Remote Support
Traditional remote access methods such as RDP, VPN, and legacy remote desktop tools lack granular access management controls. Without those controls, they are easy to exploit through stolen credentials and session hijacking. Extending remote access to your vendors makes matters even worse.
BeyondTrust Remote Support enables organizations to apply least privilege and audit controls to all remote access from employees, vendors, and service desks. BlokSec provides users the ability to securely connect without the hassle of passwords or MFA. Both representatives and public portals are supported.
BlokSec integration for representatives
Representatives authenticate to the BeyondTrust Remote Support console via SAML. Configuration is required in both BlokSec and BeyondTrust.
Prerequisites
- Installed BeyondTrust Remote Support instance
- Installed BlokSec instance
- BlokSec test users with mobile app installed
Create the application in BlokSec
Log in to BlokSec and follow the steps below.
- From the dashboard, click + Add Application
- Select Create from Template
- Select the BeyondTrust Remote Support and Privileged Remote Access for Representatives template
- On the Create Application screen:
  - Replace {your-instance-url} in the Entity ID and Assertion Consumer Service URLs with the URL of your BeyondTrust site (for example, eval######.beyondtrustcloud.com or your customer URL)
  - Set the NameID Source to User email
- Edit the Groups attribute and set the Value to the group name to be passed with the SAML assertion
- Submit the new application, then:
  - Note the SSO URI
  - View and save the X.509 Signing Certificate to a file (for example, signing_cert.pem)
Configure SAML for representatives in BeyondTrust
Log in to BeyondTrust Remote Support and follow the steps below.
- Navigate to Users & Security → Security Providers, click + Add, and select SAML for Representatives
- Under Identity Provider Settings:
  - Set Entity ID to https://api.bloksec.io
  - Set Single Sign-On Service URL to the SSO URI provided by BlokSec (for example, https://api.bloksec.io/sso/SingleSignOnService/{unique_ID})
  - Click + Upload Certificate and upload the X.509 signing certificate downloaded from BlokSec
- Under Authorization Settings, choose the group to use for the Default Group Policy
Test the configuration
- In the BlokSec admin console, navigate to the newly created BeyondTrust Remote Support for Representatives application
- Click the settings icon and select Create Account
- Go to your BeyondTrust instance’s login page (for example, https://eval######.beyondtrustcloud.com/login/login) and click Use SAML Authentication
- Enter the username created in the previous step
- BlokSec sends a push notification to the user’s mobile app
- The representative reviews the request and approves it — the device performs a biometric authentication (fingerprint or facial recognition), and a digital signature is sent to BlokSec to verify the representative’s identity
- The representative is securely logged in to the BeyondTrust Remote Support console
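If the test login fails or the representative lands in the wrong group, decoding the SAMLResponse that the browser posts to BeyondTrust shows whether the values configured above actually arrived. The following is an added example, not BlokSec or BeyondTrust code: it checks the Issuer, the email NameID, the audience and the Groups attribute of a captured response. The function names, the attribute name Groups as it appears in the assertion, the audience URL https://support.example.com and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://api.bloksec.io"  # IdP Entity ID from this guide
GROUPS_ATTR = "Groups"  # assumed attribute name, from the template's Groups attribute


def check_saml_response(b64_response, expected_audience, expected_group):
    """List configuration problems in a base64 SAMLResponse (signature NOT verified)."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["response contains a DTD; refusing to parse"]
    assertion = ET.fromstring(xml).find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]

    def texts(path):  # stripped text of every element matching path
        return [e.text.strip() for e in assertion.iterfind(path, NS) if e.text]

    problems = []
    if texts("a:Issuer") != [EXPECTED_ISSUER]:
        problems.append(f"Issuer {texts('a:Issuer')} is not {EXPECTED_ISSUER}")
    name_ids = texts("a:Subject/a:NameID")
    if len(name_ids) != 1 or "@" not in name_ids[0]:
        problems.append(f"NameID {name_ids} is not a single email address")
    audiences = texts("a:Conditions/a:AudienceRestriction/a:Audience")
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} lacks {expected_audience}")
    groups = texts(f"a:AttributeStatement/a:Attribute[@Name='{GROUPS_ATTR}']/a:AttributeValue")
    if expected_group not in groups:
        problems.append(f"{GROUPS_ATTR} {groups} lacks {expected_group}")
    return problems


def build_sample(name_id, group):  # constructed, unsigned test input
    xml = (f'<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="{NS["a"]}">'
           f"<a:Assertion><a:Issuer>{EXPECTED_ISSUER}</a:Issuer>"
           f"<a:Subject><a:NameID>{name_id}</a:NameID></a:Subject>"
           "<a:Conditions><a:AudienceRestriction>"
           "<a:Audience>https://support.example.com</a:Audience>"  # assumed SP Entity ID
           "</a:AudienceRestriction></a:Conditions>"
           f'<a:AttributeStatement><a:Attribute Name="{GROUPS_ATTR}">'
           f"<a:AttributeValue>{group}</a:AttributeValue></a:Attribute>"
           "</a:AttributeStatement></a:Assertion></p:Response>")
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the inspected values match the configuration; signature validation against signing_cert.pem is still performed by BeyondTrust, not by this check.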
BlokSec integration for public portals
Public portals can be configured to require SAML authentication via BlokSec, so that end users accessing the portal are authenticated passwordlessly before starting a support session.
Prerequisites
- Installed BeyondTrust Remote Support instance
- Installed BlokSec instance
- BlokSec test users with mobile app installed
Create the application in BlokSec
Log in to BlokSec and follow the steps below.
- From the dashboard, click + Add Application
- Select Create from Template
- Select the BeyondTrust Remote Support Public Portal template
- On the Create Application screen:
  - Replace {your-instance-url} in the Entity ID and Assertion Consumer Service URLs with the URL of your BeyondTrust site (for example, eval######.beyondtrustcloud.com or your customer URL)
  - Set the NameID Source to User email
- Submit the new application, then:
  - Note the SSO URI
  - Save the X.509 Signing Certificate to a file (for example, signing_cert.pem)
Configure SAML for public portals in BeyondTrust
Log in to BeyondTrust Remote Support and follow the steps below.
- Navigate to Users & Security → Security Providers, click + Add, and select SAML for Public Portals
- Under Identity Provider Settings:
  - Set Entity ID to https://api.bloksec.io
  - Set Single Sign-On Service URL to the SSO URI provided by BlokSec (for example, https://api.bloksec.io/sso/SingleSignOnService/{unique_ID})
  - Click + Upload Certificate and upload the X.509 signing certificate downloaded from BlokSec
Require SAML authentication on the public portal
- Navigate to Public Portals → Public Sites and edit the site you want to protect with BlokSec
- Check the Require SAML Authentication box
- Click Save
Test the configuration
- In the BlokSec admin console, navigate to the newly created BeyondTrust Remote Support for Representatives application
- Click the settings icon and select Create Account
- Go to your BeyondTrust instance’s public site (for example, https://eval######.beyondtrustcloud.com) and click Login
- Enter the username created in the previous step
- BlokSec sends a push notification to the user’s mobile app
- The user reviews the request and approves it — the device performs a biometric authentication (fingerprint or facial recognition), and a digital signature is sent to BlokSec to verify the user’s identity
- The user is securely logged in to the BeyondTrust Remote Support portal