Bomgar/BeyondTrust relying party?

Herron, Joel D herronj at
Fri Oct 14 13:37:34 UTC 2022

We are allowing their release of the persistent nameID, which is just our standard persistent ID (a sha1 hash of a salted UUID). As well, I’m releasing:
uid, displayName, mail and groupMembership (for authorization in BT)

I’m doing nothing special in relying party or in their metadata; it was a really easy setup from what I recall.

Hope that helps,


From: users <users-bounces at> on behalf of IAM David Bantz via users <users at>
Date: Thursday, October 13, 2022 at 2:40 PM
To: Shib Users <users at>
Cc: IAM David Bantz <dabantz at>
Subject: Bomgar/BeyondTrust relying party?
Have you successfully configured Bomgar (BeyondTrust) for SSO via your Shibb IdP?

Bomgar (BeyondTrust) has a GUI for SAML SSO integration that is mostly clear and straightforward,
but seemingly appropriate SAML assertions trigger “Authentication Failed” message at the service
(with no further details).

Incoming SAML request specifies a nameid-format:persistent (not mentioned in the GUI) so
I configured release of nameID based on uid (unscoped username) and ePPN (same username,<>)
with the requested format. Neither alternative produced anything further than “Authentication Failed” at the service.
Support has so far been less than useless. Perhaps you know an additional unmentioned requirement or trick?

David St Pierre Bantz
U Alaska IAM
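
The persistent NameID described in the reply (a SHA-1 hash of a salted UUID), paired with the four released attributes, as an added sketch that is not part of either message and is not Shibboleth's own code. It assumes the hash covers the SP entityID, the UUID and the salt joined by "!" and is Base64-encoded; the entityIDs, salt and user record are constructed placeholders.

```python
import base64
import hashlib

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RELEASED = ("uid", "displayName", "mail", "groupMembership")


def persistent_name_id(sp_entity_id: str, source_value: str, salt: bytes) -> str:
    """Opaque per-SP identifier: Base64(SHA-1(entityID ! source ! salt)).

    The input layout is an assumption of this sketch; check it against
    the persistent-ID settings of your own IdP.
    """
    if not sp_entity_id or not source_value:
        raise ValueError("entityID and source value are required")
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8") + b"!")
    digest.update(source_value.encode("utf-8") + b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def build_assertion_identity(sp_entity_id: str, user: dict, salt: bytes) -> dict:
    """Subject NameID plus the attributes listed in the reply."""
    missing = [name for name in RELEASED if name not in user]
    if missing:
        raise KeyError("user record lacks: " + ", ".join(missing))
    name_id = persistent_name_id(sp_entity_id, user["uuid"], salt)
    return {
        "NameID": {"Format": PERSISTENT, "Value": name_id},
        "Attributes": {name: user[name] for name in RELEASED},
    }


# Constructed sample data (not from the thread).
SALT = b"constructed-demo-salt-0123456789"
BT_SP = "https://bomgar.example.edu/saml"        # placeholder entityID
OTHER_SP = "https://wiki.example.edu/shibboleth"  # placeholder entityID
USER = {
    "uuid": "3f2b8c1e-5d4a-4e7b-9a61-0c2d7e8f9a10",
    "uid": "jdoe",
    "displayName": "Jane Doe",
    "mail": "jdoe@example.edu",
    "groupMembership": ["bt-representatives"],
}

if __name__ == "__main__":
    for sp in (BT_SP, OTHER_SP):
        print(sp, build_assertion_identity(sp, USER, SALT)["NameID"]["Value"])
```

The same user gets a different NameID value at each SP, so the username and group data reach the service only through the released attributes.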