Skip to content
BlokSec Docs

Privileged Remote Access

Traditional remote access methods such as RDP, VPN, and legacy remote desktop tools lack granular access management controls. These processes enable easy exploits via stolen credentials and session hijacking. Extending remote access to your vendors makes matters even worse.

BeyondTrust Privileged Remote Access enables organizations to apply least privilege and audit controls to all remote access from employees, vendors, and service desks. BlokSec provides users the ability to securely connect without the hassle of passwords or MFA.

Prerequisites

Section titled “Prerequisites”
  • Installed BeyondTrust Privileged Remote Access instance
  • Installed BlokSec instance
  • BlokSec test users with mobile app installed

Create the Privileged Remote Access application in BlokSec

Section titled “Create the Privileged Remote Access application in BlokSec”

Log in to BlokSec and follow the steps below.

  1. From the dashboard, click + Add Application
  2. Select Create from Template
  3. Select the BeyondTrust Remote Support and Privileged Remote Access for Representatives template
  4. On the Create Application screen:
    • Replace {your-instance-url} in the Entity ID and Assertion Consumer Service URLs with the URL of your BeyondTrust site (for example, eval######.beyondtrustcloud.com or your customer URL)
    • Set the NameID Source to User email
  5. Edit the Groups attribute and set the Value to the group name to be passed with the SAML assertion
  6. Submit the new application, then:
    • Note the SSO URI
    • View and save the X.509 Signing Certificate to a file (for example, signing_cert.pem)

Configure the SAML identity provider in BeyondTrust

Section titled “Configure the SAML identity provider in BeyondTrust”

Log in to BeyondTrust Privileged Remote Access and continue with the steps below.

  1. Navigate to Users & SecuritySecurity Providers, click + Add, and select SAML2
  2. Under Identity Provider Settings:
    • Set Entity ID to https://api.bloksec.io
    • Set Single Sign-On Service URL to the SSO URI provided by BlokSec when the application was created (for example, https://api.bloksec.io/sso/SingleSignOnService/{unique_ID})
    • Click + Upload Certificate and upload the X.509 signing certificate downloaded from BlokSec
  3. Under Authorization Settings, choose the group to use for the Default Group Policy

Test the configuration

Section titled “Test the configuration”

  1. In the BlokSec admin console, navigate to the newly created BeyondTrust Privileged Remote Access application

  2. Click the settings icon and select Create Account

  3. Go to your BeyondTrust instance’s login page (for example, https://eval######.beyondtrustcloud.com/login/login) and click Use SAML Authentication

  4. Enter the username created in the previous step

  5. BlokSec sends a push notification to the user’s mobile app

  6. The user reviews the request and approves it — the device performs a biometric authentication (fingerprint or facial recognition), and a digital signature is sent to BlokSec to verify the representative’s identity

  7. The representative is securely logged in to the BeyondTrust Privileged Remote Access console