Bomgar Single Sign On Setup
Bomgar Software (now known as BeyondTrust - Secure Remote Support) is remote support software that allows IT to share a user's screen and interact with their computer to perform support. Additionally, Bomgar can push software and scripts to a target machine. Bomgar is used primarily in the Nevada region; however, there is a small deployment in the Bally's environment. Bomgar is not utilized by IT for internal support in IL, MT, PA, IN, and NE.
This article will focus on the Single Sign On (SSO) set up between Bomgar and Microsoft Entra (Azure).
Microsoft Entra SSO with SAML
Basic SAML Configuration
Attributes & Claims
- FirstName: user.givenname
- Username: user.userprincipalname
- LastName: user.surname
- Email: user.mail
- groups: user.groups
- Unique User Identifier: user.userprincipalname
SAML Certificate expires 12/20/2026
Items for Bomgar Set Up
Conditional Access Policy: BeyondTrust Bomgar MFA
- All SSO users are included
- Condition used to enforce: any location, with all trusted locations excluded
- Trusted locations are found in Entra / Azure Admin portal > Conditional Access > Named Locations. The location must have the 'Trusted' field set to 'Yes'
- All JJVG & GRO trusted locations (Public IPs) listed under 'JJVG Locations'
- To add a site to the Trusted Locations contact the Security Manager
- Session sign-in frequency is set to 1 Day
- Access is granted but MFA required
Active Directory Security Groups
SSO with Bomgar uses Active Directory (AD) security groups to provide and delegate access.
G_SSO_Bomgar_IT_Administrators
- Object ID: c6257182-e793-4beb-8c71-36fc64b35312
- Bomgar Group Name: IT Administrators
- Users perform configuration changes to the Bomgar deployment
G_SSO_Bomgar_IT_Helpdesk
- Object ID: 943b5223-3881-4d31-8211-c1a3a61857aa
- Bomgar Group Name: IT Help Desk
- Used by GRO & JJVG IT staff; access to all machines with Bomgar client installed
G_SSO_Bomgar_Dev
- Object ID: 6caccebe-fdee-4861-8414-1f0138314755
- Bomgar Group Name: Dev
- Used by Ardent and Golden Edge Developers
G_SSO_Bomgar_GRON
- Object ID: 6e39cd9d-2587-48d0-8081-29e8c9423789
- Bomgar Group Name: GRON
- Used by Northern route supervisors
G_SSO_Bomgar_GROS
- Object ID: 7b5a7416-a3fd-41f8-8e86-032ab4d38133
- Bomgar Group Name: GROS
- Used by Southern route supervisors
G_SSO_Bomgar_SalesN
- Object ID: 92de8ed4-3173-476a-b1f7-519598404180
- Bomgar Group Name: SalesN
- Used by Sales / Marketing North
G_SSO_Bomgar_SalesS
- Object ID: 46b622cf-6375-49e2-a679-17f2d794621f
- Bomgar Group Name: SalesS
- Used by Sales / Marketing South
G_SSO_Bomgar_Vendors
G_SSO_Bomgar_GEI
- Object ID: 38e31c3d-6ad2-42c3-bc96-15ab1662acf9
- Bomgar Group Name: PTEG Ardent
- Used by Golden Enterprise employees to access legacy systems
To Add a New Group
- Start Change Management process and receive approvals
- Create Security Group in On Premise AD
- Group should be created in jjventures.lan > EndUsers > Groups > SSO Groups
- Naming convention: G_SSO_Bomgar_<Name of Bomgar Group ID>
- Give the group a description
- Add users; users should only be members of one Bomgar SSO group at a time
- Group will replicate to Entra/Azure AD
- Replicates every 15 minutes
- Replication can be forced from AADConnect1.jjventures.lan if needed immediately
- Add the group to the application in Entra/Azure: Enterprise Applications > Bomgar > Users and Groups > + Add user/group > None Selected > group name > Select > Assign.
- Add the group to the Conditional Access policy to enforce MFA: Microsoft Entra Conditional Access > Policies > BeyondTrust Bomgar MFA > Users > add the group under the 'Include' section and Save
- Locate the newly created group's object ID: Microsoft Entra ID > Groups > group name > Object ID
- Log into the Bomgar Administrative Console and add the Entra/Azure group: Users & Security > Security Providers > Edit the SAML Provider (AzureAD) > Authorization Settings > add the AzureAD Object ID of the group to the Available Groups
- Create the Bomgar Group ID (New Group Policy) and associate it with the newly created Entra / Azure group.
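One way to audit the groups created by this procedure against the rules above (naming convention, location, description, one Bomgar SSO group per user). This is an added example, not part of the original document; it assumes the RSAT ActiveDirectory module is available and that "jjventures.lan > EndUsers > Groups > SSO Groups" is an OU path with the distinguished name shown.

```powershell
Import-Module ActiveDirectory

# Assumption: the SSO Groups location from the procedure maps to this OU DN.
$SsoOu = 'OU=SSO Groups,OU=Groups,OU=EndUsers,DC=jjventures,DC=lan'

# Every group that follows the naming convention, wherever it lives in the domain.
$groups = Get-ADGroup -Filter "Name -like 'G_SSO_Bomgar_*'" -Properties Description

# Per-group checks: location, group type, description.
$groupFindings = foreach ($g in $groups) {
    if ($g.DistinguishedName -notlike "*,$SsoOu") {
        [pscustomobject]@{ Subject = $g.Name; Issue = 'Group is outside the SSO Groups OU'; Detail = $g.DistinguishedName }
    }
    if ($g.GroupCategory -ne 'Security') {
        [pscustomobject]@{ Subject = $g.Name; Issue = 'Not a security group'; Detail = [string]$g.GroupCategory }
    }
    if ([string]::IsNullOrWhiteSpace($g.Description)) {
        [pscustomobject]@{ Subject = $g.Name; Issue = 'Missing description'; Detail = '' }
    }
}

# Direct user memberships across all Bomgar SSO groups.
$memberships = foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; GroupName = $g.Name } }
}

# Users should be members of only one Bomgar SSO group at a time.
$userFindings = $memberships | Group-Object User | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{
        Subject = $_.Name
        Issue   = 'User is in more than one Bomgar SSO group'
        Detail  = ($_.Group.GroupName -join ', ')
    }
}

# Empty output means every check passed.
@($groupFindings) + @($userFindings) | Sort-Object Issue, Subject | Format-Table -AutoSize -Wrap
```

The script only reads from AD. It does not check the Entra application assignment or the Conditional Access policy membership, which still need to be confirmed in the portal.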
Change Log
| Date | Changes | Author |
|---|---|---|
| 2/20/2024 | Original Document | Mark Gibson |
| 6/28/2024 | Added 'G_SSO_Bomgar_GEI' group information and updated Conditional Access settings | Mark Gibson |