Configure BeyondTrust PowerBroker Password Safe to Interoperate with Okta via RADIUS
Okta and BeyondTrust interoperate through either RADIUS or SAML 2.0. For each Password Safe deployment, you can assign one or more authentication providers. Each RADIUS authentication profile maps to a group of users via a filter (All Users, All Local Users, All Domain Users, Domain Contains, etc.). Using RADIUS, the Okta RADIUS Server Agent translates RADIUS authentication requests from BeyondInsight, the BeyondTrust web application and console, into Okta API calls.
This guide details how to configure BeyondTrust PowerBroker Password Safe to use the Okta RADIUS Server Agent.
If you want to integrate with Okta via SAML 2.0 instead, add the BeyondTrust SAML app in Okta: navigate to Applications > Applications > Add Application, search for BeyondTrust, and then click Add.
For the BeyondInsight SAML configuration, follow the instructions on the Sign On page of the BeyondTrust app in your Okta Admin Console.
There are five parts to the configuration, including optional settings and troubleshooting help; a list of additional resources is also provided.
Configuring PowerBroker Password Safe to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.
- Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
After installing the Okta RADIUS Agent, ensure that you have met these minimum requirements for network connectivity:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | tcp/443 | Configuration and authentication traffic |
| BeyondTrust PowerBroker Password Safe | Okta RADIUS Agent | udp/1812 RADIUS (the actual port number is defined in the next step) | RADIUS traffic between Password Safe (RADIUS client) and the Okta RADIUS Agent (RADIUS server) |
Restrict the agent's RADIUS UDP port to the Password Safe hosts only. RADIUS over UDP has no transport encryption; the user password is only obfuscated with an MD5 keystream derived from the shared secret, so the segment between Password Safe and the agent should be treated as trusted and the secret kept long and random.
In this step, add the BeyondTrust MFA (RADIUS) app from the Okta Integration Network (OIN) and apply settings specific to your deployment. In this section we will configure the following:
- Authentication configuration
- Application Username Format
Note: The U2F Security Key and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations, because a RADIUS exchange has no browser session in which those factors can be exercised. For additional information about the RADIUS apps, refer to Configuring RADIUS applications in Okta.
Some optional advanced RADIUS configuration options, which help with reporting the client IP and sending group information to Password Safe, are listed at the end of this document.
In Okta, navigate to Applications > Applications > Add Application, search for BeyondTrust MFA (RADIUS), and then click Add Application.
- Enter a unique name.
Provide the following Sign On values:
- Authentication: Keep this default so that Okta performs primary authentication.
- UDP Port: Required. Each RADIUS app must listen on its own UDP port on the agent host; enter it here. This is the Authentication Port you will enter in the BeyondInsight RADIUS server profile in Part 3.
- Secret Key: Required. Enter the shared secret the agent uses to recover the hidden user password and to authenticate its responses. It must be identical to the Shared Secret you enter in the BeyondInsight RADIUS server profile in Part 3. Use a long random value: RADIUS hides the password with MD5(secret, authenticator), so a short secret can be recovered offline from captured traffic.
- Application username format: Determines how the RADIUS client sends the username. Select an option from the drop-down menu.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
In Part 3 you define a RADIUS Server Profile in BeyondInsight and assign the profile to users.
Sign in to the BeyondInsight console with sufficient privileges.
Navigate to Configuration > MULTI-FACTOR AUTHENTICATION > RADIUS, and then click + to define a new RADIUS server. The screen shown below opens:
Enter an Alias that is unique and appropriate, and enter the following server settings, as shown above.
- Host (Okta RADIUS Agent Server)
- Authentication Mechanism: PAP (the Okta RADIUS Agent must recover the password to validate it against Okta and to read the user's MFA response from the same field, so hash-based mechanisms such as CHAP cannot be used)
- Authentication Port (the UDP Port configured in the Okta app)
- Authentication Request Timeout (sec): 30 (long enough for the user to approve an Okta Verify push)
- Shared Secret (identical to the Secret Key configured in the Okta app)
- Initial Request and Initial Prompt (if needed)
Navigate to Configuration > USERS & GROUPS, then select the Group that contains the test user, then select the user. Configure RADIUS Authentication for the test user as shown below:
In Part 4 we access BeyondInsight using our test user.
Use a browser to access BeyondInsight and provide the credentials for the test user, as shown below:
Select the authentication method; for example, option 2 for Okta Verify Push, as shown below:
Once you approve the request on your Okta Verify mobile application, you should be allowed in BeyondInsight as the test user, as shown below:
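If the test login fails, it helps to take BeyondInsight out of the loop and drive the agent directly. The following is an added example, not Okta or BeyondTrust code: a minimal RFC 2865 RADIUS/PAP client in Python that performs the same exchange Password Safe performs (an Access-Request with the PAP-hidden User-Password, an Access-Challenge carrying the factor menu in Reply-Message plus a State attribute, and a second Access-Request carrying the chosen option and the echoed State), and verifies the Response Authenticator so that a mismatched shared secret is reported as such instead of looking like an ordinary reject. The host name, port, secret and test account in the main block are placeholders, and the menu numbering depends on which factors the test user has enrolled.

```python
"""Minimal RFC 2865 RADIUS/PAP test client for an Okta RADIUS Agent.
Added example, not Okta or BeyondTrust code; host, port, secret and
account in the main block are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block),
    the first keyed by the Request Authenticator. Obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the agent does on receipt."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_request(ident, req_auth, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(data, secret, req_auth):
    """Client-side check; a mismatch means differing secrets or a spoofed reply."""
    expected = hashlib.md5(data[:4] + req_auth + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])

def parse_packet(data):
    """Return (code, identifier, authenticator, {attr type: [values]})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return code, ident, data[4:20], attrs

def authenticate(host, port, secret, username, password, choose_factor, timeout=30.0):
    """Access-Request -> Access-Challenge (factor menu in Reply-Message, plus State) ->
    Access-Request carrying the choice and echoed State -> Access-Accept/Reject."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)  # must outlast a push approval, like BeyondInsight's 30 s
    ident, state, reply = 0, None, password.encode()
    while True:
        ident = (ident + 1) & 0xFF
        req_auth = os.urandom(16)
        attrs = [attr(USER_NAME, username.encode()),
                 attr(USER_PASSWORD, hide_password(reply, secret, req_auth))]
        if state is not None:
            attrs.append(attr(STATE, state))
        sock.sendto(build_request(ident, req_auth, attrs), (host, port))
        data, _ = sock.recvfrom(4096)
        code, rid, _, rattrs = parse_packet(data)
        if rid != ident or not verify_response(data, secret, req_auth):
            raise RuntimeError("Response Authenticator mismatch: check the shared secret")
        menu = b"\n".join(rattrs.get(REPLY_MESSAGE, [])).decode(errors="replace")
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT, menu
        state, reply = rattrs[STATE][0], choose_factor(menu).encode()

if __name__ == "__main__":
    def pick_push(menu):  # placeholder chooser: show the menu, pick option 2
        print(menu)
        return "2"
    ok, text = authenticate("radius-agent.example.internal", 1812, b"change-me",
                            "test.user@example.com", "P@ssw0rd", pick_push)
    print("Access-Accept" if ok else "Access-Reject", text)
```

Run it from a host that is allowed through to the agent's UDP port. An Access-Reject with a valid Response Authenticator means the agent received the request and Okta declined it (check the user's app assignment and factor enrollment); a RuntimeError means the secret entered in the Okta app and the one entered in BeyondInsight differ; a socket timeout means the port or host is wrong or filtered.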
In Part 5 we briefly discuss troubleshooting options.
Within BeyondInsight as an administrator, navigate to Configuration > Services, as shown below:
You can view the BeyondInsight Web Site logs here, as shown below:
Access the Okta RADIUS Agent logs, as shown below:
- Okta Documentation - Configuring Sign On Policies
- BeyondTrust customer portal - https://beyondtrustsecurity.force.com/customer/login