
This documentation describes the steps required to configure the native PingOne Advanced Identity Cloud connector for BeyondTrust Password Safe.

 

Prerequisites:

  • PingOne Advanced Identity Cloud version 14761.0 and above;
  • BeyondTrust Password Safe version 24.1.1.268 and above.

 

Capabilities:

  • Account Discovery;
  • Group Discovery;
  • Account Creation;
  • Add/Remove Group for Account;
  • Enable/Disable Account;
  • Delete Account;
  • Update Account.

 

Configuration – Password Safe

 

Create a Group for SCIM Service Accounts, and change access to Full Control for the Features as shown above.
For each Managed Account Smart Group, add Read Only permission.

Note: This is a manual step that is required every time a new Managed Account Smart Group is created. Only Managed Account Smart Groups of the Category “Managed Account” are visible via SCIM today; Smart Groups of Category “Platform” or “Custom” are not visible.

 

Note: The permissions on Managed Account Smart Groups are not needed for the current version of PingOne Advanced Security Cloud today, but will be leveraged in an upcoming version for expanded visibility.

Create a new User and assign it to the Group.
Log in as the Service Account and access the Connector. Recycle the Client Secret and write down both the Client ID and the Secret.

Note: Client Credentials is the preferred method for initial testing, while Refresh Token is recommended for Production.

 

Configuration – PingOne Advanced Identity Cloud

 

Navigate to Applications and Browse App Catalog. Search for BeyondTrust and click the BeyondTrust App.
Provide a Name, Description, and Owner(s) for the Application.
Enter Connection Settings using the Client ID and Secret generated previously. Configure Endpoints for your Password Safe instance: the SCIM endpoint is /scim/v2 and the Token Endpoint is /scim/oauth/token.
Under Provisioning, Properties, for User, move Password and _NAME_ to the top of the list.
Navigate to User, Reconciliation, and click Reconcile Now.
Navigate to Group, Reconciliation, and click Reconcile Now.
You should now be able to see Password Safe Users.
For each Account, you should be able to see and modify Group Memberships, and modify attributes.
To provision a new Password Safe account for an existing User, click the Add Member button.
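Before clicking Reconcile Now, it is worth confirming from outside the connector that the Service Account's Client ID and Secret actually obtain a token at /scim/oauth/token and that /scim/v2/Users and /scim/v2/Groups return data. The script below is an added example, not code from Ping Identity or BeyondTrust; it assumes the token endpoint accepts the client credentials as form fields, and the base URL, credentials and sample responses are constructed placeholders. A result with Users present but zero Groups points at the Read Only Smart Group permission step above being skipped.

```python
import io
import json
import urllib.parse
import urllib.request

SCIM_PATH = "/scim/v2"            # SCIM endpoint named in the post
TOKEN_PATH = "/scim/oauth/token"  # Token endpoint named in the post

def get_token(base_url, client_id, client_secret, opener=urllib.request.urlopen):
    """OAuth 2.0 client credentials grant against the token endpoint.
    Assumption: the endpoint accepts client_id/client_secret as form fields (RFC 6749 2.3.1)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(base_url + TOKEN_PATH, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)["access_token"]

def list_names(base_url, token, resource, opener=urllib.request.urlopen):
    """GET /scim/v2/Users or /scim/v2/Groups; return (totalResults, names) from the ListResponse."""
    req = urllib.request.Request(f"{base_url}{SCIM_PATH}/{resource}", headers={
        "Authorization": f"Bearer {token}", "Accept": "application/scim+json"})
    with opener(req) as resp:
        page = json.load(resp)
    key = "userName" if resource == "Users" else "displayName"
    return page.get("totalResults", 0), [r.get(key) for r in page.get("Resources", [])]

def smoke_test(base_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Users visible but zero Groups is the symptom of missing Read Only Smart Group permissions."""
    token = get_token(base_url, client_id, client_secret, opener)
    users, groups = (list_names(base_url, token, r, opener) for r in ("Users", "Groups"))
    return {"users": users, "groups": groups, "groups_visible": groups[0] > 0}

# Constructed sample responses standing in for a live Password Safe instance (not real data).
SAMPLE = {
    TOKEN_PATH: {"access_token": "constructed-token", "token_type": "Bearer"},
    f"{SCIM_PATH}/Users": {"totalResults": 2, "Resources": [{"userName": "svc_scim"}, {"userName": "alice"}]},
    f"{SCIM_PATH}/Groups": {"totalResults": 0, "Resources": []},
}

def constructed_opener(req):
    """Offline stand-in for urllib.request.urlopen: answers from SAMPLE by URL path."""
    return io.BytesIO(json.dumps(SAMPLE[urllib.parse.urlparse(req.full_url).path]).encode())

if __name__ == "__main__":
    # Against a real instance, drop the opener argument so urllib.request.urlopen is used.
    print(smoke_test("https://passwordsafe.example", "CLIENT_ID", "SECRET", constructed_opener))
```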

 
