Integration Guide for Idaptive


Introduction

This guide provides information on how to:

  • Set up Beyond Identity as a passwordless authentication solution for your Idaptive environment.

  • Set up Idaptive to use Beyond Identity as an Identity Provider (IdP) to federate authentication.

  • Set up Idaptive as the source of truth for user identities.

    • Users are created in Idaptive and, as part of application provisioning, SCIM-provisioned to the Beyond Identity tenant.

Prerequisites

Ensure that you have the following:

  1. An Idaptive account with system admin privileges to:

    1. Create/Modify/Delete users in the Idaptive tenant.

    2. Create/Configure the tenant.

    3. Create/Configure OpenID Connect web applications.

    4. Create/Configure a Federation Partner.

Beyond Identity Configuration

Information to provide to the Beyond Identity Field Team:

  • Your company name

  • Your Idaptive tenant URL, e.g., https://<customer_id>.my.idaptive.app/

  • Beyond Identity Admin Portal application credentials (recorded in Step 2.4.2): SSO Client ID and SSO Client Secret

  • Beyond Identity User Portal application credentials (recorded in Step 2.6.2): SSO Client ID and SSO Client Secret. These are entered by the customer directly in the Beyond Identity Admin UI (Step 2.7) rather than sent to the Field Team.

Treat both client secrets as credentials: hand them over only through a secure channel, never in plain e-mail or chat, and regenerate them in Idaptive if they are ever exposed.

  • (Optional) A logo for your corporation

Logo requirements:

  • 300 x 150 pixels or less

  • File size of 10 KB or less

  • File types accepted: SVG, PNG, JPG, or GIF

Information you will receive from the Beyond Identity Field Team:

  • Beyond Identity IdP endpoint URLs:

    • Issuer: https://auth.byndid.com/v2

    • Authorization endpoint: https://auth.byndid.com/v2/authorize

    • Token endpoint: https://auth.byndid.com/v2/token

    • JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json

  • Client ID: from the Beyond Identity Console

  • Client Secret: from the Beyond Identity Console

  • Tenant API Bearer Token for SCIM: from the Beyond Identity SE

  • Beyond Identity Org ID: from the Beyond Identity SE

  • SCIM API endpoints: https://api.byndid.com/scim/v2/Users and https://api.byndid.com/scim/v2/Groups

Idaptive Configuration

The steps below register the Beyond Identity admin and user consoles as OpenID Connect web applications in Idaptive, configure SCIM provisioning from Idaptive to the Beyond Identity tenant, and then set up Beyond Identity as a SAML federation partner so that Idaptive logins can be federated to it.

Step 2.1: Sign in as an administrator to Idaptive tenant

Sign in to your Idaptive tenant with the admin identity and password.

Step 2.2: Create a custom suffix

The login suffix is the part of the login name that follows the @ symbol. For example, if the login name is bob.jones@acme.com, the login suffix is "acme.com".

In admin console navigate to Settings > Customization > Suffix > Add


  1. Create a suffix (e.g. "passwordless.bi"). Whenever a user logs in as username@passwordless.bi, the user is federated to Beyond Identity for the passwordless experience.

  2. The login suffix identifies the federation partner that handles authentication (see section 3.1, Federation Domain). Because only logins carrying this suffix are federated, you can roll out the passwordless solution in phases: start with a few users who log in with this suffix.

Step 2.3: Create roles for BI admin console and BI user console in Idaptive

Applications are assigned to roles and users are added to roles; a user can be a member of many roles. Idaptive provisions users per application.

Create role by navigating to Core Services > Roles and click Add Role.


  1. Create BI_Admins role for BI admin console application.

  2. Create BI_Users role for BI user console application.

  3. Use the Members panel > Add button to add users to the role.


Step 2.4: Setup Beyond Identity Admin Application in Idaptive

Sign in as administrator and navigate to Settings > Web Apps > Add Web Apps.


Choose Custom, then OpenID Connect, and click Add.

2.4.1 Settings panel


  • Application ID: Use all lowercase, beyond_identity_admin_console

  • Under Logo, click Browse to upload the Beyond Identity logo

  • Note down the Application ID

2.4.2 Trust panel


  • IDP configuration

    • Copy the client ID. You need this when setting up admin console SSO in BI (Step 2.5).

    • OpenID Connect client secret: enter a secret value; you can generate your own, and it should be a long random string rather than a memorable password. Copy the client secret; you need it when setting up admin console SSO in BI (Step 2.5).

  • Service Provider configuration

    • Resource application URL: the BI admin console URL, for example https://admin.byndid.com/auth/?org_id=<bi_tenant>, where bi_tenant is your Beyond Identity tenant, for example acme.

  • Click Add under "Authorized redirect URL" and enter exactly

https://admin.byndid.com/auth/callback

2.4.3 Tokens panel

  • Leave the Tokens panel at its defaults, and likewise the Policy, Account Mapping, App Gateway, Linked Applications, Workflow and Secure Web Sessions panels.

2.4.4 Provisioning panel

  • Leave this panel at its defaults. Members of the BI_Admins role can log in with a password to access the BI admin console; what they can do inside the console can additionally be controlled with BI RBAC.

2.4.5 Assign beyond_identity_admin_console application to BI_Admins role

  • Navigate to Core Services > Roles. Click on the BI_Admins role.

  • Use the Assigned Applications panel > click the Add button to assign applications to the role.

  • Assign the beyond_identity_admin_console application.

  • For the BI_Users role, assign beyond_identity_user_console (created in Step 2.6).


Step 2.5: Setup Beyond Identity Admin Console SSO in BI

  1. Provide the Client ID and Client Secret assigned to the admin console application in Step 2.4.2 (Trust panel) to the Beyond Identity SE over a secure channel. The Beyond Identity team will collect and configure these values.

  2. Beyond Identity Field Team: configure the following fields through the Beyond Identity Support Console when updating the Admin Console configuration.

    1. Name: Beyond-Identity-Admin-Console

    2. Client ID: <the value recorded in Step 2.4.2>

    3. Client Secret: <the value recorded in Step 2.4.2>

    4. Issuer: https://<customer_id>.my.idaptive.app/<Application ID noted in Step 2.4.1>/

    5. Token Field: sub

    6. Token Field Lookup: external_id

  3. After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console. Token Field sub with Token Field Lookup external_id means the sub claim of the Idaptive ID token is matched against the user's external_id in the Beyond Identity tenant; the provisioning script in Step 2.6.4 sets external_id to the Idaptive Uuid, so if sign-in fails for a provisioned user, compare the sub claim of the issued ID token with that user's external_id first.


Step 2.6: Setup Beyond Identity User Console Application in Idaptive

Sign in as administrator and navigate to Settings > Web Apps > click Add Web Apps.


Choose Custom, then OpenID Connect, and click Add.

2.6.1 Settings panel


  • Application ID: Use all lowercase, beyond_identity_user_console

  • Under Logo, click Browse to upload the Beyond Identity logo

  • Note down the Application ID

2.6.2 Trust panel


  • IDP configuration

    • Copy the client ID. You need this when setting up user console SSO in BI (Step 2.7).

    • OpenID Connect client secret: enter a secret value; you can generate your own, and it should be a long random string rather than a memorable password. Copy the client secret; you need it when setting up user console SSO in BI (Step 2.7).

  • Service Provider configuration

    • Resource application URL: the BI user console URL for your tenant, where bi_tenant is your Beyond Identity tenant, for example acme.

  • Click Add under "Authorized redirect URL" and enter exactly

https://user.byndid.com/auth-user/callback

2.6.3 Tokens panel

  • Leave the Tokens panel at its defaults, and likewise the Policy, Account Mapping, App Gateway, Linked Applications, Workflow and Secure Web Sessions panels.

2.6.4 Provisioning panel

This panel is used to configure the Beyond Identity SCIM endpoint URL and the Beyond Identity tenant API token as the bearer token.


  • Check Enable provisioning for this application

    • Select Live Mode

  • SCIM service url: https://api.byndid.com/scim

  • Authorization Type:

    • Select Authorization header

    • Header type: Bearer Token

    • Bearer Token: get this token from the BI SME. It is a tenant-wide API credential that can create, modify and deactivate users in your Beyond Identity tenant, so paste it only into this panel and do not keep copies elsewhere.

Click Verify. Idaptive connects to the SCIM endpoint and reads its configuration to populate the sync and deprovisioning options; if verification fails, check the token and the service URL before continuing.

  • Role Mappings: click Add and add the BI_Users role with Bi_Users as the destination group. The Bi_Users group will be created in the Beyond Identity tenant.


  • Expand the Provisioning script and add the script below. It maps Idaptive user and group objects to the SCIM attributes Beyond Identity expects. Note that externalId is set to the Idaptive Uuid: this is the value matched by Token Field Lookup external_id in Steps 2.5 and 2.7, and the value sent as UserPrincipalname in the SAML federation (section 4), so do not change it.

    if (source.Classification == 'User') {
      // Split "Given Family" into name parts; a one-word display name yields the same value for both.
      var nameBits = source.DisplayName.split(' ');

      destination.active = source.Status;
      // externalId must be the Idaptive Uuid: SSO token lookup and SAML federation key on it.
      destination.externalId = source.Uuid;
      destination.userName = source.Email;
      destination.displayName = source.DisplayName;
      destination.name = {
        'familyName': nameBits[nameBits.length - 1],
        'givenName': nameBits[0]
      };
      destination.emails = [{
        'type': 'work',
        'value': source.Email
      }];
    }

    if (source.Classification == 'Group') {
      // Group name comes from the mapped source property; members from the role membership.
      var propArr = getSourcePropertyByName('name');
      if (propArr && propArr.Length) {
        destination.displayName = propArr[0];
      }
      destination.members = GetMemberList();
      // destination.id = '';
    }

  • On-demand application provisioning can be triggered by navigating to Settings > Users > Other > Outbound Provisioning. Under Provisioning enabled applications, choose All enabled applications or a specific application, then click the Start Sync button.

  • You can also schedule a daily synchronization for all enabled applications by specifying a start sync time.


2.6.5 Assign beyond_identity_user_console application to BI_Users role

  • Navigate to Core Services > Roles. Click on BI_Users role

  • Use Assigned Applications panel > Click the Add button to assign applications to the role.

  • Assign the beyond_identity_user_console application.


Step 2.7: Setup Beyond Identity User Console SSO in BI

  1. Once logged into the Beyond Identity Admin UI, click on Settings > SSO > User Console SSO Integration and click on Edit.

  2. Configure the following fields for User Console SSO Integration.

    1. Name: Beyond-Identity-User-Console

    2. Client ID: <the value recorded in Step 2.6.2>

    3. Client Secret: <the value recorded in Step 2.6.2>

    4. Issuer: https://<customer_id>.my.idaptive.app/<Application ID noted in Step 2.6.1>/

    5. Token Field: sub

    6. Token Field Lookup: external_id

  3. Click on Save Changes. As in Step 2.5, the sub claim of the Idaptive ID token is matched against the external_id that SCIM provisioning (Step 2.6.4) set to the Idaptive Uuid, so a user signing in here must already have been provisioned through the BI_Users role mapping.
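The following is an added example, not Beyond Identity's or Idaptive's own code: a stand-alone Python port of the provisioning script from Step 2.6.4, used to preview the SCIM 2.0 User and Group resources Idaptive will send, together with a model of the Token Field sub / Token Field Lookup external_id rule from Steps 2.5 and 2.7. The Idaptive source records and ID-token claims are constructed sample data, the Status attribute is assumed to be a boolean, and the real script's getSourcePropertyByName and GetMemberList helpers are replaced by reads from the constructed group record.

```python
# Added example (not Beyond Identity's or Idaptive's own code): Python port of
# the Idaptive provisioning script plus a model of the ID-token lookup rule.
# All records and claims below are constructed sample data.
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed Idaptive source records, shaped like the attributes the
# provisioning script reads (Classification, DisplayName, Status, Uuid, Email).
SAMPLE_USER = {
    "Classification": "User",
    "DisplayName": "Bob Jones",
    "Status": True,  # assumed boolean; coerce if your tenant exposes a string
    "Uuid": "9f1c2d3e-4b5a-6978-8c9d-0a1b2c3d4e5f",
    "Email": "bob.jones@acme.com",
}
SAMPLE_GROUP = {"Classification": "Group", "name": "Bi_Users",
                "members": [SAMPLE_USER]}


def split_name(display_name):
    """Mirror `source.DisplayName.split(' ')`: first token is givenName, last
    is familyName. A one-word name gives the same value for both, and an empty
    name gives empty strings instead of raising."""
    bits = display_name.split(" ") if display_name else [""]
    return bits[0], bits[-1]


def map_user(source):
    """Port of the `Classification == 'User'` branch: the SCIM User resource
    Idaptive would send to https://api.byndid.com/scim/v2/Users."""
    if source.get("Classification") != "User":
        raise ValueError("not a User record")
    given, family = split_name(source["DisplayName"])
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "active": bool(source["Status"]),  # SCIM 'active' is a boolean
        "externalId": source["Uuid"],      # the value the SSO lookup matches on
        "userName": source["Email"],
        "displayName": source["DisplayName"],
        "name": {"familyName": family, "givenName": given},
        "emails": [{"type": "work", "value": source["Email"]}],
    }


def map_group(source):
    """Port of the `Classification == 'Group'` branch. The real script calls
    getSourcePropertyByName('name') and GetMemberList(); here both come from the
    constructed record, and members are referenced by externalId for illustration."""
    if source.get("Classification") != "Group":
        raise ValueError("not a Group record")
    return {
        "schemas": [SCIM_GROUP_SCHEMA],
        "displayName": source["name"],
        "members": [{"value": m["Uuid"]} for m in source["members"]],
    }


def resolve_sso_user(id_token_claims, tenant_users, token_field="sub",
                     lookup_field="externalId"):
    """Model of Token Field / Token Field Lookup: read `token_field` from the
    Idaptive ID token and find exactly one tenant user whose `lookup_field`
    (external_id in the BI UI, externalId in SCIM) equals it. No match or an
    ambiguous match returns None: never guess which tenant user a token is for."""
    wanted = id_token_claims.get(token_field)
    if not wanted:
        return None
    hits = [u for u in tenant_users if u.get(lookup_field) == wanted]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    tenant = [map_user(SAMPLE_USER)]
    print(json.dumps(tenant[0], indent=2))
    print(json.dumps(map_group(SAMPLE_GROUP), indent=2))
    # A sub equal to the Idaptive Uuid resolves; a sub carrying the e-mail
    # address does not, which is the usual misconfiguration to look for.
    print(resolve_sso_user({"sub": SAMPLE_USER["Uuid"]}, tenant)["userName"])
    print(resolve_sso_user({"sub": SAMPLE_USER["Email"]}, tenant))
```

Run it to see the exact JSON that the script's assignments produce; the last two lines illustrate why the issued ID token's sub claim and the tenant user's external_id must carry the same Idaptive Uuid for the console SSO to resolve a user.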

3. Configuring Beyond Identity as the IDP federation partner in Idaptive

In Idaptive, Business Partner Federation establishes a trust relationship between the Service Provider (SP, here Idaptive) and the Identity Provider (IDP, here Beyond Identity) using SAML 2.0 assertions.

To add a partner, navigate to Settings > Users > Partner Management and click on Add.


Set up the partner with the following configuration

3.1 Settings panel

  • Partner Name: e.g. Beyond Identity

  • Federation Type: SAML 2.0

  • Federation Domain: suffix created earlier, e.g., “passwordless.bi”

  • Click Save

3.2 Group Mappings panel

  • Leave as default

3.3 Outbound Metadata panel

Click Option 2: Download Service Provider Metadata. Give this file to the BI SME; it is also the file uploaded to the Beyond Identity SAML connection in section 4.


Click Save

3.4 Inbound Metadata panel

Skip this panel for now. The file it needs is the Beyond Identity IdP metadata downloaded at the end of section 4; after that download, return here and choose Option 2: Upload IDP configuration from a file.


3.5 Authentication panel

  • Map federated user to existing directory user: Required. The federated login must resolve to a user that already exists in the directory; logins that do not map are rejected rather than creating a new account.

  • Federated user mapping attribute: userprincipalname. This must be the attribute name sent by the Beyond Identity SAML connection in section 4 (UserPrincipalname, whose value is the user's ExternalId).

  • Directory user mapping attribute: Uuid. SCIM provisioning (Step 2.6.4) set the ExternalId to the Idaptive Uuid, which is what makes this mapping resolve.

  • Preferred Directory Service: CyberArk Cloud Directory


4. Setup Beyond Identity Console for User Authentication

  1. Once logged into the Beyond Identity Admin Console UI, click on the Integrations tab and then click on SAML Connections.

  2. Click on Add SAML Connection and update the fields as follows:

    1. Name: Beyond Identity IDP

    2. Click Upload XML and upload the Service Provider metadata file downloaded in Step 3.3

    3. Optional Attributes: Name: UserPrincipalname, Name format: unspecified, Value: ExternalId

    4. Optional Attributes: Name: EmailAddress, Name format: unspecified, Value: Email

    5. Optional Attributes: Name: DisplayName, Name format: unspecified, Value: UserName

    6. Click on Save Changes

The UserPrincipalname attribute carries the user's ExternalId, which is the Idaptive Uuid set by SCIM provisioning; Step 3.5 maps exactly this attribute to the directory Uuid, so the attribute name must match on both sides.

  3. In the BI Admin Console, navigate to Integrations > SAML Connections > Beyond Identity IdP and click the Download Metadata button. This IdP metadata file is what the Inbound Metadata panel in Step 3.4 needs.

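The following is an added example, not Beyond Identity's or Idaptive's own code: a Python model of the federation path described in sections 2.2, 3.1, 3.5 and 4. The login suffix selects the federation partner, the partner's SAML assertion carries UserPrincipalname = ExternalId, and Idaptive maps that value to an existing directory user by Uuid. Only the attribute-mapping step is modelled; signature validation of the assertion is done by the real Idaptive SP and is out of scope here. The assertion XML, partner table and directory are constructed sample data, and the issuer URL inside the assertion is a placeholder.

```python
# Added example (not Beyond Identity's or Idaptive's own code): model of suffix
# routing, SAML attribute extraction and the "map to existing directory user"
# rule. Sample assertion, partners and directory are constructed data.
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Section 3.1: federation domain (login suffix) -> partner name.
PARTNERS = {"passwordless.bi": "Beyond Identity"}

# Constructed CyberArk Cloud Directory keyed by Uuid (section 3.5 mapping target).
DIRECTORY = {
    "9f1c2d3e-4b5a-6978-8c9d-0a1b2c3d4e5f": {
        "Email": "bob.jones@acme.com", "DisplayName": "Bob Jones"},
}


def select_partner(login_name, partners=PARTNERS):
    """Section 2.2: the suffix after '@' decides whether the login is federated.
    Returns the partner name, or None for a local (non-federated) login."""
    if "@" not in login_name:
        return None
    suffix = login_name.rsplit("@", 1)[1].lower()
    return partners.get(suffix)


def sample_assertion(upn, email, display_name):
    """Build a constructed, unsigned assertion carrying the three optional
    attributes from section 4 (UserPrincipalname=ExternalId, EmailAddress,
    DisplayName). The Issuer value is a placeholder, not a Beyond Identity URL."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}" NameFormat="{UNSPECIFIED}">'
                f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
                "</saml:Attribute>")
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Version="2.0" ID="_constructed">'
        "<saml:Issuer>https://idp.example.invalid/placeholder</saml:Issuer>"
        "<saml:AttributeStatement>"
        + attr("UserPrincipalname", upn)
        + attr("EmailAddress", email)
        + attr("DisplayName", display_name)
        + "</saml:AttributeStatement></saml:Assertion>"
    )


def extract_attributes(assertion_xml):
    """Return {Name: first AttributeValue} for each attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        v = a.find("saml:AttributeValue", SAML_NS)
        out[a.get("Name")] = (v.text or "") if v is not None else ""
    return out


def map_federated_user(assertion_xml, directory=DIRECTORY,
                       federated_attr="UserPrincipalname"):
    """Section 3.5 with 'Map federated user to existing directory user: Required':
    look the federated attribute up against the directory Uuid. An assertion
    whose UPN is not a known Uuid yields None, i.e. no just-in-time account."""
    key = extract_attributes(assertion_xml).get(federated_attr)
    return directory.get(key) if key else None


if __name__ == "__main__":
    print(select_partner("bob.jones@passwordless.bi"))   # federated
    print(select_partner("bob.jones@acme.com"))          # local login
    good = sample_assertion("9f1c2d3e-4b5a-6978-8c9d-0a1b2c3d4e5f",
                            "bob.jones@acme.com", "Bob Jones")
    print(map_federated_user(good))
    # A partner that put the e-mail address in UserPrincipalname instead of
    # the ExternalId never maps, which is the failure the Uuid mapping catches.
    bad = sample_assertion("bob.jones@acme.com", "bob.jones@acme.com", "Bob Jones")
    print(map_federated_user(bad))
```

The second assertion shows the symptom of a wrong Value on the section 4 attribute: the assertion is well-formed, but with the Required mapping it resolves to no directory user and the federated login fails instead of silently creating a new account.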

5. Setting Beyond Identity as MFA

Idaptive currently supports only a restricted list of MFA providers and does not support integrating custom third-party MFA providers, so Beyond Identity cannot be configured as an MFA factor in Idaptive; the federation in sections 3 and 4 is the integration path.

6. Setting up test users

6.1 User Enrollment

6.1.1 To enroll a user in the Beyond Identity experience

  • Create a user using the Idaptive admin console.

  • Add the user to the BI_Users role to assign the BI user console, or to the BI_Admins role to assign the BI admin console.

  • Application provisioning (Step 2.6.4) provisions the user to the BI tenant.

  • Provisioned users receive an enrollment mail from BI.

6.1.2 Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider (see the image below for reference).


6.1.3 Each enrolled user will be asked to follow the two steps below:

  1. Step 1: Download the Beyond Identity Authenticator to their device.

    1. When the user clicks View Download Options, the Beyond Identity Authenticator downloads page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.

    2. Once the Authenticator is installed, the user proceeds to Step 2, because there is not yet a user credential associated with the Authenticator on that device.

  2. Step 2: Register their credential in the Beyond Identity IdP.

    1. When the user clicks Step 2, Register New Credential, the user's credential is enrolled in the Beyond Identity service on the back end. On the front end, the user is taken to the Beyond Identity Authenticator, where they can see the progress of the credential registration. Once it completes, the user sees the credential in the Authenticator.

    2. See the example image below:


6.2 User Authentication (Signing in)

  • Sign in to Idaptive with the federated login suffix, e.g. username@passwordless.bi. This triggers the passwordless experience with the BI Authenticator and then shows the Idaptive user portal listing the applications assigned to the user.


6.3 User Deprovisioning

To deprovision a user from the Beyond Identity experience, remove the user from the appropriate role in Idaptive; the next provisioning sync applies the deprovisioning option selected in Step 2.6.4 to the Beyond Identity tenant.