Configure BeyondTrust PowerBroker Password Safe to Interoperate with Okta via RADIUS

Okta and BeyondTrust interoperate through either RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IDP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on a chiclet, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0. For each Password Safe deployment, you can assign one or more authentication providers. Each RADIUS authentication profile maps to to a group of users via a filter (All Users, All Local Users, All DomainA domain is an attribute of an Okta organization. Okta uses a fully-qualified domain name, meaning it always includes the top-level domain (.com, .eu, etc.), but does not include the protocol (https). Users, Domain Contains, etc). Using RADIUS, Okta’s agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. translates RADIUS authentication requests from BeyondInsight, the BeyondTrust web application and console, into Okta API calls.

This guide details how to configure BeyondTrust PowerBroker Password Safe to use the Okta RADIUS Server Agent.

If you want to integrate with Okta via SAML 2.0, add the BeyondTrust SAML appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in Okta by navigating to the Applications tab, select Applications > Add Application, search for BeyondTrust, then click Add.

For the BeyondInsight SAML configuration, see the instructions on your Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console on the Sign On page for the BeyondInsight configuration.

There are five parts to the configuration, including optional settings and troubleshooting help; a list of additional resources is also provided.