID, part of Microsoft Entra, is an enterprise identity service that provides single sign-on, multifactor authentication, and conditional access to guard against a wide range of cyber security attacks. A BeyondTrust app, available in Entra ID App Gallery, provides Single Sign-On and provisioning via SAML 2.0. This app supports Remote Support and public portals, Privileged Remote Access, Password Safe, and Password Safe Cloud.

Workflow
To configure BeyondInsight and Password Safe to use SAML authentication using Entra ID, you must:
• Configure SAML using the Entra ID App
• Configure the SAML Entra ID Provider in BeyondInsight

Configure AD FS authentication using SAML
Active Directory Federation Services (AD FS) is Microsoft's claims-based single sign-on (SSO) solution. It allows users access to integrated applications and systems using their Active Directory (AD) credentials. AD FS uses trust relationships to allow AD to issue authentication claims for transferring user identities to the requesting application. See the instructions below for detailed steps on how to:
• Configure the trust relationship in the AD FS management console
• Configure the SAML identity provider and service provider in BeyondInsight

Configure AD FS on the identity provider server
Configuring AD FS on the identity provider (IdP) server involves creating a relying party trust in AD FS for the BeyondInsight SAML service URL, creating a rule to send the AD group membership as a claim to the relying party, and creating a rule that selects attributes from an LDAP attribute store, such as Active Directory, to send as claims to the relying party. The sections below provide detailed steps to configure each of these in AD FS.
Add a relying party trust in AD FS management
To add a relying party trust manually in AD FS on your identity provider server, follow the steps below:
1. Log in to the identity provider server as an administrator and open Server Manager.
2. In Server Manager, click Tools, and then select AD FS Management.
3. From the Actions pane, click Add Relying Party Trust.
4. On the Welcome screen, select Claims aware, and then click Start.

5. On the Select Data Source screen, select Enter data about the relying party manually, and then click Next.

6. On the Specify Display Name screen, enter a name in the Display name field. Below that, under Notes, provide a description for this relying party trust, and then click Next.
7. On the Configure Certificate screen, click Browse to locate and import the service provider public certificate file, and then click Next.


8. On the Configure URL screen, check Enable support for the SAML 2.0 WebSSO protocol, enter the Relying party SAML 2.0 SSO service URL, and then click Next.


9. On the Configure Identifiers screen, enter the Relying party trust identifier, click Add, and then click Next.

10. On the Choose Access Control Policy screen, select a policy, and then click Next.


11. On the Ready to Add Trust screen, review the settings, and then click Next to save your relying party trust information.


12. On the Finish screen, click Close. The Edit Claim Rules dialog box displays.

Send LDAP attributes as claims
Using the Send Claims as a Custom Rule template in AD FS, you can create a rule to add the SID attribute to claims. Using the Send LDAP Attributes as Claims template, you can select attributes from an LDAP attribute store, such as Active Directory, to send as claims to the relying party. Configuring these rules allows you to send all of the SIDs for the user's groups as part of the claim, as well as other attributes, such as User-Principal-Name. The steps for configuring each of these rule types are outlined in the sections below.
Create rule to add SID attribute
To create a custom rule to add the SID attribute to claims, follow these steps:
1. In Server Manager, click Tools, and then select AD FS Management.
2. In the AD FS navigation tree on the left, click Relying Party Trusts.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy.
4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules, click Add Rule to start the Add Transform Claim Rule wizard.

5. On the Select Rule Template screen, select Send Claims as a Custom Rule from the Claim rule template list, and then click Next.


6. On the Configure Rule screen, type the display name for this rule and type the following for the Custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("SecurityIdentifier"), query = ";objectSid;{0}", param = c.Value);
The rule takes the Windows account name claim that AD FS itself issues for the authenticated user, looks up that account's objectSid in Active Directory, and issues the result as a SecurityIdentifier claim. Use straight double quotes when typing the rule; typographic quotes are rejected by the claim rule language.


7. Click Finish.
8. Click OK in the Edit Claim Issuance Policy dialog to close it and save the rule.
Create rule to send LDAP attributes as claims
To create a rule to send attributes from Active Directory as claims, follow these steps:
1. In Server Manager, click Tools, and then select AD FS Management.
2. In the AD FS navigation tree on the left, click Relying Party Trusts.
3. Right-click the selected trust, and then click Edit Claim Issuance Policy.


4. In the Edit Claim Issuance Policy dialog box, under Issuance Transform Rules click Add Rule to start the Add Transform Claim Rule wizard.


5. On the Select Rule Template screen, select Send LDAP Attributes as Claims from the Claim rule template list, and then click Next.

6. On the Configure Rule screen:
  • In the Claim rule name box, type the display name for this rule.
  • For Attribute Store, select Active Directory from the list.
  • Select User-Principal-Name for the LDAP Attribute and Name as the Outgoing Claim Type.
  • Select User-Principal-Name for the LDAP Attribute and Name ID as the Outgoing Claim Type.
  • Select Token-Groups as SIDs for the LDAP Attribute and Group as the Outgoing Claim Type.
  • Click Finish.
7. Click OK in the Edit Claim Issuance Policy dialog to close it and save the rule.
8. On the Relying Party Trusts page, right-click the relying party trust you added for BeyondInsight, and then select Properties.
9. Click the Signature tab.
10. Click Add, and then enter the service provider public certificate.


Configure SAML on the U-Series Appliance
As an administrator, log in to BeyondInsight on the U-Series Appliance and follow the below instructions to configure SAML:
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click SAML Configuration.
3. From the SAML Identity Providers pane, click Create New SAML Identity Provider.
4. Provide a name for the new SAML identity provider (IdP).
5. Complete the Identity Provider Settings as follows:
  • Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP), and would like this IdP to be used as default for SP initiated logins.
    • This is useful in the case where a user accesses the SAML site access URL without providing an IdP.
    • Also, when a user clicks the Use SAML Authentication link from the BeyondInsight login page, they are redirected to the default IdP’s site for authentication.
  • Check Force Reauthentication to require users to authenticate with the identity provider for each BeyondInsight session. Once enabled, if BeyondInsight is logged out but the IdP still has an active session, when the user attempts to access Password Safe from a service provider initiated login, the IdP prompts the user to log in again.
  • Identifier: Enter the name of the identity provider entry, normally supplied by the provider.
  • Single Sign-on Service URL: Provide the SSO URL, from the provider.
  • SSO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
  • Single Logout Service URL: Enter the SLO URL, from the provider.
  • SLO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
  • Encryption and Signing Configuration:
    • Depending on IdP configuration, check any of the first three settings:
      • Sign Authentication Request
      • Sign Logout Request
      • Sign Logout Response
    • Check the appropriate service provider signing settings:
      • Want SAML Response Signed
      • Want Assertion Signed
      • Want Assertion Encrypted
      • Want Logout Response Signed
      • Want Logout Request Signed
    • Check any of the remaining miscellaneous settings as required.

  • Signature Method: Select the method, as is required by your IdP, from the dropdown.
  • Current Identity Provider Certificate: Upload the identity provider certificate.
  • User Mapping: Select Active Directory from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight User database.
6. The following Service Provider Settings are auto-generated by BeyondInsight:
  • Entity ID: This is the fully qualified domain name, followed by the file name: https://<serverURL>/eEye.RetinaCSSAML/. This is used for audience restriction.
  • Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects with its authentication response.
7. Click Create SAML Identity Provider. Once the SAML configuration is saved, a public service provider certificate is available to download. It can be uploaded to the IdP, if required.
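Before moving users onto a new IdP, it is worth capturing one SAMLResponse (the base64 form field the IdP posts to the Assertion Consumer Service URL) and checking it offline against the service provider settings above: Destination must be the ACS URL, the Audience must be the Entity ID (the audience restriction the guide mentions), each "Want ... Signed" option selected here must be matched by a Signature element in what the IdP sends, and the name and group attributes that the AD FS claim rules emit must be present, with SIDs where Active Directory user mapping is used. The Python below is an added example and not BeyondInsight or BeyondTrust code; the host bi.example.com, the AD FS issuer value, the attribute names name and group, and the sample response are constructed assumptions, and it checks structure only (cryptographic verification of the signature against the IdP certificate needs an XML-DSig library and is not done here).

```python
"""Offline checks of a captured SAML Response against the service provider settings above.
Added example, not BeyondTrust code: host name, IdP issuer and the sample response are
constructed; only the URL path shapes (Entity ID, ACS URL) follow the guide."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# SP-side values BeyondInsight auto-generates (hypothetical host bi.example.com).
SP_ENTITY_ID = "https://bi.example.com/eEye.RetinaCSSAML/"
SP_ACS_URL = "https://bi.example.com/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx"
# The Identifier entered for the IdP in BeyondInsight (hypothetical AD FS issuer value).
IDP_ISSUER = "http://adfs.example.com/adfs/services/trust"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # shape of a Windows security identifier


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(b64):
    """The HTTP-POST binding delivers the Response base64-encoded in the SAMLResponse form field."""
    return ET.fromstring(base64.b64decode(b64))


def attribute_values(assertion, name):
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return []


def check_response(root, *, now, want_response_signed, want_assertion_signed,
                   name_attr, group_attr, sid_groups):
    """Return the mismatches found (empty list = fits the SP settings); `now` is a UTC ISO 8601 string."""
    now, problems = parse_time(now), []
    if root.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        problems.append("Issuer does not match the configured Identifier")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if want_response_signed and root.find("ds:Signature", NS) is None:
        problems.append("Want SAML Response Signed is set but the Response has no Signature")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (an EncryptedAssertion needs the SP private key)"]
    if want_assertion_signed and assertion.find("ds:Signature", NS) is None:
        problems.append("Want Assertion Signed is set but the Assertion has no Signature")
    # Audience restriction: the assertion must name our Entity ID, or it was minted for another SP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid (NotBefore)")
    if cond is not None and cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter)")
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("Subject has no NameID")
    if not attribute_values(assertion, name_attr):
        problems.append(f"required attribute {name_attr!r} missing")
    groups = attribute_values(assertion, group_attr)
    if not groups:
        problems.append(f"required attribute {group_attr!r} missing")
    elif sid_groups and (bad := [g for g in groups if not SID_RE.match(g)]):
        # Active Directory user mapping prefers SIDs, as issued by the Token-Groups as SIDs rule.
        problems.append(f"group values are not SIDs: {bad}")
    return problems


# Constructed, unsigned sample response (attribute names assumed to be name and group).
SAMPLE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-12-31T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-12-31T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-12-31T11:59:00Z" NotOnOrAfter="2024-12-31T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print(check_response(decode_saml_response(SAMPLE_B64), now="2024-12-31T12:00:30Z",
                         want_response_signed=True, want_assertion_signed=True,
                         name_attr="name", group_attr="group", sid_groups=True))
```

Run against a real capture, the flags passed to check_response should mirror the boxes ticked under Encryption and Signing Configuration and the User Mapping choice; a non-empty result points at the IdP-side setting (audience, ACS URL, signing, attribute names) that does not yet match what BeyondInsight expects. With AD FS the attribute names are the claim-type URIs of the rules configured above rather than the short names used in the sample.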

Configure Okta SAML authentication
Configuring BeyondInsight and Password Safe to use Okta SAML authentication requires configuring the SAML application with BeyondInsight SAML information in the Okta admin portal and then configuring the SAML identity provider settings for Okta in the BeyondInsight console.
Configure SAML application in Okta
To configure a new SAML application for BeyondInsight and Password Safe in Okta, follow the below steps.
1. Log in to the Okta admin portal.
2. Click Add Application.
3. Click Create New App.
4. Select SAML 2.0 as the sign-in method.
5. Click Create.


6. Enter the application name, and then click Next.
7. Enter the single sign on URL: https://<ServerURL>/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx
8. Check the Use this for Recipient and Destination URL box.
9. Enter the audience URI (SP entity ID): https://<ServerURL>/eEye.RetinaCSSAML


10. From the Application username list, select Okta username.

SLO optional setting
11. Click Show Advanced Settings.
12. Select Enable Single Logout.
13. Fill in the Single Logout URL: HTTPS://<FQDN>/eEye.RetinaCSSAML/SAML/SLOService.aspx
14. Fill in the SP Issuer: HTTPS://<FQDN>/eEye.RetinaCSSAML/.
15. Select the SP Public Certificate.cer certificate.
16. Click Upload Certificate.


Configure attributes
17. For the Attribute Statements section, name and group attributes are required and must have unspecified name formats.
  • Set the Value for the name attribute to user.login.
  • Set the Value for the group attribute to DomainGroupName.
Note: Ensure the Group Attribute Statements section does not contain the group attribute.


18. Click Next.
19. Select appropriate settings for Okta support, and then click Finish.


Find IdP information
20. Click View Setup Instructions.


21. Copy the Identity Provider Single Sign-On URL. Save the value to be used in the next step.
22. Copy the Identity Provider Issuer. Save the value to be used in the next step.
23. Click Download certificate.

Configure SAML identity provider in BeyondInsight
To configure a new SAML identity provider for Okta in BeyondInsight, follow the below steps.
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click SAML Configuration.
3. From the SAML Identity Providers pane, click Create New SAML Identity Provider +.


4. Provide a name for the new SAML identity provider (IdP).
5. Complete the Identity Provider Settings as follows:
  • Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP), and would like this IdP to be used as default for SP initiated logins.
    • This is useful in the case where a user accesses the SAML site access URL without providing an IdP.
    • Also, when a user clicks the Use SAML Authentication link from the BeyondInsight login page, they are redirected to the default IdP’s site for authentication.
  • Check Force Reauthentication to require users to authenticate with the identity provider for each BeyondInsight session. Once enabled, if BeyondInsight is logged out but the IdP still has an active session, when the user attempts to access Password Safe from a service provider initiated login, the IdP prompts the user to log in again.
  • Identifier: Enter the Okta value Identity Provider Issuer.
  • Single Sign-on Service URL: Enter the Okta value Identity Provider Single Sign-On URL.
  • SSO URL Protocol Binding: Select HTTP Post as the type.
  • Single Logout Service URL: Enter the Okta value Identity Provider Single Logout URL.
  • SLO URL Protocol Binding: Select HTTP Post as the type.
  • Encryption and Signing Configuration: Check applicable boxes to enable options, based on your Okta settings. A typical configuration is shown; however, depending on your Okta settings, some configuration selections may be different.
  • Signature Method: Select the method, as is required by Okta.
  • Current Identity Provider Certificate: Upload the Okta X.509 certificate.
  • User Mapping: Select the type of user account from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight User database.
    • None: This is the legacy type of mapping, which is not based on type of user.
    • Local: Select this option for local user account claims. BeyondInsight maps the user and group name.
    • Microsoft Entra ID: Select this option for Entra ID user account claims. When selected, BeyondInsight maps the ObjectID attribute to the AppUser and UserGroup attributes for the user.
    • Active Directory: Select this option for Active Directory user account claims. If the claims are configured to pass the SID of the user and group, BeyondInsight maps the SID for the user and group, which is preferred over mapping domain name and group name attributes.
6. The following Service Provider Settings are auto-generated by BeyondInsight:
  • Entity ID: This is the fully qualified domain name, followed by the file name: https://<serverURL>/eEye.RetinaCSSAML/. This is used for audience restriction.

  • Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects with its authentication response.
7. Click Create SAML Identity Provider. Once the SAML configuration is saved, a public SP certificate is available to download. It can be uploaded to the IdP if required.
Disable forms login
In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight. To disable forms login for existing users, enable this option directly on a user account as follows:
1. Click the vertical ellipsis for the user account, and then click Edit User Details.

2. Under Authentication Options, check Disable Forms Login to enable the option.
Note: Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

To disable forms login globally for newly created directory accounts:

1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Authentication Options.
3. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.

Configure Ping Identity SAML authentication
Configuring BeyondInsight and Password Safe to use Ping Identity SAML authentication involves configuring the SAML application with BeyondInsight SAML information in the Ping Identity admin portal and then configuring the SAML identity provider settings for Ping Identity in the BeyondInsight console.

Configure SAML application in Ping Identity
To configure a new SAML application for BeyondInsight and Password Safe in Ping Identity, follow the below steps.
1. Log in to the Ping Identity admin portal.
2. Click the Add Application button, and then select New SAML Application from the menu.
3. Fill in Application Name and Description.
4. Set Category to Other, and then click Continue to Next Step.

5. Set the following:
  • Set Assertion Consumer Service (ACS) to:
  • Set Entity ID to: https://<ServerURL>/eEye.RetinaCSSAML/
  • Set Single Logout Binding Type to Redirect.
  • Upload Primary Verification Certificate (use SP Public Certificate.cer from WebSiteSAMLCertificates). The certificate is automatically generated when the BI SAML configuration is saved.
  • Click Continue to Next Step.
Note: After setting up SAML configuration in the BeyondInsight console, you must download the certificate from the configured SAML identity provider in BeyondInsight. The steps are detailed in the next section.
6. Add the following attributes, and then click Save & Publish:
  • Group: Check the As Literal box. This must match the group created in BeyondInsight.
  • Name (required).
  • Email (optional).
  • Surname (optional).
  • GivenName (optional).
Note: The following is applicable only to BI version 6.3.1. It is not required for 6.4.4 or later releases. In 6.4.4 and later releases, the user is automatically logged in to Password Safe, and can then navigate to BeyondInsight, if they have the proper permissions. To create an application that goes to Password Safe when IdP-initiated login is used, add a new attribute called Website. When the value of Website is set to Password Safe, the user is logged in to Password Safe. If the attribute is not present or is set to anything other than Password Safe, the user will be directed to BeyondInsight.
7. Download the Signing Certificate.
8. Download SAML Metadata.
9. Click Finish.


Configure SAML identity provider in BeyondInsight
To configure a new SAML identity provider for Ping Identity in BeyondInsight, follow the below steps.
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click SAML Configuration.
3. From the SAML Identity Providers pane, click Create New SAML Identity Provider +.
4. Provide a name for the new SAML identity provider (IdP).
5. Complete the Identity Provider Settings as follows:
  • Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP), and would like this IdP to be used as default for SP initiated logins.
    • This is useful in the case where a user accesses the SAML site access URL without providing an IdP.
    • Also, when a user clicks the Use SAML Authentication link from the BeyondInsight login page, they are redirected to the default IdP’s site for authentication.
  • Check Force Reauthentication to require users to authenticate with the identity provider for each BeyondInsight session. Once enabled, if BeyondInsight is logged out but the IdP still has an active session, when the user attempts to access Password Safe from a service provider initiated login, the IdP prompts the user to log in again.
  • Identifier: Enter the Ping Identity value Identity Provider Issuer.
  • Single Sign-on Service URL: Enter the Ping Identity value Identity Provider Single Sign-On URL.
  • SSO URL Protocol Binding: Select HTTP Post as the type.
  • Single Logout Service URL: Enter the Ping Identity value Identity Provider Single Logout URL.
  • SLO URL Protocol Binding: Select HTTP Post as the type.
  • Encryption and Signing Configuration: Check applicable boxes to enable options, based on your Ping Identity settings. A typical configuration is shown; however, depending on your Ping Identity settings, some configuration selections may be different.
  • Signature Method: Select the method, as is required by Ping Identity.
  • Current Identity Provider Certificate: Upload the Ping X.509 certificate.
  • User Mapping: Select the type of user account from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight User database.
    • None: This is the legacy type of mapping, which is not based on type of user.
    • Local: Select this option for local user account claims. BeyondInsight maps the user and group name.
    • Microsoft Entra ID: Select this option for Entra ID user account claims. When selected, BeyondInsight maps the ObjectID attribute to the AppUser and UserGroup attributes for the user.

    • Active Directory: Select this option for Active Directory user account claims. If the claims are configured to pass the SID of the user and group, BeyondInsight maps the SID for the user and group, which is preferred over mapping domain name and group name attributes.
6. The following Service Provider Settings are auto-generated by BeyondInsight:
  • Entity ID: This is the fully qualified domain name, followed by the file name: https://<serverURL>/eEye.RetinaCSSAML/. This is used for audience restriction.
  • Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects with its authentication response.
7. Click Create SAML Identity Provider.
Disable forms login
In environments where SAML, smart card, or claims-aware is configured, we recommend enabling the Disable Forms Login authentication option to disallow users from using the standard login form in BeyondInsight. To disable forms login for existing users, enable this option directly on a user account as follows:
1. Click the vertical ellipsis for the user account, and then click Edit User Details.

2. Under Authentication Options, check Disable Forms Login to enable the option.
Note: Please contact BeyondTrust Support for assistance if you need to bulk-apply this setting to existing accounts.

To disable forms login globally for newly created directory accounts:

1. From the left sidebar, click Configuration.
2. Under Authentication Management, click Authentication Options.
3. Under Forms Login Options, check the Disable Forms Login for new directory accounts option to enable it.

Configure Password Safe and Ping Identity for PingOne
Use the Password Safe app in the PingOne Application Catalog to configure the integration between Password Safe (or Password Safe Cloud) and PingOne.
Configure Password Safe App in PingOne Application Catalog
1. Access the Application Catalog for your Ping Identity environment, and search for BeyondTrust.

2. Click the + sign next to the BeyondTrust - Password Safe Cloud application.
3. In the Instance Name box, enter the unique part of your instance URL, and then click Next.
4. On the Map Attributes page, add a group. The Group attribute is mandatory and corresponds to the group that will be included in the SAML Assertion for users. In this guide, we configure a static value that is the same for all users accessing Password Safe using this application. Optionally, you can map this attribute to a Ping user attribute.
5. Click the gear icon to open the Expression Builder for the Group attribute. Add a Password Safe group name within double-quotes, and then click Save.


6. Review the Map Attributes page, and then click Next. You can use access control groups in PingOne to restrict which users can access the app. In this scenario, access is open to all users.
7. Click Save. The Connection Details page is displayed.


8. To configure the SAML identity provider in Password Safe, you need the Issuer ID, the Single Sign-On Service URLs, and the signing certificate. On the Connection Details page, copy the Issuer ID and the Single Sign-On Service URLs to use later.
9. Click Download Signing Certificate. You will import the certificate in Password Safe.

Create a SAML identity provider in BeyondInsight
1. On the SAML Configuration page in BeyondInsight, enter the Identifier (Issuer ID) and Single Sign-On Service URL values copied from PingOne in the previous procedure.
2. Import the certificate downloaded from PingOne in the previous procedure.

3. Save the SAML configuration settings. PingOne users can now log on to Password Safe using single sign-on.

If an account does not already exist in Password Safe, then the SAML assertion sent by PingOne creates the account. The account is added to the group configured on the Attribute Mapping page.


Configure SAML on the U-Series Appliance
As an administrator, log in to BeyondInsight on the U-Series Appliance and follow these steps to configure SAML:
1. From the left sidebar, click Configuration.
2. Under Authentication Management, click SAML Configuration.
3. From the SAML Identity Providers pane, click Create New SAML Identity Provider.
4. Provide a name for the new SAML identity provider (IdP).
5. Complete the Identity Provider Settings as follows:
  • Check the Default Identity Provider option if you have more than one IdP for the same service provider (SP) and would like this IdP to be used as the default for SP-initiated logins.
    ◦ This is useful when a user accesses the SAML site access URL without specifying an IdP.
    ◦ Also, when a user clicks the Use SAML Authentication link on the BeyondInsight login page, they are redirected to the default IdP's site for authentication.
  • Check Force Reauthentication to require users to authenticate with the identity provider for each BeyondInsight session. Once enabled, if the user has logged out of BeyondInsight but still has an active session at the IdP, the IdP prompts the user to log in again when they next attempt an SP-initiated login to Password Safe.
  • Identifier: Enter the identity provider's entity ID (its Issuer value), normally supplied by the provider. Incoming SAML responses must carry this value as their Issuer.
  • Single Sign-on Service URL: Provide the SSO URL from the provider.
  • SSO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
  • Single Logout Service URL: Enter the SLO URL from the provider.
  • SLO URL Protocol Binding: Select either HTTP Redirect or HTTP Post as the type.
  • Encryption and Signing Configuration:
    ◦ Depending on the IdP configuration, check any of the first three settings:
      ▪ Sign Authentication Request
      ▪ Sign Logout Request
      ▪ Sign Logout Response
    ◦ Check the appropriate service provider signing settings:
      ▪ Want SAML Response Signed
      ▪ Want Assertion Signed
      ▪ Want Assertion Encrypted
      ▪ Want Logout Response Signed
      ▪ Want Logout Request Signed
      Note: Require at least the assertion or the response to be signed. An unsigned assertion cannot be tied to the identity provider certificate you upload below, so anyone who can reach the Assertion Consumer Service URL could submit one.
    ◦ Check any of the remaining miscellaneous settings as required.

  • Signature Method: Select the method required by your IdP from the dropdown.
  • Current Identity Provider Certificate: Upload the identity provider certificate. BeyondInsight uses it to verify the signatures on responses and assertions from this IdP.
  • User Mapping: Select Active Directory from the dropdown. This indicates how user claims from the SAML provider are mapped in the BeyondInsight user database.
6. The following Service Provider Settings are auto-generated by BeyondInsight:
  • Entity ID: The fully qualified domain name of the BeyondInsight server followed by the SAML application path: https://<serverURL>/eEye.RetinaCSSAML/. This value is used for audience restriction: the IdP places it in the assertion's Audience element so that an assertion issued for BeyondInsight cannot be replayed against another service provider.
  • Assertion Consumer Service URL: The HTTPS endpoint on the service provider to which the identity provider redirects the browser with its authentication response.
7. Click Create SAML Identity Provider. Once the SAML configuration is saved, a public service provider certificate is available to download. It can be uploaded to the IdP, if required.
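The checks the service-provider side has to make on a response from the IdP, as an added Python example that is not part of this guide and not BeyondInsight's own code. It ties together the Identifier (Issuer ID) entered in step 5, the auto-generated Entity ID used as the audience, the Assertion Consumer Service URL, the Want Assertion Signed setting, and the Group attribute that the PingOne procedure above maps into the assertion. The host name, the ACS path, the PingOne issuer value, the group name, the sample response and the clock value are all constructed for the example. Signature handling is deliberately reduced to a presence check: a real consumer must verify ds:Signature against the uploaded IdP certificate with an XML-DSig library.

```python
"""Service-provider side checks on a SAML Response (added example, not product code)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical values standing in for the auto-generated SP settings, the IdP
# Identifier entered in step 5, and the PingOne attribute mapping.
SP_ENTITY_ID = "https://bi.example.com/eEye.RetinaCSSAML/"        # audience
SP_ACS_URL = "https://bi.example.com/eEye.RetinaCSSAML/saml/acs"  # path is assumed
IDP_IDENTIFIER = "https://auth.pingone.com/example-environment"    # Issuer ID
GROUP_ATTRIBUTE = "Group"
NOW = datetime(2024, 12, 31, 12, 0, 30, tzinfo=timezone.utc)        # fixed clock


def build_response(audience=SP_ENTITY_ID, not_on_or_after="2024-12-31T12:05:00Z",
                   signed=True):
    """Constructed sample response. A real IdP signs the assertion; the ds:Signature
    element here is only a stand-in so the presence check has something to find."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-12-31T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_IDENTIFIER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-12-31T12:00:00Z">
    <saml:Issuer>{IDP_IDENTIFIER}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-12-31T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUP_ATTRIBUTE}"><saml:AttributeValue>PasswordSafe-Users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, now, want_assertion_signed=True):
    """Return (name_id, groups) or raise ValueError naming the check that failed."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        raise ValueError("IdP returned status " + status)
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise ValueError("Destination is not our Assertion Consumer Service URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != IDP_IDENTIFIER:
            raise ValueError("Issuer does not match the configured Identifier")
    # Presence only. Real verification of ds:Signature needs an XML-DSig library
    # and the IdP certificate uploaded in step 5; never trust an unverified one.
    if want_assertion_signed and assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned but Want Assertion Signed is set")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:          # the Entity ID is the audience
        raise ValueError("audience %r does not include our Entity ID" % audiences)
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue"
        % GROUP_ATTRIBUTE, NS)]
    if not groups:   # no group means an account with no permissions, so no login
        raise ValueError("no %s attribute in the assertion" % GROUP_ATTRIBUTE)
    return name_id, groups


def outcome(xml_text, now=NOW, **kw):
    """'ok' plus the identity and groups, or 'rejected' plus the reason."""
    try:
        name_id, groups = validate_response(xml_text, now, **kw)
        return ("ok", name_id, groups)
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(outcome(build_response()))
    print(outcome(build_response(audience="https://other.example.com/")))
    print(outcome(build_response(not_on_or_after="2024-12-31T12:00:00Z")))
    print(outcome(build_response(signed=False)))
```

The audience and issuer checks are what stop an assertion minted for some other service provider, or by some other IdP, from being accepted at this ACS URL; the validity window limits replay of a captured response.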

Role-based access in BeyondInsight
BeyondInsight offers a role-based delegation model so that you can explicitly assign permissions to groups on specific product features based on their role. Users are provisioned based on the permissions of their assigned groups. A user must always belong to at least one group that has permissions assigned to be able to log in to BeyondInsight and Password Safe. You can create BeyondInsight local groups, or you can use existing Active Directory, Entra ID, or LDAP groups.
Note: By default, an Administrators user group is created. The permissions assigned to the group cannot be changed. The user account you created when you configured BeyondInsight is a member of the group.
Create and configure groups
Create user groups and user accounts so that your BeyondInsight administrators can log in to BeyondInsight. When a user is added to a group, the user is assigned the permissions assigned to the group. You can create BeyondInsight local groups, as well as add Active Directory groups, Entra ID groups, and LDAP groups in BeyondInsight from the Configuration > Role Based Access > User Management page.

You can filter the groups displayed in the grid by type of group, name of the group, group description, and the date the group was last synchronized.
Tip: By default, the first 100 groups are displayed per page. You can change this by selecting a different number from the Items per page dropdown at the bottom of the grid.

Note: A directory credential is required for querying Active Directory (AD), Entra ID, and LDAP. It is also required for adding AD, Entra ID, and LDAP groups and users in BeyondInsight.

Note: Before you can create an Entra ID credential, you must first register and configure permissions for an application in the Entra ID tenant where the user credentials reside.

Create and edit directory credentials
A directory credential is required for querying Active Directory (AD), Entra ID, and LDAP, and for adding AD, Entra ID, and LDAP groups and users in BeyondInsight. Follow the steps below to create each type of directory credential.
To create a directory credential in BeyondInsight:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click Directory Credentials.
3. Click + Create New Directory Credential.
4. Select the Directory Type and follow the steps below that apply to that type.

Create an Active Directory credential
1. Select Active Directory for the Directory Type.
2. Provide a name for the credential.
3. Enter the name of the domain where the directory and user credentials reside.
4. Enable the Use SSL option to use a secure connection when accessing the directory. This protects the query account's password and the directory data in transit.
Note: If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
5. Enter the credentials for the account that has permissions to query the directory. Use a dedicated account with read-only directory access; it does not need administrative rights.
6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential can be set for group resolution per domain or server.
7. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
8. Click Create Credential.


Create an LDAP credential
1. Select LDAP for the Directory Type.
2. Provide a name for the credential.
3. Enter the name of the LDAP server where the directory and user credentials reside.
4. Enable the Use SSL option to use a secure connection when accessing the directory. Without it, a simple LDAP bind sends the Bind DN's password to the server in cleartext.
Note: If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight configuration tool.
5. Enter the credentials for the account that has permissions to query the directory. Use a dedicated account with read-only directory access.
6. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential can be set for group resolution per LDAP server.
7. Click Test Credential to ensure the credential can successfully authenticate with the LDAP server before saving the credential.
8. Click Create Credential.


Create an Entra ID credential
1. Select Microsoft Entra ID for the Directory Type.
2. Provide a name for the credential.
3. Paste the Client ID, Tenant ID, and Client Secret that you copied when registering the application in your Entra ID tenant.
4. Enable the Use Group Resolution option to use this credential for resolving groups from the directory.
Note: Only one credential is supported per Entra ID tenant.
5. Click Test Credential to ensure the credential can successfully authenticate with the Entra ID tenant before saving the credential.
6. Click Save Credential.


Edit a directory credential
1. From the Directory Credentials grid, click the vertical ellipsis for the credential, and then select Edit.


2. Make the changes required.
Note: For AD or LDAP credentials, if you change the Domain or LDAP Server, enable or disable the Use SSL option, or update the Username or Bind DN, you must change the password. Click Change Password to display fields to enter and confirm the new password.
3. Click Test Credential to ensure the edited credential can successfully authenticate with the domain or domain controller before saving the credential.
4. Click Save Credential.


Note: To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.

Register and configure an application in Entra ID
Before you can create Entra ID credentials and add Entra ID groups and users into BeyondInsight, you must first register and configure an application in the Entra ID tenant where the user accounts reside. The below steps walk through creating a registered application in Entra ID, creating a client secret for the registered app, and configuring API permissions for the registered app.
Create a registered application in Entra ID
Sign in to the Azure portal and connect to the Entra ID tenant where the credentials you wish to add into BeyondInsight reside. Then follow these steps:
1. On the left menu, select App registrations.
2. Click + New Registration.
3. Under Name, enter a unique application name.
4. Under Supported account types, select Accounts in this organizational directory only.
5. Click Register.

Create a client secret for the registered app
1. Select the newly created app from the list of App Registrations (if not already visible).
2. Select Certificates & secrets from the left menu.
3. Click + New Client Secret.
4. Provide a Description and an appropriate Expiry. If you select 1 or 2 years, the directory credential must be refreshed in BeyondInsight with a new client secret before the anniversary of its creation. Record the expiry date so the rotation is not missed; once the secret expires, user and group lookups against the tenant fail.
5. Click Add.

6. Copy the client secret and store it in a safe place. It is required when creating directory credentials for Entra ID in BeyondInsight.
Note: This is the only time this client secret value is displayed.
Assign API permissions to the registered application
1. Select the newly created app from the list of App Registrations.
2. Select API Permissions from the left menu.
3. Click + Add a permission.
4. Click Microsoft Graph.
5. Click Application Permissions.
6. Search for User.Read.All and check the box in the search results.
7. Search for Group.Read.All and check the box in the search results.
8. Click Add permissions.
9. Search for Domain.Read.All and check the box in the search results.
10. Click Add permissions.
Note: These are application (app-only) permissions, so the registered app reads users, groups, and domains in the tenant without a signed-in user. All three are read-only; do not add write permissions, and treat the client secret with the same care as a directory service account password, since anyone holding it can enumerate the tenant.


11. Click Grant Admin Consent for <directory name> to give consent to the app to have those permissions you just added.
12. Click Yes to confirm.


Now that your registered app is created, has a client secret, and has API permissions assigned, select Overview from the left menu and copy the Application (client) ID and the Directory (tenant) ID. Store these in a safe place as these are required when creating directory credentials for Entra ID in BeyondInsight.

For more information on creating and editing directory credentials, see create and edit directory credentials.
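Two checks worth scripting once the registration is done, as an added Python example that is neither BeyondTrust's nor Microsoft's code: decoding the app-only access token the tenant returns for the registration to confirm that the three Graph application permissions actually appear in its roles claim (they do so only after the admin consent in step 11), and flagging a client secret that is close to the expiry chosen in the previous procedure. The token is a constructed, unsigned sample; the request-body function shows the shape of the client-credentials call but sends nothing.

```python
"""Sanity checks on an Entra ID app registration used for a BeyondInsight
directory credential (added example, not part of the product or the guide)."""
import base64
import json
from datetime import date, timedelta

# Application (not delegated) Microsoft Graph permissions the guide has you add.
REQUIRED_APP_ROLES = {"User.Read.All", "Group.Read.All", "Domain.Read.All"}


def token_request_body(client_id, client_secret):
    """Form body for POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
    (client-credentials grant). Nothing is sent here; the values are placeholders."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload of a JWT without verifying it. Acceptable for inspecting a
    token you just obtained from the token endpoint; never acceptable for
    authorising a caller."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_app_roles(token):
    """App roles appear in the 'roles' claim only after admin consent; anything
    listed here means consent was not granted or a permission was skipped."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(REQUIRED_APP_ROLES - granted)


def secret_rotation_due(expires_on, today, warn_days=30):
    """True when the client secret (ISO dates) must be replaced in the directory
    credential within warn_days; an expired secret breaks the tenant lookups."""
    remaining = date.fromisoformat(expires_on) - date.fromisoformat(today)
    return remaining <= timedelta(days=warn_days)


def constructed_token(roles):
    """Unsigned sample token carrying the given roles, for this example only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": roles})
    return header + "." + payload + "."


if __name__ == "__main__":
    tok = constructed_token(["User.Read.All", "Group.Read.All"])
    print("missing after consent:", missing_app_roles(tok))   # ['Domain.Read.All']
    print("rotate soon:", secret_rotation_due("2025-01-15", "2025-01-01"))
```

If Test Credential in BeyondInsight fails right after registration, an empty or short roles claim is the usual reason: the permissions were added but consent was never granted.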

Map directory credentials to a domain
Domain management allows you to map a default primary directory credential and an optional fallback credential as preferred binding credentials used for account resolution against domains in your environment when logging in to BeyondInsight.
Note: If credentials are not mapped, or both mapped credentials fail, BeyondInsight attempts login following the legacy process of not using mapped credentials.
Follow these steps to add or edit primary and secondary credentials for a domain:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click Domain Management.
3. Click Create New Domain + to create a new one.
4. Provide the name of the domain or LDAP server.
5. Select the type of platform.
6. Select a Primary Credential from the dropdown.
7. Select a Fallback Credential from the dropdown.
8. Click Create Domain.
9. To edit credentials for an existing domain, select the domain from the left pane, make your edits, and then click Save Domain.
Tip: Primary and fallback credentials can include Password Safe managed accounts.
When domain management is configured for a domain and a user selects that domain when logging in to BeyondInsight, the specified primary and fallback credentials are used to resolve their account. The credentials used for authentication are shown in the Login Details for the specific login activity on the Configuration > General > User Audits page.

Create a BeyondInsight local group
To create a local group in BeyondInsight, follow these steps:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click User Management.
3. From the Groups tab, click + Create New Group.
4. Select Create a New Group.
5. Enter a Group Name and Description for the group.
6. The group is set to Active by default. Check the box to deactivate it if you prefer to activate it later.
7. Click Create Group.
8. Assign users to the group:
  • Under Group Details, select Users.
  • From the Show dropdown list, select Users not assigned.
  • Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.
  • Select the users you wish to add to the group, and then click Assign User above the grid.

Note: By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group.
Note: When a local user logs in to BeyondInsight for the first time using SAML authentication, BeyondInsight provisions their account by mapping it to the groups named in their SAML claims. For releases prior to 21.3, and for upgrades to the 21.3 release, if the user account's group membership has changed (in the SAML claims provided) upon subsequent logins, BeyondInsight does not deprovision the user by removing them from the groups that were initially mapped to their account. Instead, BeyondInsight maps the user to any newly assigned groups in addition to the groups their account is already mapped to, so the user keeps the permissions of groups they have since left. You can configure BeyondInsight to synchronize group membership each time a local user logs in using SAML, as follows:
1. Navigate to Configuration > Authentication Management > Authentication Options.
2. Under SAML Logon for Local Users, toggle the Enable Group Resync option to enable it. For new installs of release 21.3 and later releases, this option is enabled by default; after an upgrade, verify that it is enabled.
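The difference the Enable Group Resync option makes, as an added Python model that is not BeyondInsight's code: a local user is created with the groups in their first SAML claims, and on later logins the claimed groups either replace their membership (resync on) or are merely added to it (the pre-21.3 behaviour, resync off), so a user moved out of an approver group at the IdP keeps approver rights until someone removes them by hand. The model also applies the rule from the role-based access section above that a user needs at least one permission-bearing group to log in. The group names, and which of them carry permissions, are constructed.

```python
"""What Enable Group Resync changes for SAML-provisioned local users (added example)."""

# Constructed data: BeyondInsight group names, and which of them have permissions
# assigned. A user needs at least one permission-bearing group to log in.
GROUPS_WITH_PERMISSIONS = {"PS-Requesters", "PS-Approvers", "Administrators"}


class LocalUser:
    def __init__(self, username, groups):
        self.username = username
        self.groups = set(groups)


def saml_login(users, username, claimed_groups, resync):
    """Create or update the local user from the SAML group claims, then decide login.

    resync=False models releases before 21.3 (and upgrades with the option off):
    claimed groups are only ever added, so memberships the IdP has withdrawn stay.
    resync=True models Enable Group Resync: membership is replaced on every login.
    Returns (login_allowed, sorted list of the user's groups after this login).
    """
    user = users.get(username)
    if user is None:                      # first SAML login provisions the account
        user = users[username] = LocalUser(username, claimed_groups)
    elif resync:
        user.groups = set(claimed_groups)
    else:
        user.groups |= set(claimed_groups)
    allowed = bool(user.groups & GROUPS_WITH_PERMISSIONS)
    return allowed, sorted(user.groups)


def approver_moved_to_requester(resync):
    """Alice is moved from PS-Approvers to PS-Requesters at the IdP between logins."""
    users = {}
    saml_login(users, "alice", ["PS-Approvers"], resync)
    return saml_login(users, "alice", ["PS-Requesters"], resync)


if __name__ == "__main__":
    print("resync off:", approver_moved_to_requester(False))  # still an approver
    print("resync on: ", approver_moved_to_requester(True))
    print("no permissions:", saml_login({}, "bob", ["Marketing"], True))
```

With resync off, the only way to revoke Alice's approver rights is to edit her group membership in BeyondInsight directly; removing her from the group at the IdP is not enough.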

Add an Active Directory group
Active Directory (AD) group members can log in to the management console and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.
Tip: The Log in to list is only displayed on the Login page when there are either AD or LDAP user groups created in the BeyondInsight console. The Log in to list is displayed by default, but may be disabled / enabled by an admin user by toggling the Show list of domains/LDAP servers on login page setting from Configuration > System > Site Options page.
Note: AD users must log in to the management console at least once to receive email notifications.
To create an Active Directory group in BeyondInsight:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click User Management.
3. From the Groups tab, click + Create New Group.
4. Select Add an Active Directory Group.


5. Select a credential from the list.
Note: If you require a new credential, click Create New Credential to create one. The new credential is added to the list of available credentials.
6. If the Domain field is not automatically populated, enter the name of a domain or domain controller.
7. After you enter the domain or domain controller credential information, click Search Active Directory. A list of security groups in the selected domain is displayed.


Note: The default filter is an asterisk (*), which is a wild card filter that returns all groups. For performance reasons, a maximum of 250 groups from Active Directory is retrieved.
8. Set a filter on the groups to refine the list, and then click Search Active Directory.
Example: Sample filters:
  • a* returns all group names that start with "a"
  • *d returns all group names that end with "d"
  • *sql* returns all groups that contain "sql" in the name
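The wildcard filter from the examples above, as an added Python illustration that is not the product's own query: it turns the pattern into an LDAP search filter with RFC 4515 escaping, so a pattern containing parentheses or backslashes cannot alter the filter's structure, and it applies the same matching plus the 250-group cap locally against a constructed group list so you can see which names a given pattern returns and whether the cap was hit. The objectClass/groupType form of the filter is an assumption about how the search is issued, not taken from the guide.

```python
"""The AD group search wildcard, as an LDAP filter and as a local match (added example)."""
from fnmatch import fnmatchcase

MAX_GROUPS = 250  # the retrieval cap stated in the guide

# Constructed sample of group names as a domain might return them.
SAMPLE_GROUPS = ["Administrators", "sql-admins", "app-sql-readers",
                 "Backup Operators", "Domain Admins", "Vault-Guard"]

# Bitwise AND rule; 0x80000000 in groupType marks a security-enabled group.
SECURITY_GROUP = "(groupType:1.2.840.113556.1.4.803:=2147483648)"


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value. '*' is left alone on purpose
    because the UI pattern is a wildcard; the characters that could change the
    filter's structure ('(', ')', '\\' and NUL) become their \\hh escapes."""
    escaped = []
    for ch in value:
        if ch in "()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def group_search_filter(pattern):
    """Assumed shape of the directory query: security groups whose cn matches."""
    return "(&(objectClass=group)%s(cn=%s))" % (SECURITY_GROUP, escape_filter_value(pattern))


def apply_filter(pattern, group_names, limit=MAX_GROUPS):
    """Local equivalent of the search: case-insensitive wildcard match on the name,
    truncated to the cap. Returns (matches, truncated) so a caller can tell a
    short list from a capped one and narrow the pattern instead."""
    matches = [g for g in group_names if fnmatchcase(g.lower(), pattern.lower())]
    return matches[:limit], len(matches) > limit


if __name__ == "__main__":
    for pattern in ("a*", "*d", "*sql*", "a(b"):
        print(pattern, "->", group_search_filter(pattern), apply_filter(pattern, SAMPLE_GROUPS))
```

If the second element of the apply_filter result is True, the list you are looking at is the first 250 matches only; tighten the pattern rather than assuming the group you want is missing from the domain.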


9. Select a group, and then click Add Group.


10. The group is added and set to Active. Its members are not yet provisioned; synchronization with AD to retrieve the group's users begins immediately.
11. Once the group has been synced with AD, you can view the users assigned to the group by selecting Users from the Group Details pane.
Tip: Use the filters above the grid to narrow down the list of users displayed in the grid by Type, Username, Name, Email, or Domain, or to show users not assigned to the group.
Note: By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group.
For more information on creating and editing directory credentials, see create and edit directory credentials.

Propagate domain changes to group members
Domain changes can be propagated to all users in a group by enabling the Propagate this change to all group members option for the group. By default, this is set to OFF. When enabled, changes to the preferred domain controller at the group level are applied to all group members. When creating a new group, we advise turning this setting on by editing the new group details. This ensures that all users in the new group get a preferred domain controller from the initial setup of the group.

Add an Entra ID group
Entra ID group members can log in to the management console using SAML authentication and perform tasks based on the permissions assigned to the group. Upon logging into BeyondInsight, users can select a domain from the Log in to list on the Login page.
Tip: The Log in to list is only displayed on the Login page when there are either AD or LDAP user groups created in the BeyondInsight console. The Log in to list is displayed by default, but may be disabled / enabled by an admin user by toggling the Show list of domains/LDAP servers on login page setting from Configuration > System > Site Options page.
Note: AD users must log in to the management console at least once to receive email notifications.
Note: Direct Connect does not support using SAML as an authentication method. Therefore, Direct Connect is not available with Entra ID accounts.
Create an Entra ID group in BeyondInsight, as follows:
1. From the left sidebar, click Configuration.
2. Under Role Based Access, click User Management.
3. From the Groups tab, click + Create New Group.

4. Select Add a Microsoft Entra ID Group.
5. Select a credential from the list.
Note: If you require a new credential, click Create a New Credential to create a new credential. The new credential is added to the list of available credentials.
6. Click Search Microsoft Entra ID. A list of security groups displays.

Note: For performance reasons, a maximum of 250 groups from Entra ID is retrieved. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Use the group filter to refine the list.
7. Set a filter on the groups that are to be retrieved, and then click Search Microsoft Entra ID.
Example: Sample filters:
• a* returns all group names that start with "a".
• *d returns all group names that end with "d".
• *sql* returns all groups that contain "sql" in the name.
8. Select a group, and then click Add Group.

9. The group is added and set to Active but not provisioned or synchronized with Entra ID. Synchronization with Entra ID to retrieve users begins immediately.
10. Once the group has been synced with Entra ID, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section and then using the filters.

Note: By default, new groups are not assigned any permissions. You must assign permissions on features and Smart Groups after creating a new group.
Note: To use Entra ID credentials for logging into BeyondInsight, the accounts must use SAML authentication.
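The wildcard filters shown for the AD group search (step 8 above) and the Entra ID group search (step 7) use the same three forms, and the Entra ID search also caps the result at 250 groups. The following is an added example, not code from the guide or from BeyondTrust, that models that filter-and-cap behaviour so you can see what a too-broad filter hides. It assumes that only `*` is a wildcard, that matching is case-insensitive, and that the cap keeps the first 250 matches in directory order; none of these details are stated by the guide. The group names are constructed sample data.

```python
import re

# Cap stated in the guide for the Entra ID group search. Applying it by
# truncating the match list is an assumption; the guide does not say
# which 250 groups are kept when more match.
MAX_GROUPS = 250

# Constructed sample directory (not real group names): a handful of
# hand-picked names plus 300 generated ones so the cap is exceeded.
NAMED_GROUPS = ["Admins", "App-SQL-Owners", "sqladmins", "Helpdesk",
                "Finance-Prod", "Backup-Operators", "ad"]
SAMPLE_GROUPS = NAMED_GROUPS + [f"auto-group-{i:03d}" for i in range(300)]


def filter_to_regex(pattern: str) -> re.Pattern:
    """Translate the guide's wildcard filter into an anchored regex.

    Only '*' is special (any run of characters); everything else goes
    through re.escape and is matched literally, so '.', '(' or '+' in a
    pattern cannot widen the match. Case-insensitive matching is an
    assumption; the guide does not state how case is handled.
    """
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE)


def search_groups(groups, pattern="*", limit=MAX_GROUPS):
    """Return (visible_groups, truncated) for a filter.

    visible_groups is the first `limit` matches in directory order;
    truncated is True when more groups matched than the cap allows, which
    means the group you want may exist in the directory but not be listed.
    """
    rx = filter_to_regex(pattern)
    matches = [g for g in groups if rx.match(g)]
    return matches[:limit], len(matches) > limit


def is_visible(groups, pattern, wanted):
    """True if `wanted` would appear in the search result for `pattern`."""
    visible, _ = search_groups(groups, pattern)
    return wanted in visible


if __name__ == "__main__":
    for pat in ("a*", "*d", "*sql*", "auto-group-29*"):
        visible, truncated = search_groups(SAMPLE_GROUPS, pat)
        flag = f" (truncated at {MAX_GROUPS}, narrow the filter)" if truncated else ""
        print(f"{pat:>15}: {len(visible)} shown{flag}")
    # The default '*' filter hides auto-group-299 behind the cap; a narrower
    # filter makes it selectable.
    print("auto-group-299 visible with '*':",
          is_visible(SAMPLE_GROUPS, "*", "auto-group-299"))
    print("auto-group-299 visible with 'auto-group-29*':",
          is_visible(SAMPLE_GROUPS, "auto-group-29*", "auto-group-299"))
```

The practical check this illustrates: if the search reports the cap (or the group you expect is missing), do not assume the group does not exist or pick a similarly named one; tighten the filter until the intended group appears, then confirm its members after the sync before assigning permissions.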

For more information on creating and editing directory credentials, see create and edit directory credentials.

Add an LDAP group
LDAP group members can log in to the BeyondInsight console and perform tasks based on the permissions assigned to the group. The group can authenticate agai
