Configuring Nametag as a Delegate Identity Provider (IDP) for Beyond Identity

This guide explains how to integrate Nametag with Beyond Identity to sync users and add verified identity checks via Nametag during enrollment without changing existing authentication flows.


Overview

Nametag provides verified identity authentication using secure, government-issued ID verification. It enables organizations to verify users’ real-world identities quickly and safely, reducing fraud and risk while increasing trust in identity assertions.

This integration allows organizations to:

  • Synchronize users from Beyond Identity Directory into a Nametag tenant, and

  • Use Nametag as a delegate OIDC Identity Provider (IDP) during enrollment flows that are authorized through another IDP.

Once configured, users authenticating through your primary IDP can be additionally verified by Nametag during enrollment.

This configuration is managed primarily within:

  • Nametag Console

  • Beyond Identity Admin Console

Prerequisites

Before proceeding, ensure you have:

  • Administrative access to the Nametag Console

  • Administrative access to the Beyond Identity Admin Console

  • A working Beyond Identity tenant with Directory enabled

  • A working Nametag tenant

Recommended: Create a separate Nametag test environment before configuring in production.

Part 1 — Directory Synchronization

(Sync users from Beyond Identity into Nametag)


Step 1 — Select the correct Nametag environment

In Nametag Console:

  1. Confirm you are in the correct Nametag environment (Test or Production).

  2. If needed, create a new environment for testing.

Step 2 — Create a Beyond Identity Directory in Nametag

In Nametag Console:

  1. Navigate to and click Configure.

  2. Click Directories from the left-hand navigation.

  3. Then, click Add a directory.

  4. Then, select Beyond Identity from the list.

  5. Stay on this page; you will need values from Beyond Identity in the next steps.

Step 3 — Create Outbound Provisioning in Beyond Identity

In Beyond Identity Admin Console:

  1. Click Integrations.

  2. Select the Outbound Provisioning tab.

  3. Select Nametag and click the install icon.

Step 4 — Map Beyond Identity values into Nametag

You will now transfer values from Beyond Identity into Nametag.

  1. From the Beyond Identity Nametag application you just created, copy the following values and enter them into the Nametag Console directory configuration:

    Field            Description
    Base URL         API base URL for Beyond Identity
    Tenant ID        Your Beyond Identity tenant ID
    Realm ID         Your Beyond Identity realm ID
    Application ID   Beyond Identity application ID in Nametag
    Client ID        OAuth Client ID issued by Beyond Identity
    Client Secret    OAuth Client Secret issued by Beyond Identity

  2. When you are done, click Save Changes.

Step 5 — Connect and validate sync

In Nametag Console:

  1. Click Connect to Beyond Identity.

  2. Confirm that identities from Beyond Identity are successfully synchronized into Nametag.

Step 6 — Record the Nametag Directory Client ID

In Nametag Console:

  • Copy and save the Client ID associated with this directory.

  • You will need this in Part 2.

Part 2 — Configure Nametag as a Delegate IDP in Beyond Identity

This section enables Nametag to act as an OIDC identity provider within your existing IDP enrollment flow.

Step 1 — Add Generic OIDC Provider in Beyond Identity

In Beyond Identity Admin Console:

  1. Click Identity Providers from the left-hand navigation, then click Add Identity Provider.

  2. In the dialog window, enter the following values:

    Field                        Value
    Display Name                 Nametag
    Client ID                    (Use the Client ID from Part 1, Step 6 — this is your Nametag Directory Client ID, not a new one)
    Client Secret                Create a new API key in Nametag (see Step 3 below)
    Token Scopes                 openid
    PKCE                         Disabled
    Token URL                    https://nametag.co/oauth2/token
    Token Endpoint Auth Method   client_secret_basic
    Authorization URL            https://nametag.co/oauth2/authorize
    JWKS URL                     https://nametag.co/.well-known/jwks
    Identifying Attribute        id
    Identifying Claim Name       account.immutable_external_id
    Requested Claims             {"id_token":{"account":null}}
    OAuth 2PAR                   Enabled
    PAR Endpoint                 https://nametag.co/oauth2/par

Step 3 — Generate Client Secret in Nametag

In Nametag Console:

  1. Navigate to OAuth → Create new API Key

  2. Generate a new secret

  3. Copy only the secret (do not reuse the Client ID here)

  4. Return to Beyond Identity and paste this into Client Secret.

Step 4 — Save Configuration

In Beyond Identity Admin Console:

  1. Paste the Client Secret from the previous section.

  2. Click Save Changes.

Step 5 — Register Redirect URI in Nametag

In Beyond Identity Admin Console:

  1. Copy the Redirect URI generated for this OIDC instance.

Then, in the Nametag Console:

  1. Go to OAuth settings

  2. Add this value as an Authorized Callback URL
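
Added example (not Beyond Identity or Nametag code): what the Part 2 settings mean on the wire for a standards-conformant OIDC client, where the pushed authorization request (RFC 9126) is authenticated with client_secret_basic over the back channel and only a request_uri reaches the browser. The credentials, redirect URI, state and nonce parameters, and the dotted-path reading of the Identifying Claim Name are assumptions, not values taken from either product.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

# Settings from the Part 2 table. Credentials and redirect URI are placeholders.
CFG = {
    "client_id": "EXAMPLE_DIRECTORY_CLIENT_ID",  # placeholder, Part 1 Step 6
    "client_secret": "EXAMPLE_API_KEY_SECRET",   # placeholder, Nametag API key
    "redirect_uri": "https://bi.example/callback",  # placeholder, Part 2 Step 5
    "scope": "openid",
    "claims": {"id_token": {"account": None}},
    "authorization_url": "https://nametag.co/oauth2/authorize",
    "par_endpoint": "https://nametag.co/oauth2/par",
    "identifying_claim": "account.immutable_external_id",
}

def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 2.3.1): form-encode both parts, then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def build_par_request(cfg, state, nonce):
    """Back-channel pushed authorization request (RFC 9126): url, headers, body."""
    params = {"response_type": "code", "client_id": cfg["client_id"],
              "redirect_uri": cfg["redirect_uri"], "scope": cfg["scope"],
              "state": state, "nonce": nonce,  # assumed standard OIDC parameters
              "claims": json.dumps(cfg["claims"], separators=(",", ":"))}
    # PKCE is Disabled in the table, so no code_challenge is added here.
    headers = {"Authorization": basic_auth_header(cfg["client_id"], cfg["client_secret"]),
               "Content-Type": "application/x-www-form-urlencoded"}
    return cfg["par_endpoint"], headers, urlencode(params)

def build_authorize_url(cfg, request_uri):
    """Front channel after PAR: the browser sees only client_id and request_uri."""
    query = urlencode({"client_id": cfg["client_id"], "request_uri": request_uri})
    return f"{cfg['authorization_url']}?{query}"

def identifying_value(id_token_claims, dotted_path):
    """Resolve the identifying claim, assuming a dotted path into nested claims."""
    node = id_token_claims
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"ID token has no claim {dotted_path!r}")
        node = node[key]
    return node

if __name__ == "__main__":
    print(build_par_request(CFG, "state-123", "nonce-456"))
    print(build_authorize_url(CFG, "urn:example:request_uri:constructed"))
```

Because the redirect URI and the claims request travel in the authenticated PAR call rather than in the browser URL, a mismatch between the Redirect URI copied in Step 5 and the Authorized Callback URL registered in Nametag surfaces at the PAR step.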

Final State — What you now have

After completing these steps:

  • Users from Beyond Identity are synchronized into Nametag.

  • Nametag is registered as a delegate OIDC IDP.

  • You can now create enrollments that require Nametag verification during IDP authorization.

You are now ready to use Nametag as part of your identity proofing workflow.