Skip to content

Identity providers

PassBeyond has been tested with Authentik, Cisco Duo, Microsoft AD FS, Microsoft Entra ID (Azure AD), Okta, and PingOne. Other SAML 2.0 providers should work when they can send a usable subject and the attributes required by your backend.

Common Service Provider values

Replace <your-domain> with the domain configured in PassBeyond.

SettingValue
SP metadatahttps://<your-domain>/saml/metadata.xml
Entity IDhttps://<your-domain>/saml/metadata
ACS URLhttps://<your-domain>/saml/acs
Single Logout URLhttps://<your-domain>/saml/slo
Certificatehttps://<your-domain>/saml/certificate.crt
Recommended NameIDTransient identifier

Prefer importing the SP metadata when the IdP supports it. Configure signed responses and assertions, use SHA-256 algorithms, and map at least an email address or account name that PassBeyond can use as the subject.

Protocol behavior

PassBeyond accepts both SP-initiated and IdP-initiated login. Its metadata advertises the transient NameID format and requests email address and UPN as required attributes, with display name as optional. The subject used by the backend is selected from mapped email, mapped sAMAccountName, and then NameID.

Because a transient NameID may change between sign-ins, do not rely on it as the backend's permanent account key. Map a stable email address or account name and verify how the backend handles renames. See Sessions and Supported claims.

The SAML certificate is generated per PassBeyond instance and is not automatically rotated. Record its expiry and follow Certificate rotation when it needs replacement.

Microsoft AD FS

Create a Relying Party Trust, select Import data about the relying party published online or on a local network, and enter:

text
https://<your-domain>/saml/metadata.xml

Add a Send LDAP Attributes as Claims rule:

LDAP attributeOutgoing claim type
E-Mail-AddressesE-Mail Address
Given-NameGiven Name
SurnameSurname
User-Principal-NameUPN
Display-NameName
Companycompany
Departmentdepartment
Telephone-NumbertelephoneNumber

To send group membership, add a Send Claims Using a Custom Rule rule:

text
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

You can filter the group claims in a second custom rule. Adjust the expression to your naming scheme:

text
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^sgrpApp*"]
 => issue(claim = c);

Finally, add Transform an Incoming Claim and transform E-Mail Address to Name ID with the Transient Identifier format.

Cisco Duo

Create a Generic SAML Service Provider application. Under Metadata Discovery, use:

text
https://<your-domain>/saml/metadata

Verify these values if they are not discovered automatically:

SettingValue
Entity IDhttps://<your-domain>/saml/metadata
ACS URLhttps://<your-domain>/saml/acs with index 1 and default enabled
Single Logout URLhttps://<your-domain>/saml/slo
NameID formaturn:oasis:names:tc:SAML:2.0:nameid-format:transient
Signature algorithmSHA-256
Signing optionsSign assertions and responses

Optional assertion encryption settings:

SettingValue
Existing certificateCertificate from /saml/certificate.crt
Assertion encryptionAES-256-CBC
Key transportRSA-OAEP

Recommended attributes:

Duo attributeSAML response attribute
Email Addressemail
First NamefirstName
Last NamelastName
Display NamedisplayName
Roles or groupsGroups

Okta

Create a SAML application with:

SettingValue
Single sign-on URLhttps://<your-domain>/saml/acs
Audience URI (SP Entity ID)https://<your-domain>/saml/metadata
Name ID formatTransient
Application usernameEmail
ResponseSigned
AssertionSigned
Signature algorithmRSA-SHA256
Digest algorithmSHA-256

For encrypted assertions, select AES-256-CBC, RSA-OAEP, and the certificate served by PassBeyond.

Add these attribute statements:

NameName formatValue
emailUnspecifieduser.email
sAMAccountNameUnspecifieduser.login
givenNameUnspecifieduser.firstName
surNameUnspecifieduser.lastName
GroupsUnspecifieduser.groups

PingOne

Create a SAML application and set the Service Provider metadata URL to:

text
https://<your-domain>/saml/metadata

Add these mappings:

SAML attributePingOne mappingRequired
emailEmail AddressYes
givenNameGiven NameNo
surNameFamily NameNo
displayNameFormattedNo
sAMAccountNameUsernameNo
GroupsGroup NamesNo

Authentik and Microsoft Entra ID

Both providers are known to work with PassBeyond, but the exact administration screens and terminology change over time. Import the PassBeyond metadata where possible, otherwise use the common Service Provider values. Map email or account name plus any attributes your backend needs, then compare the emitted names with the claims reference.

Verify the integration

After saving the IdP configuration:

  1. open the protected application's root URL in a private browser window;
  2. complete authentication at the IdP;
  3. confirm the browser returns through /saml/acs;
  4. inspect the backend's received headers;
  5. test /saml/slo and sign in again.

If authentication succeeds but the expected data is absent, capture the IdP's attribute names without personal values and compare them with the aliases in Supported claims.

Released under the MIT License.