Integration Guide for Arista Wi-Fi with Okta SSO


Introduction

This guide describes how to set up Arista Cloud for integration with Okta SSO and the Beyond Identity IdP as the first factor (L3 authentication).

Prerequisites

Ensure that you have the following:

  1. An Okta account with “Super” or “Organization” admin privileges

  2. An Arista network admin account



Okta Configuration for Provisioning Users in Beyond Identity

Step 1: Add Beyond Identity User Group

  1. Click on Directory > Groups

  2. Click on Add Group

  3. Fill in the fields as shown in the following image:

    1. Name: Beyond Identity

    2. Description: Beyond Identity Users Group

  4. Click Add Group


Step 2: Setup Beyond Identity Admin Application in Okta

  1. Click on Applications > Add Application

  2. In the search window, type Beyond Identity Admin

  3. Select the app titled Beyond Identity Admin Portal.

  4. Click Add

  5. In the General Settings, update the following fields:

    1. Application Label: Beyond Identity Admin Portal

    2. Click Done

  6. In the Assignment tab, assign Admins to this application

  7. In the Sign On tab, update the following fields:

    1. Click on Edit for settings

    2. Update the Org ID field with the Organization ID provided by the Beyond Identity team

    3. Note down the SSO Client ID and Client Secret fields and provide them to the Beyond Identity team

Step 3: Setup Admin Portal Access

  1. Provide the Client ID and Client Secret assigned to the Admin UI application in Okta to the Beyond Identity SE. The Beyond Identity team will collect and configure these values.

  2. Beyond Identity Field Team: Please configure the following fields through the Beyond Identity Support Console while updating the Admin Console Configuration:

    1. Name: Okta OIDC Integration

    2. Client ID: <Use the value recorded in the previous step>

    3. Client Secret: <Use the value recorded in the previous step>

    4. Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL)

    5. Token Field: sub

    6. Token Field Lookup: external_id

  3. After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console.
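As an added illustration (not code from Beyond Identity, Okta or Arista), the following Python models what the Step 3 values do: the `sub` claim of Okta's ID token is looked up against each user's `external_id`, and a token whose issuer or audience does not match the configured tenant and client is rejected. The configuration values, the user directory and the token claims are constructed placeholders; signature verification of the ID token is assumed to have happened before this step.

```python
import re
import time
# Constructed Admin Console values mirroring Step 3 (placeholders, not real).
CONFIG = {
    "client_id": "placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "issuer": "https://example-tenant.okta.com",
    "token_field": "sub",                 # claim read from the Okta ID token
    "token_field_lookup": "external_id",  # user attribute it is matched against
}
# Constructed user directory; external_id carries the Okta user id.
DIRECTORY = [
    {"id": "u1", "email": "alice@example.com", "external_id": "00u1AbCdEf"},
    {"id": "u2", "email": "bob@example.com", "external_id": "00u2GhIjKl"},
]
# Issuer format as written in Step 3: https://<okta-tenant-id>.okta.com
ISSUER_RE = re.compile(r"^https://[a-z0-9-]+\.okta\.com$")

def validate_config(cfg):
    """Return a list of problems; an empty list means the values are usable."""
    errors = []
    if not ISSUER_RE.match(cfg.get("issuer", "")):
        errors.append("issuer must be https://<okta-tenant-id>.okta.com")
    if not cfg.get("client_id") or not cfg.get("client_secret"):
        errors.append("client_id and client_secret are required")
    if cfg.get("token_field") != "sub":
        errors.append("token_field should be 'sub'")
    if cfg.get("token_field_lookup") != "external_id":
        errors.append("token_field_lookup should be 'external_id'")
    return errors

def resolve_user(claims, cfg=CONFIG, directory=DIRECTORY, now=None):
    """Map signature-verified ID-token claims to exactly one directory user.
    Returns (user, None) on success or (None, reason) when the token is rejected."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if claims.get("iss") != cfg["issuer"]:
        return None, "issuer mismatch"              # token from another tenant
    if cfg["client_id"] not in aud:
        return None, "audience mismatch"            # token minted for another app
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    value = claims.get(cfg["token_field"])
    if not value:
        return None, "missing %s claim" % cfg["token_field"]
    matches = [u for u in directory if u.get(cfg["token_field_lookup"]) == value]
    if len(matches) != 1:                           # zero or ambiguous: do not log in
        return None, "lookup matched %d users" % len(matches)
    return matches[0], None
```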

Step 4: Setup Beyond Identity User Portal Application in Okta

  1. Click on Applications > Add Application

  2. In the search window, type Beyond Identity User

  3. Select the app titled Beyond Identity User Portal

  4. Click Add

  5. A pop-up appears with the following information:

    1. General Settings

    2. Application Label: Beyond Identity User Portal

    3. Click Done

  6. In the Assignment tab, click Assign and select Assign to Groups from the drop-down. Click the Assign button for the Beyond Identity group

  7. In the Sign On tab, update the following fields:

    1. Click on Edit for settings

    2. Update the Org ID field with the Organization ID provided by the Beyond Identity team.

    3. Note down the SSO Client ID and Client Secret fields and use them in the next step.

  8. In the Provisioning tab, update the following fields:

    1. Click on Configure API Integration

    2. Then click on Enable API Integration

    3. In the API Token field, paste the API token provided by the Beyond Identity team. Then click on Test API Credentials

    4. After the message “Beyond Identity User Portal was verified Successfully” appears, save the configuration

  9. After setting up SCIM in the step above, make the following changes in the Provisioning tab:

    1. In the Provisioning to App section, click on Edit

    2. For Create Users, Update User Attributes, and Deactivate Users, click on Enable

    3. Save the changes by clicking on Save

  10. Make the following changes in the Provisioning tab (this applies only to Okta Production instances, not to Developer or Preview instances):

    1. In the Integration section, click on Edit

    2. Select Import Groups if it is not enabled by default.

    3. Save the changes by clicking on Save

Arista Configuration for Integration with Okta SSO & BI IdP

L3 Based WLAN Authentication

  1. Log in to Arista CloudVision WiFi

  2. Click on Configure > WiFi > Add SSID

  3. SSID Name: <SSID name> (Comes from customer)

  4. Profile Name: <Profile Name> (Comes from customer)

  5. Select SSID Type: Guest

  6. Click on the Security tab > Select Security Level for Associations > Open

  7. No configuration is needed on the Networks tab for BI

  8. Click Captive Portal and select Cloud Hosted from the drop-down menu

  9. Under Websites that users can access before login, add auth.byndid.com and app.byndid.com as shown below

  10. Under Authentication Plugins and Quality of Service, select the login method for guest WiFi users.

  11. Click Social > Okta

  12. Under Okta Settings, configure the Client ID, Client Secret, and organizational domain.

Setting up test users

User Enrollment

  1. To enroll a user in the Beyond Identity experience, assign the user to the Beyond Identity group:

    1. Click on Directory > Groups

    2. Select Beyond Identity group

    3. Click on Manage People

    4. Click on the + sign next to the user’s name in the column titled Not Members

    5. Click Save

  2. The enrolled user will receive an email from Beyond Identity welcoming them to the new identity provider. See the image below for reference:

  3. Each enrolled user will be asked to follow the two steps below:

    1. Step 1: Download the Beyond Identity Authenticator to their device

      1. When the user clicks View Download Options, the Beyond Identity Authenticator download page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already done so

      2. Once the Authenticator is installed on their device, the user should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device

    2. Step 2: Register their credential in the Beyond Identity IdP

      1. By clicking Step 2 Register New Credential, the user’s credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once completed, the user will see a credential in the Authenticator

      2. See the example image below:



User Authentication (Signing in)

  1. Each enrolled user can visit their Beyond Identity Admin Portal at https://admin.byndid.com

  2. The Okta application or SSO-supported application will ask the user to enter their username and password

  3. Click on the WiFi SSID and experience the Beyond Identity passwordless secure login



User Deprovisioning

  1. To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” group:

    1. Click on Directory > Groups

    2. Select Beyond Identity group

    3. Click on Manage People

    4. Click on the “-” sign next to the user’s name in the column titled Members

    5. Click Save