Configure external Identity Provider integration

This topic describes how to configure Remote Access integration with an external Identity Provider.

Overview

Remote Access can integrate with external identity providers that use SAML protocol, so that company users can continue to access their applications via your organization's existing SSO, while accessing PAM - Self-Hosted via Remote Access as well.

Enable/disable IdP integration

By default, the external IdP is enabled after you set and save the external Identity Provider configuration.

To disable the external Identity Provider integration:

In the Remote Access portal, click Settings > User management sources , and select External IdP.
Set the Enable integration toggle to off. Users cannot authenticate to Remote Access via the external IdP until you enable it again.

Configure service provider properties

This section describes the service provider properties that you configure in the external identity provider and in Remote Access.

Step 1: Enter the required Remote Access settings in the external IdP

Use one of these methods to copy the properties you need to configure in the external IdP .

Copy or download an XML file
Manually copy required URLs and settings

The XML file contains all the URLs and settings that are required to integrate Remote Access with the external IdP.

Copy or download the XML files.
Set the following user attributes & claims:

Property	Value
sAMAccountName	sAMAccountName
emailaddress	Email Address
objectidentifier	Object ID

Copy the following details into the relevant fields in the external IdP configuration page.

URL type	Details
Audience (Identity ID)	Depending on the IdP, this may also be known as the Audience URI.
Assertion Consumer Service	Depending on the IdP, this may also be known as the Single Service Sign-On URL.

Property	Value
Name ID	UserPrincipalName This setting defines the identifier that the external IdP passes to Remote Access to identify the user.
Signed Authentication Request	False
Signed Assertion	True
Encrypted Assertion	False
HTTP-POST Binding Response	True
HTTP-POST Binding for AuthnRequest	True

Property	Value
sAMAccountName	sAMAccountName
emailaddress	Email address
objectidentifier	Object ID

Step 2: Configure the external Identity Provider parameters in Remote Access

Upload metadata
Manually copy the metadata

The external IdP metadata includes all the URLs and certificate details that are required to integrate the external IdP with Remote Access.

Click Upload metadata.

Paste or type the external IdP Single Sign On URL.
Upload the IdP server certificate. This must be base-64 encoded x.509, with a .cer or .pem extension.

Step 3: Set enforcement

Specify whether user login is only via the IdP or also allowed using a QR scan.

Setting	Description
Enforce user login only via external IdP authentication.	Toggle between the following: Allow login via external IdP or QR authentication Allow login only via external IdP Default: Off

Setting

Description

Enforce user login only via external IdP authentication.

Toggle between the following:

Allow login via external IdP or QR authentication

Allow login only via external IdP

Default: Off

Set user credentials re-authentication

You can set a time interval for when users need to re-authenticate their user credentials.

Default is set to every 30 days.