Full Guide: Installing the Beyond Identity User Portal


This article provides step-by-step instructions for configuring Beyond Identity User and Admin Portal access via Okta, including SCIM provisioning, SSO integration using OIDC or SAML, and user authentication workflows.


To set up the BI User Portal, follow the steps below.

  1. In the Okta portal, navigate to Applications > Applications > Browse App Catalog.

  2. In the Search window, type Beyond Identity User.

  3. Select the Beyond Identity User Portal app.

  4. Click Add.

  5. Under General Settings, update the following:

    • In the Application Label, type Beyond Identity User Portal.

    • Click Done.

  6. In the Assignment tab, click Assign and select Assign to Groups from the drop-down.

  7. Click Assign for the Beyond Identity group.

  8. In the Sign On tab, update the following fields.

    • Click Edit for settings.

    • Update the Org ID field with the Organization ID provided by the Beyond Identity team. This is the name of your Beyond Identity tenant.

    • Note the SSO Client ID and Client Secret values, and save these in a secure external document. You will use these values in the next section.

    • Click Save.

  9. In the Provisioning tab, update the following fields.

    • Click Configure API Integration.

    • Click Enable API Integration.

    • Switch to the Beyond Identity Admin Console to generate an API token:

      1. Go to Settings > API Access and click Create Client Credentials.

      2. Name the Client Credential, and select only the SCIM values for the allowed scopes.

      3. Set the Credential Expiration.

        Note: this value is in seconds.

      4. Click Create Client Credentials.

      5. Click on your newly created credential to generate a token for this credential.

      6. Click on Tokens.

      7. Click Create token.

      8. Name the token Okta API Token and click Create token.

        Note: Click the copy icon and save this token in a secure location. This is the only opportunity you have to see the full token value.

      9. Return to the Okta Admin Console and, in the API token field, paste the API token you generated in the previous step.

      10. Click Test API Credentials.

      11. Select Import Groups if it is not enabled by default. (This is only available in Okta Production instances and not in Developer or Preview instances.)

      12. After seeing the message, “Beyond Identity User Portal was verified Successfully”, save the configuration.

  10. After setting up your API SCIM configuration in the above step, make the following changes in the Provisioning tab.

    • In the Provisioning to App section, click Edit.

    • Click Enable beside each of the following:

      • Create Users

      • Update User Attributes

      • Deactivate Users

    • Click Save.

  11. Make the following changes in the Provisioning tab.

    Note: This step only applies to Okta Production instances, not Developer or Preview instances.

    1. In the Integration section, click Edit.

    2. Select Import Groups if it is not enabled by default.

    3. Click Save.

  12. To sync groups with Beyond Identity:

    • Select the Push Groups tab.

    • Click the Push Groups drop-down and select Find groups by name. This defines which groups are synced with Beyond Identity. Add your Beyond Identity Group to this section and click Save.

With the above steps completed, verify that your users now appear in the Beyond Identity Admin Console. They should now be populated via SCIM.

Set Up the User Portal Access in Beyond Identity

  1. Log into the Beyond Identity Admin console.

  2. Navigate to Settings > Console Login > User Console SSO Integrations and click Add Active SSO.

  3. Select the drop-down beside Active SSO and choose whether to use OIDC or SAML for the SSO. For this integration, we recommend using OIDC.

  4. Click Save Changes.

  5. Configure the fields for the SSO type for User Console SSO Integrations and then click Save Changes.

    • OIDC Connection

      OIDC Option          Specify the following
      Name                 Okta OIDC SSO
      Client ID            <Use the value copied in the previous section>
      Client Secret        <Use the value copied in the previous section>
      Issuer               https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL) (Remember not to have a trailing slash after issuer URL)
      Token Field          sub
      Token Field Lookup   external id
      Scopes               Select all [Alternately select Profile, email] - Optional

    • SAML Connection

      SAML Option               Specify the following
      Name                      Okta SAML SSO
      IDP URL                   <SAML SSO service URL>
      IDP Entity ID             <SAML request URL>
      Name ID Format            unspecified (unless the IDP requires a different value)
      Subject User Attribute    Option varies based on the Beyond Identity attribute
      Request Binding           Binding for the outgoing AuthnRequest
      X509 Signing Certificate  Upload the public key certificate of the IDP used to verify SAML assertions

 

Set Up the Beyond Identity Admin Application in Okta

  1. In the Okta portal, navigate to Applications > Applications > Browse App Catalog.

  2. In the Search window, type Beyond Identity Admin.

  3. Click the Beyond Identity Admin Portal app.

  4. Click Add.

  5. In the Assignment tab, assign Admins to this Application.

  6. In the Sign On tab, update the following.

    1. Click Edit for settings.

    2. Update the Org ID field with the Organization ID provided by Beyond Identity.

    3. Note the SSO Client ID and Client Secret fields. You will use them in the following section.

Set Up Admin Portal Access in Beyond Identity

  1. In the Beyond Identity Admin console, navigate to Settings > Console Login > Admin Console SSO Integrations.

  2. Click Add Active SSO.

  3. Select the drop-down beside Active SSO and choose whether to use OIDC or SAML for the SSO. For this integration, we recommend using OIDC.

  4. Click Save Changes.

  5. Configure the fields for the SSO type for Admin console SSO Integrations and then click Save Changes.

    • OIDC Connection

      OIDC Option          Specify the following
      Name                 Admin Console SSO - Okta
      Client ID            <Use the value copied in the previous section>
      Client Secret        <Use the value copied in the previous section>
      Issuer               https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL) (Remember not to have a trailing slash after issuer URL)
      Token Field          sub
      Token Field Lookup   external id
      Scopes               Select all [Alternately select Profile, email] - Optional

    • SAML Connection

      SAML Option               Specify the following
      Name                      Admin Console SSO - SAML
      IDP URL                   <SAML SSO service URL>
      IDP Entity ID             <SAML request URL>
      Name ID Format            unspecified (unless the IDP requires a different value)
      Subject User Attribute    Option varies based on the Beyond Identity attribute
      Request Binding           Binding for the outgoing AuthnRequest
      X509 Signing Certificate  Upload the public key certificate of the IDP used to verify SAML assertions

  6. Assign a user to an Admin role so they can access the Beyond Identity Admin console.

    1. Select the Console Access Control tab.

    2. Click on the predefined Super Administrators role.

    3. Click Assign Access role to users and select a user from the drop-down.

    4. Click Assign users to role.

      Note: You can also assign user groups to Admin roles. To do so, select the Groups tab for the predefined admin role, click Assign access role to groups, select a group, and then click Assign groups to role.

  7. After these values are provisioned, the user or a group member assigned to the Super Administrator role should log in and confirm that they have access to the Beyond Identity Admin console through the Okta SSO.
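
The Issuer, Token Field and Token Field Lookup values from the User Console and Admin Console OIDC tables can be checked before a first login, as in this added Python example (not Beyond Identity or Okta code). It assumes that "external id" refers to the SCIM externalId attribute written during provisioning and that the ID token signature has already been verified; the issuer, client ID and user records are constructed placeholders.

```python
# Added example with constructed data; not Beyond Identity or Okta code.
from urllib.parse import urlsplit

ISSUER = "https://okta-tenant.example"   # stands in for https://<okta-tenant-id>.okta.com
CLIENT_ID = "0oa-constructed-client-id"  # placeholder for the SSO Client ID
DISCOVERY = {"issuer": ISSUER}           # trimmed /.well-known/openid-configuration body
SCIM_USERS = [                           # constructed records as provisioned over SCIM
    {"externalId": "00u-constructed-1", "userName": "alice@example.com", "active": True},
    {"externalId": "00u-constructed-2", "userName": "bob@example.com", "active": False},
]

def check_issuer(configured, discovery_doc):
    """Return the problems found with an Issuer field value (empty list = OK)."""
    problems = []
    parts = urlsplit(configured)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an absolute https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    if configured.endswith("/"):
        problems.append("issuer has a trailing slash")
    # OIDC Discovery compares issuers as exact strings, so no normalisation here.
    if discovery_doc.get("issuer") != configured:
        problems.append("issuer differs from the discovery document")
    return problems

def resolve_user(claims, issuer, client_id, scim_users, token_field="sub"):
    """Map already signature-verified ID-token claims to one active provisioned user."""
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain the configured client ID")
    key = claims.get(token_field)
    matches = [u for u in scim_users if key and u.get("externalId") == key]
    if len(matches) != 1:
        raise ValueError("token field does not identify exactly one user")
    if not matches[0].get("active", False):
        raise ValueError("user was deactivated through provisioning")
    return matches[0]["userName"]

if __name__ == "__main__":
    print(check_issuer(ISSUER + "/", DISCOVERY))
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-constructed-1"}
    print(resolve_user(claims, ISSUER, CLIENT_ID, SCIM_USERS))
```

A trailing slash fails both the format check and the exact-match check, which is why the Issuer field must be entered without one.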

User Authentication (Signing in)

  1. Enrolled users can visit their Okta instance or any application supported by your SSO to sign into their corporate applications.

  2. The Okta application or SSO-supported application will ask the user to enter their username.

  3. Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.

  4. The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.

    Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.