Context and Objectives
Password Safe and Password Safe Cloud allow for multiple SAML Identity Providers or Configurations. Organizations want to be able to automate provisioning of Password Safe accounts and permissions, while providing an efficient User Experience to different categories of end-users, starting with Single Sign-On or SSO. This guide provides a comprehensive combination of integrations to achieve the goals below, featuring Microsoft Entra ID for SSO and SailPoint Identity Security Cloud or ISC for provisioning.
• Leverage Entra ID for SSO
• Leverage SailPoint ISC for Access Governance
• Provide all End-Users an effective User Experience
Password Safe and Entra ID - SSO
We want to be able to provision accounts and permissions via the Password Safe SCIM API, and allow provisioned Users to be able to Single Sign-On via Entra ID.
First we need to log in to Entra ID as an Administrator, and navigate to Enterprise Applications. Click New Application.
Search for and select BeyondTrust SAML.
Configure Single Sign-On for the new BeyondTrust SAML Application. Identifier and Reply URL will be obtained from Password Safe SAML Configuration below.
Configure Attributes and Claims. We are using user.userprincipalname for Email, but this can be changed to another attribute like mail, as long as it contains the email address for Users. We are also using user.mailnickname for Name ID.
The EntraIDUsers Group we are including in the Assertion does not grant any permissions in Password Safe.
For all attributes, set Name format to Unspecified.
We need to download the Certificate (Base64) so we can import it within the Password Safe SAML Configuration. We also need to copy the Login URL and Microsoft Entra Identifier into the SAML Configuration.
Log in to the Password Safe web console (BeyondInsight) as an administrator, and navigate to Configuration, SAML Configuration.
Create a new SAML Identity Provider.
Import the Certificate and copy the Login URL into Single Sign-On Service URL. Also copy the Microsoft Entra Identifier into Entity ID. The Entity ID and ACS URL are available under Service Provider Settings.
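As an added example (not part of this guide or of BeyondTrust's tooling), the three values copied above can also be pulled from the Entra ID application's federation metadata XML and re-checked later against what is configured in Password Safe. The metadata sample is constructed, and the returned keys are named after the Password Safe SAML Identity Provider fields used in this guide.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Entra ID federation metadata; the tenant id and the
# certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC...CERT-PLACEHOLDER...IDAQAB</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
def password_safe_saml_settings(metadata_xml):
    """Map IdP metadata onto the fields of a Password Safe SAML Identity Provider entry."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not SAML metadata (no EntityDescriptor root)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":      # a missing 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))      # drop the line wrapping of the Base64 body
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % REDIRECT, NS)
    if not certs or sso is None:
        raise ValueError("metadata lacks a signing certificate or an HTTP-Redirect SSO endpoint")
    return {"entity_id": root.get("entityID"),                  # -> Entity ID
            "single_sign_on_service_url": sso.get("Location"),  # -> Single Sign-On Service URL
            "signing_certificates_base64": certs}               # -> Certificate (Base64) import

def saml_config_drift(configured, metadata_xml):
    """Return the Password Safe fields that no longer match the IdP metadata (e.g. after a cert rollover)."""
    live = password_safe_saml_settings(metadata_xml)
    drift = [k for k in ("entity_id", "single_sign_on_service_url") if configured.get(k) != live[k]]
    if configured.get("certificate_base64") not in live["signing_certificates_base64"]:
        drift.append("certificate_base64")
    return drift
```

Entra ID publishes the same Location for the HTTP-Redirect and HTTP-POST bindings, so either yields the Login URL; the drift check is what catches a signing certificate that Entra has rolled over while Password Safe still holds the old one.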
Navigate to Configuration, Authentication Options. Uncheck the box for Enable Group Resync and click Update SAML Logon for Local Users Options.
Note: Unchecking Enable Group Resync allows SailPoint to provision Groups for the Users without those Groups having to be present in the SAML Assertion coming from Entra ID. With the box checked, Groups that are not part of the SAML Assertion are de-provisioned, or removed, at Sign-On time.
Note: Groups that are listed in the SAML Assertion are still added even if Enable Group Resync is unchecked, so make sure only authorized Entra ID users can modify the Entra ID SAML Assertion for the Password Safe Entra ID Enterprise Application.
Entra ID Single Sign-On
The recommended strategy is to use an Entra ID Group to allow specific users to be able to see the Password Safe SSO App within their Entra ID App portal.
Access to the Password Safe SAML SSO App is granted via a Group.
Users that are members of the Entra ID Password Safe App Group can see the App via https://myapps.microsoft.com
SCIM and provisioning
We need to create a Group and User to allow SailPoint to use the SCIM API for provisioning and visibility.
The following features are required for SailPoint to be able to configure and access the SCIM API for Password Safe.
For each Managed Account Smart Group, we need to assign Read-Only permission. A Password Safe role is not required.
IMPORTANT: Only Smart Groups/Rules with Category = Managed Accounts are manageable via the SCIM API. Smart Groups with Category = Platforms or Custom, while functionally equivalent to Managed Accounts, are not visible via the SCIM API today.
We need to create and add a User to the Group.
We need to navigate to Configuration then Connectors and create the SCIM Connector. Only 1 SCIM Connector can be created for each instance of Password Safe.
We need to authenticate to Password Safe as the SCIM Service Account to obtain the Client ID and Client Secret. Each User account has its own Client ID and Client Secret.
Note: While a Refresh Token can also be used, for testing it is recommended to use Client Credentials.
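As an added example (not BeyondTrust's or SailPoint's code), a minimal SCIM 2.0 client covering the calls the SailPoint source makes through this connector with the Client ID and Client Secret obtained above: a client-credentials token request, a lookup by userName, a User create carrying the work e-mail used for correlation, and a PatchOp adding the User to a Password Safe Group. The token path `/oauth/connect/token` and the SCIM root `/scim/v2` are assumptions; take the real URLs from the SCIM Connector page.

```python
import base64, json
from urllib import parse, request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def user_payload(user_name, work_email, display_name):
    # The work e-mail is the attribute the SailPoint account correlation rule keys on.
    return {"schemas": [USER_SCHEMA], "userName": user_name, "displayName": display_name,
            "active": True, "emails": [{"value": work_email, "type": "work", "primary": True}]}

def add_member_payload(user_id):
    # RFC 7644 s3.5.2 PatchOp: adds one member and leaves the group's other members in place.
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}]}

class PasswordSafeScim:
    TOKEN_PATH = "/oauth/connect/token"   # assumed; take the real paths from the SCIM Connector page
    SCIM_PATH = "/scim/v2"                # assumed
    def __init__(self, base_url, client_id, client_secret, send=None):
        self.base = base_url.rstrip("/")
        self.basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.send = send or self._http    # a test can inject a fake transport here
        self.token = None
    def _http(self, method, url, headers, body):
        req = request.Request(url, data=body, method=method, headers=headers)
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    def authenticate(self):
        # OAuth 2.0 client credentials grant (RFC 6749 s4.4); the secret travels only in the Basic header.
        hdrs = {"Authorization": "Basic " + self.basic, "Content-Type": "application/x-www-form-urlencoded"}
        status, tok = self.send("POST", self.base + self.TOKEN_PATH, hdrs, b"grant_type=client_credentials")
        if status != 200 or "access_token" not in (tok or {}):
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = tok["access_token"]
    def _scim(self, method, path, body=None):
        if self.token is None: self.authenticate()
        hdrs = {"Authorization": "Bearer " + self.token, "Content-Type": "application/scim+json"}
        data = json.dumps(body).encode() if body is not None else None
        status, doc = self.send(method, self.base + self.SCIM_PATH + path, hdrs, data)
        if status >= 400:
            raise RuntimeError(f"SCIM {method} {path} failed: HTTP {status}")
        return doc
    def find_user(self, user_name):
        # json.dumps quotes the value as a SCIM filter string literal, so quotes in input cannot alter the filter
        doc = self._scim("GET", "/Users?filter=" + parse.quote("userName eq " + json.dumps(user_name)))
        return doc["Resources"][0] if doc.get("totalResults") else None
    def create_user(self, user_name, work_email, display_name):
        return self._scim("POST", "/Users", user_payload(user_name, work_email, display_name))
    def add_to_group(self, group_id, user_id):
        return self._scim("PATCH", "/Groups/" + group_id, add_member_payload(user_id))
```

Because the Group membership is written by SCIM rather than carried in the SAML Assertion, it survives Sign-On only while Enable Group Resync is unchecked, as described in the SSO section above.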
SailPoint Identity Security Cloud and Provisioning
We need to have a configured Entra ID Source or Connector in SailPoint to be able to provision Users into Entra ID and the Password Safe App Group. Refer to SailPoint documentation for configuring and deploying the Entra ID Source or Connector: https://documentation.sailpoint.com/connectors/microsoft/entra_id/help/integrating_entra_id/introduction.html
Entra ID: Password Safe App Group after aggregation.
Entra ID Source or Connector in SailPoint ISC with Access Profile for Password Safe App Group.
The Access Profile contains the Password Safe App Group entitlement.
SailPoint ISC Source for Password Safe (SCIM)
Note: For instructions specific to SailPoint IdentityIQ, see the separate IdentityIQ integration documentation.
Log in to SailPoint ISC as an administrator, navigate to Connections/Sources, and create a New Source.
We can search for BeyondTrust.
Provide the URLs and OAuth Client Credentials. Click Save.
You should be able to successfully Review and Test at this point.
Configure an Account Correlation rule, for example using Work Email.
Modify the Create Account form to Generate a Random password.
At this point, you are ready to aggregate Accounts and Entitlements (Groups).
Set a Password Safe Group as Requestable.
Create an Access Profile for each Password Safe Group you want to make requestable.
Provisioning example – Request Center and Applications
Note: While it is possible to add the Access Profiles to Roles, we will use Applications for testing the configuration.
We need 2 Applications to test the configuration: One for the Entra ID Account and Password Safe App, and one for the Local Account and Password Safe Group.
Application for the Entra ID Account and Password Safe App.
Application for the Password Safe Local Account and Group.
Now let’s go to Request Center and request both Applications for a test user that does not have a Password Safe or Entra ID account yet.
Request Center: Request for Others.
Add Entra ID Application to the request.
Add Application for Password Safe Group to the request.
Review Request for the 2 Applications then click Submit Request.
Request Center: View Requests shows both requests completed successfully.
Now we can log in to Entra ID myapps as the test User and try to access Password Safe.
Entra ID myapps portal for test User.
Our test User should be able to Single Sign-On into Password Safe.
As a Password Safe administrator, we can see the test User has the right Groups assigned.
We can see that the test User has been created and added to the correct Groups.
Troubleshooting
If you run into issues, the logs can be accessed via Configuration, then System Event Viewer:
System Event Viewer.