Integrating Trusona and BeyondTrust

This guide details the steps required to configure Trusona as a passwordless authentication solution with BeyondTrust Password Safe.

1. Getting started

1.1. Generate Service Provider Certificate

  1. Create a personal information exchange (.pfx) certificate and a public certificate for the BeyondInsight service provider.
  2. Place them both in the following folder on the UVM: C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
  3. Save a copy of the public certificate to send to Trusona

1.2. Email Trusona

Send an email to support@trusona.com with the following information:

Subject: BeyondTrust Integration

  • Required:
    • Service Provider public certificate
    • Company name

1.3. Returned by Trusona

Trusona will send you the following via email:

  • Single Sign-on Service URL
  • Single Logout Service URL
  • Partner Certificate File
  • Trusona login page

2. Configuration

2.1. Service Provider configuration

  1. Log in to the BeyondTrust server
  2. Copy Trusona’s Partner Certificate File (trusona.cer) to C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
  3. Open saml.config located at C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config
  4. Edit the <ServiceProvider> entry to match the following:
  <ServiceProvider Name="https://[YOUR HOST NAME]/eEye.RetinaCSSAML"
                   Description="BeyondTrust Service Provider"
                   AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
                   LocalCertificateFile="Certificates\sp.pfx"
                   LocalCertificatePassword="[YOUR CERTIFICATE PASSWORD]"/>

2.2. Partner Identity Provider configuration

  1. Copy the Partner Certificate file received from Trusona to C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates\trusona.crt
  2. Edit saml.config to add the following:
  <PartnerIdentityProviders>
    <!-- Trusona -->
    <PartnerIdentityProvider Name="https://gateway.trusona.net/saml/metadata"
                             Description="Trusona"
                             SignAuthnRequest="true"
                             SignLogoutRequest="true"
                             WantSAMLResponseSigned="false"
                             WantAssertionSigned="true"
                             WantAssertionEncrypted="false"
                             WantLogoutResponsesSigned="true"
                             SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             SingleSignOnServiceUrl="https://[Single Sign-on Service URL provided by Trusona]"
                             SingleLogoutServiceUrl="https://[Single Logout Service URL provided by Trusona]"
                             PartnerCertificateFile="Certificates\trusona.crt"/>
  </PartnerIdentityProviders>

2.3. Partner IdP configuration

  1. Open the web.config file located at C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config
  2. Edit the PartnerIdP key and set it to the following:
  <add key="PartnerIdP" value="https://gateway.trusona.net/saml/metadata" />

Save web.config and saml.config and restart the BeyondTrust service.
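
The values set in sections 2.1 to 2.3 can be checked before the service is restarted. The script below is an added example, not BeyondTrust or Trusona code; the function name Test-TrusonaSamlConfig, the -SamlRoot parameter and the sample input are assumptions made for illustration. It flags unreplaced placeholders, a PartnerIdP key that does not match the identity provider Name, missing certificate files, and the case where neither the response nor the assertion must be signed (this guide sets WantSAMLResponseSigned="false", so WantAssertionSigned="true" is the setting that makes the service provider verify Trusona's signature).

```powershell
# Added example. Test-TrusonaSamlConfig is a hypothetical helper name, not a vendor tool.
function Test-TrusonaSamlConfig {
    param([string]$SamlConfigXml, [string]$WebConfigXml, [string]$SamlRoot)
    $findings = @()
    $saml = [xml]$SamlConfigXml
    $web  = [xml]$WebConfigXml
    # local-name() matches the elements whether or not the file declares a default namespace.
    $sp  = $saml.SelectSingleNode("//*[local-name()='ServiceProvider']")
    $idp = $saml.SelectSingleNode("//*[local-name()='PartnerIdentityProvider']")
    if (-not $sp -or -not $idp) { return @('ServiceProvider or PartnerIdentityProvider entry missing') }

    # 1. Template placeholders such as [YOUR HOST NAME] must have been replaced.
    foreach ($attr in @($sp.Attributes) + @($idp.Attributes)) {
        if ($attr.Value -match '\[[^\]]+\]') { $findings += "$($attr.Name) still holds a placeholder" }
    }
    # 2. The response need not be signed here, so the assertion signature is the integrity check.
    if ($idp.GetAttribute('WantSAMLResponseSigned') -ne 'true' -and
        $idp.GetAttribute('WantAssertionSigned') -ne 'true') {
        $findings += 'Neither the SAML response nor the assertion is required to be signed'
    }
    # 3. web.config must select the same IdP entity ID that saml.config defines.
    $key = $web.SelectSingleNode("//*[local-name()='add'][@key='PartnerIdP']")
    if (-not $key -or $key.GetAttribute('value') -cne $idp.GetAttribute('Name')) {
        $findings += 'PartnerIdP in web.config does not match PartnerIdentityProvider Name'
    }
    # 4. Referenced certificate files must exist under the WebSiteSAML folder (skipped if no root given).
    if ($SamlRoot) {
        foreach ($rel in $sp.GetAttribute('LocalCertificateFile'), $idp.GetAttribute('PartnerCertificateFile')) {
            if (-not (Test-Path -LiteralPath (Join-Path $SamlRoot $rel))) { $findings += "Missing file: $rel" }
        }
    }
    return $findings
}

# Constructed sample input (not a real deployment): one placeholder left in, assertion signing off.
$sampleSaml = @'
<Sample>
  <ServiceProvider Name="https://pam.example.test/eEye.RetinaCSSAML"
                   LocalCertificateFile="Certificates\sp.pfx"
                   LocalCertificatePassword="[YOUR CERTIFICATE PASSWORD]"/>
  <PartnerIdentityProvider Name="https://gateway.trusona.net/saml/metadata"
                           WantSAMLResponseSigned="false" WantAssertionSigned="false"
                           PartnerCertificateFile="Certificates\trusona.crt"/>
</Sample>
'@
$sampleWeb = '<configuration><appSettings><add key="PartnerIdP" value="https://gateway.trusona.net/saml/metadata" /></appSettings></configuration>'
Test-TrusonaSamlConfig -SamlConfigXml $sampleSaml -WebConfigXml $sampleWeb
```

On the server, pass the file contents with Get-Content -Raw and set -SamlRoot to the WebSiteSAML folder so the certificate file check runs. saml.config holds LocalCertificatePassword in clear text, so limit read access on that folder to administrators and the account the site runs under.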

2.4. Trusona login page

  1. Copy the Trusona login page received from Trusona to C:\inetpub\wwwroot
  2. Name the file homepage.html

3. Testing the integration

  1. Visit https://[YOUR HOST NAME]/homepage.html
  2. Click the Login with Trusona button
  3. Scan the TruCode with the Trusona App
  4. Accept the Trusonafication

You’ve been logged in!

