I'm having a use case issue: we bring the group and user directly from AD. When I log in through Workforce, it takes a long time and doesn't inject the credentials. I don't know if the tool only supports local users? I have that question.
Regards.
Question
Does Workforce support SAML?
+1Yes, BeyondTrust Password Safe, Workforce Passwords module, does support SAML-based authentication.
Key Details:
-
SAML 2.0 Support: BeyondTrust Password Safe integrates with identity providers like Azure Entra ID and Arculix by SecureAuth using SAML 2.0 for single sign-on (SSO) and provisioning.
-
IdP-Initiated Integration: You can configure BeyondTrust Password Safe for IdP-initiated SAML login, allowing users to authenticate via a centralized identity provider and access Password Safe seamlessly.
-
Workforce Passwords Compatibility: Workforce Passwords, an add-on to Password Safe, also works with SAML. However, it's important to ensure that the Password Safe URL configured in Workforce Passwords matches the SAML redirect URL. If they don’t match, login issues may occur
Here's a breakdown of what might be causing the slow login and credential injection issues in BeyondTrust Workforce Passwords, especially when using Active Directory (AD) users and SAML authentication:
AD Integration vs Local Users
- BeyondTrust Password Safe fully supports Active Directory integration. You can bring in users and groups directly from AD.
- However, login performance can degrade if an AD user belongs to more than 120 groups, due to Kerberos token size limitations. This can cause authentication failures or delays
- To fix this, you may need to increase the MaxTokenSize in the Windows registry on the BeyondInsight server.
SAML Authentication Considerations
- Workforce Passwords supports SAML 2.0, but the Password Safe URL must match the SAML redirect URL exactly. If they don’t match, login via the browser extension may fail or hang
- If you're using Pathfinder or Password Safe Cloud, ensure the correct portal is selected in the browser extension.
Credential Injection Troubleshooting
- Workforce Passwords uses a browser extension (Chrome, Edge, Firefox) to inject credentials into web apps.
- If credentials aren’t injecting:
- Make sure the extension has permission to access data for all websites.
- Check that the URL saved in the credential matches the login page URL.
- If multiple credentials exist for the same URL, you may need to manually select one.
- Try manual sync in the extension if new secrets aren’t appearing.
Suggestions to Improve Performance
-
Registry Fix for AD Group Limit:
- Increase
MaxTokenSizeto65535in the registry as described here.
- Increase
-
Verify SAML Configuration:
- Double-check the SAML redirect URL and ensure it matches the Password Safe URL used in the browser extension.
-
Extension Setup:
- Ensure the Workforce Passwords extension is installed and configured correctly.
- Enable “Access your data for all websites” in the extension settings.
please let me know if this helps?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.