TTechclick ⚡ XP 0% All lessons
BeyondTrust · Integrations · API & EcosystemInteractive · L1 / L2 / L3

BeyondTrust Integrations: — REST API, SAML/MFA, ServiceNow, SIEM & Entra ID

A vault nobody watches is just a cupboard. This lesson wires Password Safe and PRA into everything around them — Entra ID decides who gets in, ServiceNow decides when, the SIEM sees everything, and the REST API does the boring parts for you.

📅 2026-06-10 · ⏱ 14 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Identity in

SAML SSO, MFA at the IdP, groups decide access.

 2

Ticket gate

ServiceNow validates the change before any release.

 3

Logs out

Syslog to Splunk/Sentinel — five detections that matter.

 4

REST APIs

SignAppin to check-in, scoped keys, JIT cloud edge.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Your auditor asks: "prove every privileged session had a change ticket behind it." Which integration answers that in one report?

Answered in Identity in.

2. Password Safe must tell the SOC the moment a rotation fails at 2 AM. What carries that signal?

Answered in Logs out.

3. An Ansible job needs a database password at 3 AM with zero humans awake. What does it call?

Answered in Ticket gate.

Most engineers think…

Most engineers think PAM is a standalone box — install the vault, onboard the accounts, done. Integrations are a "phase 2" luxury.

Wrong — an unintegrated vault fails its first audit and its first incident. Without SAML + directory groups, leavers keep access. Without ticket validation, approvals are vibes. Without SIEM forwarding, a stolen API key (the exact entry in the Dec-2024 US Treasury incident) walks straight past MFA and stays invisible until someone watches its usage. The four wires in this lesson are what turn a password cupboard into a control plane.

① Identity in — SAML SSO, MFA & directory groups

Think of the Password Safe portal as the bank’s locker ROOM, not the locker. The lockers (vaulted credentials) are strong, but the room entrance is where identity matters: the bank checks your Aadhaar-verified pass at the door (SSO + MFA), and the register at the gate decides which counters you may visit (your groups). In BeyondTrust terms: SAML handles the door, directory groups handle the register.

Why push login out to an IdP like Entra ID or Okta? Two reasons. First, MFA lives at the IdP — Conditional Access, number matching, phishing-resistant FIDO2 — and PAM inherits all of it without its own MFA stack. Second, joiner-mover-leaver becomes one change: HR disables the AD account, the IdP refuses the login, and PAM access dies the same second. No orphan PAM accounts for the auditor to find.

Figure 1 — Four wires turn a vault into a control plane
BeyondInsight with Password Safe and PRA sits in the centre. On the left, Entra ID or Okta sends a SAML assertion with MFA enforced at the identity provider. On top, ServiceNow gates every request with a ticket that must exist and be open. On the right, syslog ships release, rotation, session and policy events to Splunk or Sentinel. At the bottom, scripts call the REST APIs using PS-Auth keys or OAuth. A red arrow showing a stolen API key from an unknown IP is blocked by the API registration IP rules. Four wires turn a vault into a control plane BeyondInsight Password Safe + PRA every key in the company Entra ID / Okta SSO + MFA at the IdP AD/LDAP groups IDENTITY IN SAML assertion ServiceNow ticket exists + open? TICKET GATE Splunk / Sentinel release · rotation fail session · policy change LOGS OUT syslog 514 / 6514 Scripts · Ansible · SOAR PS-Auth key · OAuth Bearer APIs AUTOMATE stolen API key 203.0.113.77 · 02:14 AM ✗ blocked by IP rule + SIEM new-IP alert ← cut any one wire and the vault is a cupboard nobody watches, gates, or audits untrusted/attackertrusted/vaultedpolicy/decisionkey insightallowed/audited
The map for this whole lesson. Identity flows IN from the left, tickets gate from the top, logs flow OUT to the right, APIs automate from below — and the red stolen-key arrow shows why API registrations carry IP rules.
👉 So far: SSO at the IdP gives PAM its MFA and its leaver-handling for free. Next: where exactly you click in BeyondInsight, and what the IdP must send back.

The console path to memorise: Configuration > Authentication Management > SAML Configuration, then Create New SAML Identity Provider +. You paste the IdP’s Identifier (entity ID), Single Sign-on Service URL and signing certificate; BeyondInsight auto-generates the Service Provider side — its own Entity ID and the Assertion Consumer Service URL the IdP must post assertions to. One hard floor worth quoting in interviews: incoming SAML assertions can no longer be signed with SHA1 — weak-signature assertions are rejected outright.

🖥️ This is the screen you’ll use — BeyondInsight → Configuration → Authentication Management → SAML Configuration → Create New SAML Identity Provider +. (Recreated for clarity — your console matches this.)
bi.icicilab.in · Configuration → Authentication Management
1
Name
EntraID-Prod
2
Identifier (Entity ID)
https://sts.windows.net/(tenant-id)/
3
Single Sign-on Service URL
https://login.microsoftonline.com/(tenant-id)/saml2
Protocol Binding
HTTP POST
Identity Provider Certificate
EntraID-signing-cert.cer (SHA256)
4
Default Identity Provider
Enabled — used for SP-initiated logins
Create SAML Identity Provider

PRA has its own door: /login > Users & Security > Security Providers accepts SAML, LDAP, RADIUS and Kerberos providers, and Group Policies pick users up by the group attribute the IdP sends. Same pattern, different console — one IdP can front BeyondInsight, Password Safe and PRA together, which is exactly what you want: one login story, one MFA story, one off-boarding story.

Figure 2 — SAML login = two halves: prove WHO, then map WHAT
Rahul opens BeyondInsight, which redirects him to Entra ID. Entra ID enforces password plus MFA, then returns a signed SAML assertion carrying a group claim PAM-DBAs to the Assertion Consumer Service URL. BeyondInsight maps the claim to a BeyondInsight group, the group carries Password Safe roles and an access policy, and only then does the vault open. A red dashed path shows an assertion signed with SHA1 being rejected, and a note warns that a missing group mapping leaves a logged-in user staring at an empty portal. SAML login = two halves: prove WHO, then map WHAT Rahul HCL · DBA BeyondInsight (SP) Use SAML Authentication Entra ID (IdP) password ✓ · MFA prompt ✓ Conditional Access lives HERE redirect signed SAML assertion group claim: PAM-DBAs → ACS URL on BeyondInsight BI group: PAM-DBAs roles + access policy attached vault opens only the systems his group owns AUTHORIZATION ✗ assertion signed with SHA1 → rejected (security floor) ✗ no group claim mapped → login OK, portal EMPTY joiner-mover-leaver = ONE change in the directory; PAM follows ↗ AUTHENTICATION (top row)
Follow the top row left to right for authentication, then drop down the left for authorization. The red box is the two classic failures: SHA1-signed assertions (rejected) and a missing group mapping (login OK, portal empty).

Now the register at the gate: directory groups drive authorization. A BeyondInsight group can be created from an AD/LDAP or Entra ID query, and everything hangs off that group — Password Safe roles (Requestor, Approver, ISA), Smart Group permissions, and the access policy that says when and how its members may connect. Onboarding the new DBA Aditya = add him to one AD group. Nothing inside PAM changes hands.

Four words that carry this whole section

Tap each card — these four turn up in every SSO troubleshooting call.

📜
Assertion
tap to flip

The signed XML "this user authenticated" message the IdP posts to the ACS URL. SHA1-signed = rejected. So: trust comes from the signature.

🆔
IdP vs SP
tap to flip

IdP (Entra/Okta) proves identity; SP (BeyondInsight/PRA) consumes the proof. Config = exchange both sides’ URLs + certs. So: two halves, one handshake.

👥
Group claim
tap to flip

The group list riding inside the assertion. Mapped to a BI group that carries roles + access policy. No mapping = empty portal. So: claims feed authorization.

🔐
MFA at the IdP
tap to flip

Conditional Access enforces MFA before the assertion exists. PAM inherits phishing-resistant login without its own MFA stack. So: harden ONE front door.

COMMON MISTAKE — SAML-only with no back door

Symptom: SAML is forced as the only login path, the IdP certificate expires (or the Entra app is deleted), and now NOBODY can administer the PAM that holds every password in the company. Fix: always keep one local break-glass BeyondInsight admin account — vaulted, sealed, alerted on use — and test the standard login path before and after every IdP change.

Quick check · Q1 of 10

Rahul at HCL clicks "Use SAML Authentication", Entra ID accepts his password + Authenticator prompt, and BeyondInsight opens — but his Password Safe portal shows zero systems and zero accounts. The IdP certificate is valid. Most likely miss?

Correct: b. Login succeeded, so authentication (and the signature) is fine — a SHA1 rejection would have failed the login itself. What’s missing is authorization: the group claim → BI group → roles + access policy chain. No local duplicate account is needed with SAML, and MFA is enforced at the IdP, not again inside BeyondInsight.

Pause & Predict

Predict: Sneha’s company fires an employee at 11:00. AD is disabled at 11:02. The employee had an OPEN Password Safe session from 10:45. Does SSO kill that live session? Type your guess.

Answer: No — SSO gates the NEXT login, not sessions already running. The disabled AD account can never sign in again, but the live session rides until check-in, expiry, or an admin terminates it from Password Safe > Sessions. That’s why off-boarding runbooks include "terminate active PAM sessions", and why session events going to the SIEM (section ③) matter.

② ITSM — ServiceNow ticket-gated access

Every Indian housing society runs this control already: a visitor enters only against a slip the flat owner pre-approved, and the slip number is written into the gate register next to the entry and exit times. Months later, anyone can trace visit → approval → slip. That is exactly what the ServiceNow integration does for privileged access: no ticket, no entry; and the entry is written back against the ticket.

Mechanically there are two layers. The lighter one is built into Password Safe access policies: the ticket number field can be made required, so a release request must carry a reference. The full integration is the certified ServiceNow app: users request checkout from the ticket itself using Incident, Change Request or Problem flows; Password Safe validates the ticket exists and is in an open, valid state before releasing anything; and the session link lands back on the ticket record. Requirements worth memorising: Password Safe 22.2+, managed accounts with API access enabled, and an API registration assigned to a BeyondInsight group containing the requestor accounts.

Figure 3 — Access without vs with the ticket gate
Two panels. Before: a requester types any reason, an approver clicks approve on trust, the session happens, and at audit time nobody can prove which change covered it — orphan sessions in red. After: the request carries change ticket CHG0031245, Password Safe validates the ticket exists and is open at request time, the session runs recorded, and the session link is written back to the ticket — the auditor clicks the change and lands on the recording, a closed loop in green. Access without vs with the ticket gate BEFORE — approval on trust Reason: "need to check something" (free text) no change record behind it approver clicks ✓ — busy, trusts the requester 2:00 AM session on pay-prod-2 (10.20.8.11) Audit day: "which change covered this?" orphan sessions · sampling · findings evidence = memory + spreadsheets AFTER — ServiceNow ticket gate CHG0031245 · state: Implement (open) request raised FROM the ticket Password Safe validates: exists? open? ✓ session runs · recorded · keystrokes logged session link written BACK to CHG0031245 auditor clicks the change → lands on the recording evidence = a closed loop, one report The gate is cheap to wire; re-creating evidence at audit time is not.
Left panel: approval on trust, orphan sessions, audit findings. Right panel: ticket validated at request time, session recorded, link written back — the auditor clicks the change and lands on the recording.
👉 So far: the ticket gate = exists + open at request time, raised from the ticket, written back to the ticket. Next: the PRA side, and what breaks in real deployments.

PRA carries the same gate for remote sessions: a Jump Policy has the literal checkbox "Require a ticket ID before a session starts", pointing at your configured ticket system. So a vendor engineer Jumping to a production switch and a DBA checking out the sa password both answer the same question first: which approved change is this? Remember the PRA constraint from lesson 13 — a Jump Policy cannot enable both a schedule and approval at once, but ticket-ID can ride alongside either.

Priya at Airtel faces this

The new ServiceNow integration works for the Windows team, but every request the network team raises from a Change ticket comes back 403 Forbidden in the app logs — while the same users can check out fine from the Password Safe portal directly.

Likely cause

The API registration backing the ServiceNow app is assigned to a BeyondInsight group that contains the Windows admins only. The network team’s accounts are not in the group tied to the registration, so the API calls made on their behalf are refused — portal access uses their normal roles and is unaffected.

Diagnosis

Reproduce one failing request, note the runas user in the app log, then open the API registration and check which user group it is assigned to and whether that group contains the network team. Also confirm their target accounts have API access enabled.

BeyondInsight > Configuration > General > API Registrations · BeyondInsight > Configuration > Role Based Access > User Management > Groups
Fix

Add the network team (or their directory-query group) to the group assigned to the ServiceNow API registration, and tick Enable for API Access on the managed accounts they request. Do NOT widen the registration’s roles — membership, not power, was the gap.

Verify

The network engineer re-submits the request from the Change ticket: ticket validates, approval flows, checkout succeeds, and the session link appears on the ticket record within a minute.

Quick check · Q2 of 10

Meera at ICICI submits a Password Safe request from ServiceNow referencing CHG0048821. The change was completed and moved to Closed yesterday. What happens to her request?

Correct: c. Validation is two-part: the ticket exists and its state is open/valid for the flow (Incident, Change, Problem). A closed change is yesterday’s authorization — reusing it is exactly the loophole the gate exists to close. Nothing in the integration auto-creates tickets, and "grant now, review later" would defeat the control.

Pause & Predict

Predict: the auditor asks Priya for evidence on 40 sampled privileged sessions. With the closed loop wired, how many systems does she open to answer? Type your guess.

Answer: One. Each ServiceNow change carries the Password Safe session link written back to it, and each Password Safe session record carries the ticket number in its reason. Either system alone answers "who, what, when, under which approved change" — that closed loop is why auditors sign off ticket-gated PAM quickly and hammer everything else.
WHY AUDITORS LOVE THE CLOSED LOOP

PCI DSS, SOX and ISO 27001 evidence requests all reduce to one chain: change approved → access requested → access granted → session recorded → link on the change. With the write-back in place, that chain is ONE click instead of a week of correlating spreadsheets. Put the phrase "ticket-gated checkout with ITSM write-back" in your resume — it is a real differentiator at L2 interviews.

③ SIEM & SOC — syslog, Splunk/Sentinel, the events that matter

A jeweller’s CCTV that records to a hard disk nobody watches still loses the gold — it only helps the post-mortem. A PAM that logs only to itself is the same device. The fix is one connector: BeyondInsight ships every privileged event to your SIEM, where a detection wakes a human in minutes instead of an auditor in months.

The console path: Configuration > General > Connectors > Create New Connector, type Syslog Event Forwarder — pick a format your SIEM parses (CEF or LEEF, plus newline/tab-delimited and JSON), point it at the collector, and tick the Event Filters for what to forward. Splunk shops can skip syslog: the Splunk Event Forwarder connector posts straight to the HTTP Event Collector (default port 8088) with a Splunk API key. PRA forwards too: every /login, /appliance and console authentication event can ship via UDP 514 or TLS TCP 6514, and Management > Outbound Events fires webhooks on session start/end for SOAR pipelines.

👉 So far: one Connector (or HEC) puts every PAM event in the SOC’s hands — IF the event filters are ticked and the port is open. Next: which events deserve the first five detections.

The five event families that matter

Do not forward everything and drown. Five families cover most PAM risk: password release/check-out (who took which key), rotation failures (the vault’s own health — a burst means the functional account broke), session start/stop (proxy + PRA), policy and Smart Rule changes (attackers widen policies before they steal), and failed logins + API sign-ins (SignAppin failures, OAuth grants, new source IPs). Wire one named detection per family before you build anything fancier.

Figure 4 — Ship five event families → build five first detections
Five rows map BeyondTrust event families to first SOC detections. Password release maps to after-hours release without a ticket, priority two. Rotation failure maps to a failure burst across systems meaning the functional account broke, priority one. Session start and stop maps to a session with no matching request. Policy or Smart Rule change maps to changes outside the change window. Failed logins and API sign-ins map to an API key used from a never-seen IP, priority one — the Treasury lesson. Ship five event families → build five first detections EVENT (syslog · CEF/LEEF) FIRST DETECTION (Splunk / Sentinel) password release / check-out who · which account · reason release between 00:00–06:00 with no ticket in Reason alert the account owner, not just the SOC P2 rotation FAILURE "Password change failed" events burst across MANY systems in minutes = the shared functional account broke — fix ONE thing P1 session start / stop RDP/SSH proxy + PRA sessions session with NO matching approved request join sessions to requests by user + system + time P2 policy / Smart Rule change access policies · API registrations config change OUTSIDE the change window attackers widen policies before they steal P2 failed logins + API sign-ins SignAppin / OAuth token grants API key used from a never-seen source IP the Dec-2024 Treasury entry was a stolen SaaS API key P1 Start with these five. A PAM that logs to nowhere is CCTV with no guard watching. BeyondInsight: Configuration → General → Connectors · PRA: /login + /appliance events → syslog UDP 514 / TLS TCP 6514
Left = the event family arriving over syslog/HEC; right = the first detection a SOC should name and own; chips = suggested priority. The two P1s are the vault’s own health and the Treasury-style stolen key.
Splunk search head — rotation-failure burst (is the functional account broken?)
index=pam sourcetype="beyondtrust:beyondinsight" "Password change failed"
| stats count AS failures BY ManagedSystem, FunctionalAccount
| where failures > 5
| sort - failures
Expected output
ManagedSystem    FunctionalAccount   failures
db-prod-1        svc-psafe-fa        14
app-prod-3       svc-psafe-fa        11
-- same FA failing everywhere = fix ONE credential, not 25 servers
Microsoft Sentinel (KQL) — API key suddenly used from a never-seen IP (the Treasury lesson)
Syslog
| where SyslogMessage has "SignAppin"
| extend SrcIP = extract(@"from ([\d\.]+)", 1, SyslogMessage)
| summarize firstSeen = min(TimeGenerated) by SrcIP
| where firstSeen > ago(1d)
Expected output
SrcIP            firstSeen
203.0.113.77     2026-06-10T02:14:09Z
-- 1 row: a brand-new source IP using the API at 02:14. Page someone.

That second detection is not paranoia — it is history. In December 2024, attackers used a stolen Remote Support SaaS API key to reset local application passwords and reach 17 customers including the US Treasury (CVE-2024-12356 rode alongside as the software flaw). MFA never saw it, because machine keys do not do interactive login. The only controls that catch a stolen key are the ones in this section and the next: anomaly detection on key usage, IP restrictions, scoping and rotation.

Karthik at TCS faces this

The SOC built BeyondTrust dashboards two weeks ago. Zero events have arrived. The Syslog Event Forwarder connector exists, shows Active, and test events from other sources reach the collector fine.

Likely cause

The connector was created with no Event Filters ticked — it is "active" but subscribed to nothing. (The twin cause in other shops: UDP 514 from the appliance/Resource Broker subnet to the collector is blocked, while the test events came from a different VLAN.)

Diagnosis

Open the connector and expand Event Filters — if nothing is selected, that is the answer. If filters are fine, capture on the collector while forcing an event (sign in, check out a test credential) and watch for packets from the appliance IP.

BeyondInsight > Configuration > General > Connectors > Syslog Event Forwarder
Fix

Tick the event categories the SOC actually needs (releases, rotation failures, sessions, policy changes, auth), save, and open UDP 514 — or better, switch to TLS TCP 6514 — from the appliance to the collector.

Verify

Check out a test credential and watch it land in the SIEM within a minute: index=pam | head 5 shows the release event with Karthik’s username.

Quick check · Q3 of 10

At 02:10, Splunk fires: 14 "Password change failed" events across 11 different Windows systems within five minutes. Which story fits best?

Correct: a. One worker credential serves many systems: when the functional account is locked, expired, or was rotated outside PS, failures appear EVERYWHERE it works, all at once. Eleven simultaneous crashes is fantasy; SIEM duplication would show identical hosts; and healthy estates do not fail in bursts — the Password Change Agent retries, but a burst is a signal, not noise.

Pause & Predict

Predict: of the five event families, which one will your SIEM almost never see — and that absence is itself the alert? Type your guess.

Answer: Heartbeat-style traffic from the forwarder. If releases, sessions and auth events flow daily, SILENCE for several hours means the connector, the appliance, or the path broke — and a PAM that stops logging is precisely what an attacker covering tracks looks like. Mature SOCs alert on the ABSENCE of BeyondTrust events, not just their content.

④ The REST APIs — Password Safe, PRA, and the JIT cloud edge

Everything you have clicked in this series is callable. The Password Safe public API lives at /BeyondTrust/api/public/v3 and authenticates with the PS-Auth header: a 128-character key from an API registration, plus runas — a real Password Safe user whose roles decide what the call may touch. Sign in once with POST Auth/SignAppin; the session cookie keeps state until POST Auth/Signout.

Any REST client → Password Safe API: sign in, find the account
# 1. Sign in (session cookie carries state between calls)
curl -sk -c /tmp/ps.jar -X POST \
  "https://bi.icicilab.in/BeyondTrust/api/public/v3/Auth/SignAppin" \
  -H "Authorization: PS-Auth key=c479a66f...9484d; runas=icici\svc-ansible; pwd=[S3cure#21];"

# 2. Find the account (must be Enable for API Access)
curl -sk -b /tmp/ps.jar \
  "https://bi.icicilab.in/BeyondTrust/api/public/v3/ManagedAccounts?systemName=db-prod-1&accountName=sa_dbpatch"
Expected output
{"UserId":42,"UserName":"icici\\svc-ansible","Name":"Ansible Service"}
{"PlatformID":4,"SystemId":12,"SystemName":"db-prod-1",
 "AccountId":47,"AccountName":"sa_dbpatch","DefaultReleaseDuration":120}

Then the same request → retrieve → check-in loop a human does in the portal: POST Requests raises the request (put the change number in Reason — the audit trail thanks you), GET Credentials/{requestId} retrieves the secret, PUT Requests/{requestId}/Checkin releases it and triggers rotate-on-release. Two traps from lesson 6 still apply here: GET ManagedAccounts only returns accounts with Enable for API Access set and where the runas user holds Requestor/ISA, and a 2FA-enabled user’s first SignAppin deliberately returns 401 + a WWW-Authenticate-2FA header — the challenge, not an error. ISA users skip approval entirely via POST ISARequests.

Password Safe API → request, retrieve, ALWAYS check in
# 3. Raise the request (ticket number rides in Reason)
curl -sk -b /tmp/ps.jar -X POST -H "Content-Type: application/json" \
  "https://bi.icicilab.in/BeyondTrust/api/public/v3/Requests" \
  -d '{"SystemId":12,"AccountId":47,"DurationMinutes":60,"Reason":"CHG0031245 patch window"}'

# 4. Retrieve, use, check in (check-in triggers rotate-on-release)
curl -sk -b /tmp/ps.jar "https://bi.icicilab.in/BeyondTrust/api/public/v3/Credentials/891"
curl -sk -b /tmp/ps.jar -X PUT -H "Content-Type: application/json" \
  "https://bi.icicilab.in/BeyondTrust/api/public/v3/Requests/891/Checkin" -d '{}'
Expected output
891
"xR9$mK2#vL8@pQ4w"
(HTTP 204 No Content — checked in, rotation queued)

▶ Follow one Ansible job through the Password Safe API

A service account checks out a database credential with zero humans awake — four calls, one closed loop. Press Play for the healthy path, then Break it to see the failure.

① SignAppinsvc-ansible → POST Auth/SignAppin · PS-Auth key + runas · cookie back
② LookupGET ManagedAccounts?systemName=db-prod-1 → SystemId 12 · AccountId 47
③ RequestPOST Requests {60 min · Reason: CHG0031245} → id 891 → GET Credentials/891
④ Check-inPUT Requests/891/Checkin → rotate-on-release → Signout
Press Play to step through the healthy path. Then press Break it.

Where do keys come from? Configuration > General > API Registrations > Create API Registration. An API Key Policy registration issues the 128-character key (masked in the UI — click Show Key); an API Access Policy registration enables OAuth client-credentials for application users instead. Scoping is the whole game: add authentication rules restricting the source IP, range or CIDR (plus X-Forwarded-For rules behind load balancers), keep the runas users least-privilege, and note the platform direction — client certificates are being retired as an API registration auth method, so build new automation on keys or OAuth.

🖥️ This is the screen that scopes every script — BeyondInsight → Configuration → General → API Registrations → Create API Registration. (Recreated for clarity — your console matches this.)
bi.icicilab.in · Configuration → General → API Registrations
1
Name
snow-prod-integration
2
Registration Type
API Key Policy
3
Key
•••••••••••• (128 chars · Show Key)
4
Authentication Rule
Source IP range 10.20.30.40–10.20.30.44
User Password Required
Yes — pwd=[…] must accompany the key
Create Registration
COMMON MISTAKE — the god-key in a wiki

Symptom: one API key with an ISA-role runas user is shared by every team, pasted in a Confluence page and three Git repos. Nothing "breaks" — until the key leaks, and the leak looks exactly like the Dec-2024 Treasury incident: a single stolen API key, no MFA in its path, days of quiet access across 17 SaaS tenants before usage anomalies flagged it. Fix: one registration per application, IP rules on each, least-privilege runas users, keys stored in Secrets Safe, rotated on a schedule, and the new-IP SIEM alert from section ③.

PRA speaks a different dialect: pure OAuth. Create an API account at /login > Management > API Configuration, then exchange client_id:secret (Base64, Basic header) at POST /oauth2/token for a Bearer token that lives one hour — an account holds at most 30 live tokens, and regenerating the secret kills them all instantly. The Configuration API under /api/config/v1 covers Jump Items, users, policies and Vault accounts (mass-onboarding 500 Shell Jump items = a for-loop, not a week of clicking), the command API drives sessions, and the reporting API exports session logs and recordings — the no-code alternative being the Integration Client pulling .xml logs and .flv recordings to SQL Server or a file share.

PRA /login → Management → API Configuration: OAuth token + Configuration API
# Token: client_id:secret Base64-encoded in a Basic header (1-hour lifetime)
curl -s -X POST "https://pra.icicilab.in/oauth2/token" \
  -H "Authorization: Basic $(printf 'a3f9c2e1:8d41e7bb' | base64)" \
  -d "grant_type=client_credentials"

# Spend the Bearer: list Jump Items
curl -s "https://pra.icicilab.in/api/config/v1/jump-item" \
  -H "Authorization: Bearer eyJhbGciOi..." -H "Accept: application/json"
Expected output
{"access_token":"eyJhbGciOi...","token_type":"Bearer","expires_in":3600}
[{"id":7,"name":"core-sw-01","jump_type":"shell_jump","hostname":"172.16.40.7"},
 {"id":8,"name":"pay-prod-2","jump_type":"remote_rdp","hostname":"10.20.8.11"}]

The cloud edge rounds out the ecosystem. Identity Security Insights ingests AD, Entra ID, Okta, AWS, GCP and GitHub to map paths to privilege — the back-lanes (group nesting, role chains) an attacker would walk from a normal account to domain admin. Entitle brings JIT entitlements: like a Tatkal ticket instead of a lifetime rail pass, cloud access is granted for one journey and expires by itself — the standing-privilege killer. Both fold into the Pathfinder platform direction, and both are interview-current: "how would you remove standing access in AWS?" now has a BeyondTrust answer.

Figure 5 — Integration matrix — pin this
A six-row quick-reference card. SAML SSO is configured at Configuration, Authentication Management, SAML Configuration and buys MFA at the IdP plus joiner-mover-leaver in one place. Directory groups via Entra ID, AD and LDAP queries drive BeyondInsight groups, roles and access policies. ServiceNow uses the certified store app plus an API registration on Password Safe 22.2 plus, and buys ticket-gated checkout with links written back. SIEM uses Connectors with syslog 514 or TLS 6514 in CEF or LEEF formats. The Password Safe REST API lives at /BeyondTrust/api/public/v3 with the PS-Auth header. The PRA API uses OAuth at /login, Management, API Configuration with one-hour tokens and /api/config/v1 endpoints. Integration matrix — pin this WIRE WHERE / WHAT IT SPEAKS WHAT IT BUYS YOU SAML SSO + MFA Entra ID · Okta Configuration → Authentication Management → SAML Configuration · no SHA1 assertions PRA: /login → Users & Security → Security Providers MFA enforced at the IdP; one login story for all admins Directory groups AD · LDAP · Entra query directory group → BeyondInsight group → PS roles + Smart Group permissions + access policy Smart Rules can query Entra ID / Directory who-gets-what has ONE source of truth: the directory ServiceNow ITSM ticket gate certified Store app + API registration · PS 22.2+ accounts API-enabled · Incident/Change/Problem PRA: Jump Policy "Require a ticket ID" ticket must exist + be open; session link written back SIEM / SOC Splunk · Sentinel Configuration → General → Connectors Syslog Event Forwarder (CEF/LEEF/JSON) · tick Event Filters Splunk HEC :8088 · PRA syslog UDP 514 / TLS 6514 release · rotation-fail · session · policy · auth → detections Password Safe API PS-Auth key + runas /BeyondTrust/api/public/v3 Auth/SignAppin → ManagedAccounts → Requests key from Configuration → General → API Registrations scripted checkout / check-in, onboarding, reports PRA API OAuth · 1-hour Bearer /login → Management → API Configuration POST /oauth2/token → /api/config/v1/… max 30 live tokens · regenerate secret = tokens die Jump Item CRUD, reports, session-recording pulls
Six wires, one card: where each is configured, what it speaks, what it buys. If you can reproduce this matrix on a whiteboard, you have this lesson.
👉 So far: PS-Auth + /BeyondTrust/api/public/v3 for Password Safe, OAuth + /api/config/v1 for PRA, scoped registrations for both, and Insights/Entitle extending PAM into cloud JIT. One quiz, one prediction, and the matrix is yours.
Quick check · Q4 of 10

Aditya’s PRA inventory script fetches a Bearer token at deploy time and reuses it on every 6-hourly run. The first run works; every later run gets 401. Why?

Correct: d. PRA Bearer tokens live one hour; a token minted at deploy time is long dead by the next run. The 30-token cap silently evicts the OLDEST token rather than revoking the account, IP rules would have blocked run one as well, and secrets never rotate themselves — regeneration is a deliberate admin action (which kills all live tokens).

Pause & Predict

Predict: your ServiceNow integration, your SOC forwarder and your Ansible jobs all authenticate to Password Safe. How many API registrations should that be — one, or three? Type your guess.

Answer: Three (at least) — one per consumer. Separate registrations mean separate keys, separate IP rules, separate runas users with least privilege, and a clean kill-switch: revoke the Ansible key without breaking ServiceNow. One shared registration is one shared blast radius — the god-key anti-pattern from the callout above.
🎮 Hands-on: BeyondTrust PAM Essentials room📖 Sibling lesson: PMUL + AD Bridge

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from BeyondTrust docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What is the base path of the Password Safe public REST API?

Correct: c. The documented base is https://(server)/BeyondTrust/api/public/v3 — same shape for cloud and on-prem. The other paths are invented look-alikes; if you remember one URL from this lesson, make it this one (SignAppin, ManagedAccounts and Requests all hang off it).
Q6 · Apply

Sneha’s Ansible job signs in fine (SignAppin returns 200), but GET ManagedAccounts?systemName=db-prod-1 returns an empty list — although the account exists and rotates on schedule. What does she fix?

Correct: a. GET ManagedAccounts only returns accounts flagged Enable for API Access AND visible to the runas user’s Requestor/Requestor-Approver/ISA role. An expired/blocked key would fail SignAppin (401), not return an empty 200; port 4422 is the SSH session proxy, irrelevant to REST; workgroups don’t hide accounts from the API.
Q7 · Apply

Wipro is wiring ServiceNow ticket-gated checkout for Password Safe. Which set of prerequisites is actually required?

Correct: d. Those are the documented requirements for the certified Store app: version floor 22.2, API-enabled accounts, and the registration tied to a group holding the requestors. Domain Admin is never needed (least privilege!), ISA would bypass the very approval flow the integration exists to enforce, and the app talks HTTPS to the API — no VPN requirement.
Q8 · Analyze

A 2FA-enabled API user’s first POST Auth/SignAppin returns 401 with a WWW-Authenticate-2FA header. The script author declares the key revoked and files a ticket. What is really happening?

Correct: b. For 2FA-enabled users the API deliberately answers the first SignAppin with 401 + WWW-Authenticate-2FA; the client resends SignAppin with challenge=(code) in the auth header. A revoked key gives 401 without that header every time; clock drift is not part of PS-Auth; and Approver is an approval-workflow role, unrelated to signing in.
Q9 · Analyze

The SOC dashboards show zero BeyondInsight events. The Syslog Event Forwarder connector exists and reports no errors, and the collector receives test events from other sources. Strongest FIRST check?

Correct: a. A connector with no Event Filters ticked is "active" but subscribed to nothing — the classic silent miss — and the second suspect is the network path from the appliance subnet. Managed systems don’t run SIEM agents for PAM events (the platform emits them); Smart Rules govern onboarding, not event emission; and syslog is precisely the supported transport.
Q10 · Evaluate

Two automation designs at Flipkart. A: one API registration, ISA-role runas user, shared by every team, no IP rules, key on the wiki. B: per-team registrations with IP authentication rules, runas users holding Requestor on only their Smart Groups, keys vaulted in Secrets Safe and rotated, SIEM alert on new source IPs. Which wins, and why?

Correct: b. B applies least privilege to machines the way PAM applies it to humans: smallest role, narrowest source, shortest life, loudest alarm. A concentrates every team’s power in one secret with no containment — exactly the failure mode of the Treasury incident, where one stolen API key opened the door and no IP/anomaly control was in its path. "Internal-only" is wishful thinking; wikis and repos leak.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line: why does an auditor trust a ServiceNow-gated Password Safe more than a standalone vault? Then compare to the expert version.

Expert version: Because every privileged minute chains to an approved change — ticket validated at request time, session recorded, link written back — so the evidence is one click, not a sampling exercise across spreadsheets.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

SAML assertion
Signed XML "this user authenticated" message the IdP posts to BeyondInsight/PRA — SHA1 signatures are rejected.
IdP vs SP
IdP (Entra ID/Okta) proves identity; the Service Provider (BeyondInsight/PRA) consumes the proof at its ACS URL.
Group claim
Group list inside the assertion; mapped to a BeyondInsight group that carries roles + access policy — no map, empty portal.
API registration
BeyondInsight object (Configuration > General > API Registrations) issuing the 128-char key plus IP/X-Forwarded-For rules.
PS-Auth header
Authorization: PS-Auth key=…; runas=…; pwd=[…]; — the Password Safe API auth format; password sits in square brackets.
runas user
The real Password Safe user an API call acts as — its roles (Requestor/ISA) are the ceiling on what the key can do.
OAuth client credentials
Machine login: client_id+secret exchanged at /oauth2/token for a 1-hour Bearer — the only way into PRA’s APIs.
Connector (Event Forwarder)
Configuration > General > Connectors object shipping BeyondInsight events to syslog (CEF/LEEF/JSON) or Splunk HEC :8088.
Ticket system integration
Access-policy/Jump-Policy gate requiring a valid OPEN ITSM ticket before a release or session starts.
ISA role
Instant, approval-free retrieval (POST ISARequests). Treat ISA-capable API keys like master keys — scope and alert.
Identity Security Insights
BeyondTrust cloud ITDR — True Privilege Graph maps paths-to-privilege across AD, Entra ID, Okta, AWS, GCP, GitHub.
Entitle (JIT entitlements)
2024 acquisition — just-in-time cloud access that expires by itself; the standing-privilege killer in the Pathfinder platform.

📚 Sources

  1. BeyondTrust Docs — Configure SAML in BeyondInsight (Authentication Management > SAML Configuration; Entra ID + Okta walkthroughs; SHA1 assertions rejected). docs.beyondtrust.com/bips/docs/bi-authentication-security-provider · docs.beyondtrust.com/bips/docs/saml-entra-id
  2. BeyondTrust Docs — Password Safe + ServiceNow integration (ticket validation, Incident/Change/Problem flows, PS 22.2+, API-enabled accounts, requestor group). docs.beyondtrust.com/bips/docs/ps-snow
  3. BeyondTrust Docs — SNMP Trap & Syslog Event Forwarding + Splunk HTTP Event Collector connector (Configuration > General > Connectors; CEF/LEEF/JSON; HEC :8088). docs.beyondtrust.com/bips/docs/bi-snmp-trap-and-syslog-integration · docs.beyondtrust.com/bips/docs/bi-splunk-integration
  4. BeyondTrust Docs — BeyondInsight & Password Safe API usage + API registration (PS-Auth header, SignAppin 2FA challenge, key policies, IP / X-Forwarded-For rules). docs.beyondtrust.com/bips/reference/beyondinsight-and-password-safe-api-usage · docs.beyondtrust.com/bips/docs/ps-configure-api-registration
  5. BeyondTrust Docs — Privileged Remote Access API guide + Configuration API (OAuth client credentials at /login > Management > API Configuration; 1-hour tokens; 30-token cap; /api/config/v1). docs.beyondtrust.com/pra/reference/api-guide · docs.beyondtrust.com/pra/reference/pra-configuration-api
  6. NVD CVE-2024-12356 + The Hacker News — the Dec-2024 US Treasury incident via a stolen Remote Support SaaS API key (the API-hygiene case study). nvd.nist.gov/vuln/detail/cve-2024-12356 · thehackernews.com/2024/12/chinese-apt-exploits-beyondtrust-api.html
  7. BeyondTrust press — Entitle acquisition (JIT entitlements, 2024-04-16, 150+ integrations) + Pathfinder platform & Identity Security Insights True Privilege Graph. beyondtrust.com/press/beyondtrust-acquires-entitle · beyondtrust.com/press/pathfinder
  8. Wipro careers — BeyondTrust PAM architect JD (integration experience with 3+ platforms: AD, clouds, databases, network devices — the India job-market angle). careers.wipro.com/job/BeyondTrust-PAM-architect/72912-en_US/

What's next?

Integrations make the vault useful; availability keeps it alive. Next: U-Series HA pairs, Atlas clusters, cold-standby DR — and what actually happens when the appliance holding every password dies at 2 AM.

Next · Deployment, HA & DR: surviving failures → Practice on exam.techclick.in →