Description
We’re excited to announce the Credential Provider integration for BeyondTrust Password Safe Cloud (Secrets Management)! This new integration helps facilitate credential cycling, making your secrets management smoother and more secure.
Problem
Credential rotation is the practice of regularly changing and updating credentials to reduce the risk of unauthorized access. By rotating credentials on a regular basis, organizations can limit the window of opportunity for attackers to exploit compromised credentials.
A few reasons to rotate credentials regularly include:
- Mitigating the risk of credential theft
- Compliance requirements
- Minimizing the impact of a breach
- Enhancing security posture
Solution
Credential Provider Integration, a framework that supports fetching the latest credentials “always” from Privileged Access Management systems so that sources can carry out their interaction with target systems, ensures that the organization meets the security needs.
This release aims to provide the Credential Provider Integration for BeyondTrust Password Safe Cloud (Secrets Management).
Additional Resources
For more details, refer to BeyondTrust Password Safe Cloud (Secrets Management) Credential Provider Documentation
Important Dates
General Availability: June 17, 2025
Great news. Thank you @deepesh_kumar for delivering this much-anticipated integration!
The new Credential Provider integration with BeyondTrust Password Safe Cloud is a crucial advancement in secure secrets management. As credential rotation remains a key best practice for reducing exposure to credential-based threats, this integration enables organizations to seamlessly fetch the most up-to-date credentials at runtime — reducing manual effort and significantly enhancing security posture.
As a next step, it would be great to see similar integrations planned for other credential management solutions such as LastPass, CyberArk WPM (Workforce Password Management), and other widely adopted secrets vaults.
Definitely @TheOneAMSheriff. Could you help us by creating an Idea on this via the SailPoint Ideas Portal?
Absolutely @deepesh_kumar GOV-I-4497 created in the ideas portal for the same, thank you.
Hello All,
Has anyone tried to fetch secrets from secretsafe instead of managed passwords? How can we access things like Client IDs, Client secrets, refresh tokens or static passwords that are only stored in secret safe and are not being rotated? Are there any enhancements open for that?
Hi - we do not support SecretSafe and are only supporting PasswordSafe as recommended by OEM.
@deepesh_kumar Thanks for your response. For the BeyondTrust integration, what host URL do we use? I have tried just the cloud URL https://.ps.beyondtrustcloud.com/ and the API URL https://.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/ but every time I am getting the same error of “No matching credential provider found with given name”. I have tested the credentials via Postman and it works.
Looking for any leads here.
@parbodhverma : I recommend using the SailPoint support to resolve this issue.
Thank you Deepesh, but I do not think the support engineers have the answer on what the setup should look like and they are almost always pointing to PS for next steps.
I think there is an opportunity to make the credential provider better by updating the documentation to clearly describe what endpoint to use on the BT side and maybe add a test connection/health check functionality to it. An idea already exists to request this enhancement - Test Connection as part of External | SailPoint Ideas Portal
Hi @parbodhverma: Thanks for the input. While we can look at improving the document, we already know about the “Test Connection” limitation. The issue with implementing that is that Cred Providers do not respond till you make a transaction.
Hi @parbodhverma: The error you are getting (No matching credential provider found with given name) is because you have not defined the Credential Provider name or it is misspelled in the secret path defined to fetch the credentials for a particular source. The Host URL is the instance URL which you normally use to connect to the Cloud Instance.
Ex: secrets://{CredentialProviderName}/{SecretURL}.
The highlighted text should have some value and it should match with the name of the Credential Provider.
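A pre-flight check for the secrets://{CredentialProviderName}/{SecretURL} format described above, as an added example that is not SailPoint's or BeyondTrust's code. The provider names and paths are constructed, `lint_secret_path` is a hypothetical helper, and requiring an exact name match (raw or percent-decoded) is an assumption about how the lookup behaves.

```python
from urllib.parse import unquote

SCHEME = "secrets://"


def lint_secret_path(secret_path, configured_names):
    """Return findings for a secrets:// path; an empty list means none."""
    if not secret_path.startswith(SCHEME):
        return [f"path does not start with {SCHEME}"]

    # Split "secrets://<provider name>/<secret URL>" at the first slash.
    name, _, secret_url = secret_path[len(SCHEME):].partition("/")
    findings = []

    if not name:
        findings.append("credential provider name is empty")
    elif name.startswith("{") and name.endswith("}"):
        findings.append(f"placeholder {name} was not replaced")
    elif not {name, unquote(name)} & set(configured_names):
        # Assumption: the lookup needs an exact name match. Accept the raw
        # or the percent-decoded form, then look for a near miss to report.
        wanted = unquote(name).strip().casefold()
        near = [c for c in configured_names if c.strip().casefold() == wanted]
        msg = f"no configured provider named {name!r}"
        if near:
            msg += f"; closest configured name is {near[0]!r}"
        findings.append(msg)

    if not secret_url:
        findings.append("secret URL after the provider name is empty")
    return findings


if __name__ == "__main__":
    # Constructed provider names and paths, for illustration only.
    configured = ["BT", "PasswordSafe Prod"]
    for path in (
        "secrets://BT/constructed/secret/path",
        "secrets://bt/constructed/secret/path",
        "secrets://{CredentialProviderName}/{SecretURL}",
        "secrets:///constructed/secret/path",
    ):
        print(path, "->", lint_secret_path(path, configured) or "ok")
```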
Hi @deepesh_kumar, not to solution anything here, but the BeyondTrust API requires authenticating to the tenant before making the call. Maybe that's a way to test the connection: REST API GUIDE | PS
Hi @Rajat_Majumder
I do feel that it could be the same issue but my credentials provider name is very simple just 2 letters and I have URL encoded it as well. The issue is probably not the credential provider name, unless there are some restrictions to the naming that are not mentioned in the documentation.
This has been working now. Thank you everyone for their help.