Identity providers
PassBeyond has been tested with Authentik, Cisco Duo, Microsoft AD FS, Microsoft Entra ID (Azure AD), Okta, and PingOne. Other SAML 2.0 providers should work when they can send a usable subject and the attributes required by your backend.
Common Service Provider values
Replace <your-domain> with the domain configured in PassBeyond.
| Setting | Value |
|---|---|
| SP metadata | https://<your-domain>/saml/metadata.xml |
| Entity ID | https://<your-domain>/saml/metadata |
| ACS URL | https://<your-domain>/saml/acs |
| Single Logout URL | https://<your-domain>/saml/slo |
| Certificate | https://<your-domain>/saml/certificate.crt |
| Recommended NameID | Transient identifier |
Prefer importing the SP metadata when the IdP supports it. Configure signed responses and assertions, use SHA-256 algorithms, and map at least an email address or account name that PassBeyond can use as the subject.
Protocol behavior
PassBeyond accepts both SP-initiated and IdP-initiated login. Its metadata advertises the transient NameID format and requests email address and UPN as required attributes, with display name as optional. The subject used by the backend is selected from mapped email, mapped sAMAccountName, and then NameID.
Because a transient NameID may change between sign-ins, do not rely on it as the backend's permanent account key. Map a stable email address or account name and verify how the backend handles renames. See Sessions and Supported claims.
The SAML certificate is generated per PassBeyond instance and is not automatically rotated. Record its expiry and follow Certificate rotation when it needs replacement.
Microsoft AD FS
Create a Relying Party Trust, select Import data about the relying party published online or on a local network, and enter:
https://<your-domain>/saml/metadata.xmlAdd a Send LDAP Attributes as Claims rule:
| LDAP attribute | Outgoing claim type |
|---|---|
| E-Mail-Addresses | E-Mail Address |
| Given-Name | Given Name |
| Surname | Surname |
| User-Principal-Name | UPN |
| Display-Name | Name |
| Company | company |
| Department | department |
| Telephone-Number | telephoneNumber |
To send group membership, add a Send Claims Using a Custom Rule rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);You can filter the group claims in a second custom rule. Adjust the expression to your naming scheme:
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^sgrpApp*"]
=> issue(claim = c);Finally, add Transform an Incoming Claim and transform E-Mail Address to Name ID with the Transient Identifier format.
Cisco Duo
Create a Generic SAML Service Provider application. Under Metadata Discovery, use:
https://<your-domain>/saml/metadataVerify these values if they are not discovered automatically:
| Setting | Value |
|---|---|
| Entity ID | https://<your-domain>/saml/metadata |
| ACS URL | https://<your-domain>/saml/acs with index 1 and default enabled |
| Single Logout URL | https://<your-domain>/saml/slo |
| NameID format | urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| Signature algorithm | SHA-256 |
| Signing options | Sign assertions and responses |
Optional assertion encryption settings:
| Setting | Value |
|---|---|
| Existing certificate | Certificate from /saml/certificate.crt |
| Assertion encryption | AES-256-CBC |
| Key transport | RSA-OAEP |
Recommended attributes:
| Duo attribute | SAML response attribute |
|---|---|
| Email Address | email |
| First Name | firstName |
| Last Name | lastName |
| Display Name | displayName |
| Roles or groups | Groups |
Okta
Create a SAML application with:
| Setting | Value |
|---|---|
| Single sign-on URL | https://<your-domain>/saml/acs |
| Audience URI (SP Entity ID) | https://<your-domain>/saml/metadata |
| Name ID format | Transient |
| Application username | |
| Response | Signed |
| Assertion | Signed |
| Signature algorithm | RSA-SHA256 |
| Digest algorithm | SHA-256 |
For encrypted assertions, select AES-256-CBC, RSA-OAEP, and the certificate served by PassBeyond.
Add these attribute statements:
| Name | Name format | Value |
|---|---|---|
email | Unspecified | user.email |
sAMAccountName | Unspecified | user.login |
givenName | Unspecified | user.firstName |
surName | Unspecified | user.lastName |
Groups | Unspecified | user.groups |
PingOne
Create a SAML application and set the Service Provider metadata URL to:
https://<your-domain>/saml/metadataAdd these mappings:
| SAML attribute | PingOne mapping | Required |
|---|---|---|
email | Email Address | Yes |
givenName | Given Name | No |
surName | Family Name | No |
displayName | Formatted | No |
sAMAccountName | Username | No |
Groups | Group Names | No |
Authentik and Microsoft Entra ID
Both providers are known to work with PassBeyond, but the exact administration screens and terminology change over time. Import the PassBeyond metadata where possible, otherwise use the common Service Provider values. Map email or account name plus any attributes your backend needs, then compare the emitted names with the claims reference.
Verify the integration
After saving the IdP configuration:
- open the protected application's root URL in a private browser window;
- complete authentication at the IdP;
- confirm the browser returns through
/saml/acs; - inspect the backend's received headers;
- test
/saml/sloand sign in again.
If authentication succeeds but the expected data is absent, capture the IdP's attribute names without personal values and compare them with the aliases in Supported claims.