Troubleshooting Windows Desktop Login with Biometric/PIN


Introduction

This guide provides information on how to:

  • Set up Beyond Identity to provision users from Okta SSO.

  • Set up MIST Cloud for direct integration with Beyond Identity SSO/IdP as the first factor. (L3 Authentication)

  • Set up MIST Cloud for direct integration with Beyond Identity SSO/IdP as the second factor. (L2 Authentication with dot1x + L3 passwordless authentication with Beyond Identity)

Prerequisites

Ensure that you have the following:

  1. An Okta account with “Super” or “Organization” admin privileges to:

  2. A MIST Cloud super user or Network admin account.

Okta Configuration for Provisioning Users in Beyond Identity

Step 1: Add Beyond Identity User Group

  1. Click on Directory-> Group

  2. Click on Add Group

  3. Select fields as shown in the following image:

    1. Name: Beyond Identity

    2. Description: Beyond Identity Users Group

  4. Click Add Group.

Step 2: Set up the Beyond Identity Admin Application in Okta

  1. Click on Applications -> Add Application

  2. In the Search window, type Beyond Identity Admin

  3. Select the app with the title Beyond Identity Admin Portal.

  4. Click Add.

  5. In the General Settings, update the following fields:

    1. Application Label: “Beyond Identity Admin Portal”

    2. Click Done.

  6. In the Assignment tab, assign “Admins” to this application.

  7. In the Sign On tab, update the following fields:

    1. Click on Edit for settings.

    2. Update the Org ID field with the Organization ID provided by the Beyond Identity team.

    3. Note down the SSO Client ID and Client Secret fields and provide them to the Beyond Identity team.

Step 3: Set up Admin Portal Access

  1. Provide the “Client ID” and “Client Secret” assigned to the Admin UI application in Okta to the Beyond Identity SE. The Beyond Identity team will collect and configure these values.

  2. Beyond Identity Field Team: configure the following fields through the Beyond Identity Support Console while updating the Admin Console configuration.

    1. Name: Okta OIDC Integration

    2. Client ID: <Use the value recorded in the previous step>

    3. Client Secret: <Use the value recorded in the previous step>

    4. Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL)

    5. Token Field: sub

    6. Token Field Lookup: external_id

  3. After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console.

Step 4: Set up the Beyond Identity User Portal Application in Okta

  1. Click on Applications -> Add Application

  2. In the Search window, type “Beyond Identity User”

  3. Select the app with the title “Beyond Identity User Portal”.

  4. Click Add.

  5. You will now see a pop-up with the following information:

    1. General Settings

    2. Application Label: Beyond Identity User Portal

    3. Click Done.

  6. In the Assignment tab, click on “Assign” and select “Assign to Groups” from the drop-down. Click on the “Assign” button for the “Beyond Identity” group.

  7. In the Sign On tab, update the following fields:

    1. Click on Edit for settings.

    2. Update the Org ID field with the Organization ID provided by the Beyond Identity team.

    3. Note down the SSO Client ID and Client Secret fields and use them in the next step.

  8. In the Provisioning tab, update the following fields:

    1. Click on Configure API Integration.

    2. Then click on Enable API Integration.

    3. In the API token field, paste the API token provided by the Beyond Identity team. Then click on Test API Credentials.

    4. After the message “Beyond Identity User Portal was verified Successfully” appears, save the configuration.

  9. After setting up SCIM in the step above, make the following changes in the Provisioning tab:

    1. In the Provisioning to App section, click on Edit.

    2. For Create Users, Update User Attributes and Deactivate Users, click on Enable.

    3. Save the changes by clicking on Save.

  10. Make the following changes in the Provisioning tab. (This is only applicable to Okta Production instances and not to Developer or Preview instances.)

    1. In the Integration section, click on Edit.

    2. Select Import Groups if it is not enabled by default.

    3. Save the changes by clicking on Save.

MIST Configuration for Direct Integration with BI SSO/IdP

Step 1: SAML configuration on the BI Admin Console:

  1. Log in to the BI Admin console

  2. Click on Integrations > SAML > Add SAML Connection

  3. Name: <SSID name> (comes from the customer)

  4. SP Single Sign On URL: www.test.com (placeholder; updated in STEP 3)

  5. SP Audience URI: www.test.com (placeholder; updated in STEP 3)

  6. Name ID format: emailAddress

  7. Subject User Attribute: UserName

  8. Signed Response: SIGNED

  9. Save changes.

  10. Note down the IdP Single Sign-On URL and IdP Issuer URL.

  11. Download the IdP Signature Certificate and save it to your local machine.

STEP 2: Configuring WLAN on the MIST Dashboard

  1. Log in to https://manage.mist.com using network admin privileges.

  2. Go to Network > WLAN > Add WLAN

  3. Enter the network name provided by the customer as the SSID, e.g. Beyond Identity.

  4. In the Security section, select Open access.

  5. In the Guest Portal, select SSO with Identity Provider (sample configuration below):

    1. In the Issuer field, paste the IdP Issuer copied from STEP 1.

      (https://auth.byndid.com/saml/v0/<IdPid>/sso/metadata.xml)

    2. Name ID Format: Email

    3. Signing Algorithm: SHA256

    4. Certificate: Paste the contents of the certificate downloaded in STEP 1.

    5. SSO URL: Paste the IdP SSO URL from STEP 1.

      (https://auth.byndid.com/saml/v0/b36a4852-925b-45fa-be11-a813b3e4e00c/sso)

    6. Devices remain authorized for: (Network Admin defined)

    7. Check After authorization redirect to URL and enter the URL defined by the customer, e.g. https://www.beyondidentity.com

    8. Allowed hostnames: .byndid.com (begins with a dot)

    9. Leave Portal SSO URL empty. (This is filled in after the WLAN is created.)

    10. Uncheck the Bypass guest/external portal in case of exception checkbox.

    11. Click Create.

  6. Once the WLAN is created, Mist cloud generates a Portal SSO URL entry. Click on the newly created WLAN and copy the Portal SSO URL from the Guest Portal section. (e.g. https://portal.mist.com/saml/4848442e-136d-4333-bb69-2e20fb1e6826/login)

STEP 3: Update the BI SAML configuration

  1. Log in to the BI Admin console

  2. Click on Integrations > SAML > <SAML Integration created in STEP 1>

  3. Click on Edit.

  4. Update the SP Single Sign On URL with the Portal SSO URL copied after the WLAN was created in STEP 2.

  5. Update the SP Audience URI with the same Portal SSO URL.

  6. Click on Save.
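The following Python script, added here as an example and not part of the original guide, parses an IdP SAML metadata document of the kind referenced in STEP 2 and checks the values entered in the Mist guest portal (STEP 2) and the SP fields written back in STEP 3 against it. The metadata, IdP id and certificate are constructed placeholders, and the Portal SSO URL pattern is assumed from the example URL in this guide.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# CONSTRUCTED stand-in for the IdP metadata document named in STEP 2; "EXAMPLE-IDP-ID" is a
# placeholder and the certificate ("QUJD", base64 of "ABC") is not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso/metadata.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the entityID (issuer), SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "cert_b64": re.sub(r"\s+", "", cert.text)}

def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes; accepts PEM (as pasted into Mist) or bare base64."""
    b64 = re.sub(r"-----[A-Z ]+-----|\s+", "", cert_text)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def check_saml_config(meta, cfg):
    """Check Mist guest-portal (STEP 2) and BI SP (STEP 3) fields against the metadata; returns problems."""
    problems = []
    if cfg["issuer"] != meta["issuer"]:
        problems.append("Issuer must equal the metadata entityID")
    if cfg["sso_url"] != meta["sso_url"]:
        problems.append("SSO URL must equal the metadata SingleSignOnService Location")
    if cert_fingerprint(cfg["certificate"]) != cert_fingerprint(meta["cert_b64"]):
        problems.append("Certificate is not the IdP signing certificate from the metadata")
    if not cfg["allowed_hostname"].startswith("."):
        problems.append("Allowed hostname must begin with a dot")
    if cfg["sp_sso_url"] != cfg["sp_audience_uri"]:
        problems.append("SP Single Sign On URL and SP Audience URI must both be the Portal SSO URL")
    # Pattern assumed from the example Portal SSO URL in this guide.
    if not re.fullmatch(r"https://portal\.mist\.com/saml/[0-9a-f-]+/login", cfg["sp_sso_url"]):
        problems.append("SP URLs still hold the www.test.com placeholder or a non-Mist URL")
    return problems
```

An empty list from check_saml_config means the issuer, SSO URL, certificate and SP URLs are mutually consistent; each problem string names the field to fix.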


MIST Configuration for Setting BI SSO/IdP as a Second Factor (1st factor dot1x) (L2 + L3 Authentication)

Step 1: SAML configuration on the BI Admin Console:

  1. Log in to the BI Admin console

  2. Click on Integrations > SAML > Add SAML Connection

  3. Name: <SSID name> (comes from the customer)

  4. SP Single Sign On URL: www.test.com (placeholder; updated in STEP 3)

  5. SP Audience URI: www.test.com (placeholder; updated in STEP 3)

  6. Name ID format: emailAddress

  7. Subject User Attribute: UserName

  8. Signed Response: SIGNED

  9. Save changes.

  10. Note down the IdP Single Sign-On URL and IdP Issuer URL.

  11. Download the IdP Signature Certificate and save it to your local machine.

STEP 2: Configuring WLAN on the MIST Dashboard

  1. Log in to https://manage.mist.com using network admin privileges.

  2. Go to Network > WLAN > Add WLAN

  3. Enter the network name provided by the customer as the SSID, e.g. Beyond Identity.

  4. In the Security section, select WPA-2/EAP (802.1x).

  5. Go to RADIUS Authentication Servers and click Add Server:

    1. Add the RADIUS server IP/hostname.

    2. Make sure the shared secret is the same as the one configured on the RADIUS server side.

  6. In the Guest Portal, select SSO with Identity Provider (sample configuration below):

    1. In the Issuer field, paste the IdP Issuer copied from STEP 1.

      (https://auth.byndid.com/saml/v0/<IdPid>/sso/metadata.xml)

    2. Name ID Format: Email

    3. Signing Algorithm: SHA256

    4. Certificate: Paste the contents of the certificate downloaded in STEP 1.

    5. SSO URL: Paste the IdP SSO URL from STEP 1.

      (https://auth.byndid.com/saml/v0/b36a4852-925b-45fa-be11-a813b3e4e00c/sso)

    6. Devices remain authorized for: (Network Admin defined)

    7. Check After authorization redirect to URL and enter the URL defined by the customer, e.g. https://www.beyondidentity.com

    8. Allowed hostnames: .byndid.com (begins with a dot)

    9. Leave Portal SSO URL empty. (This is filled in after the WLAN is created.)

    10. Uncheck the Bypass guest/external portal in case of exception checkbox.

    11. Click Create.

  7. Once the WLAN is created, Mist cloud generates a Portal SSO URL entry. Click on the newly created WLAN and copy the Portal SSO URL from the Guest Portal section. (e.g. https://portal.mist.com/saml/4848442e-136d-4333-bb69-2e20fb1e6826/login)

STEP 3: Update the BI SAML configuration

  1. Log in to the BI Admin console

  2. Click on Integrations > SAML > <SAML Integration created in STEP 1>

  3. Click on Edit.

  4. Update the SP Single Sign On URL with the Portal SSO URL copied after the WLAN was created in STEP 2.

  5. Update the SP Audience URI with the same Portal SSO URL.

  6. Click on Save.


Setting up test users

User Enrollment

  1. To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” group.

    1. Click on Directory -> Groups

    2. Select Beyond Identity group.

    3. Click on Manage People.

    4. Click on “+” sign next to user’s name in column titled “Not Members”.

    5. Click Save.

  2. The enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider.

    See image below for reference:

  3. Each enrolled user will be asked to follow the two steps below:

    1. Step 1: Download the Beyond Identity Authenticator to their device.

      1. When the user clicks View Download Options, the Beyond Identity Authenticator download page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already done so.

      2. Now that the user has the Authenticator installed on their device, they should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.

    2. Step 2: Register their credential in the Beyond Identity IdP.

      1. By clicking on Step 2 “Register New Credential”, the user’s credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once completed, the user will see a credential in the Authenticator.

      2. See example image below:

User Authentication (Signing in)

  1. Each enrolled user can visit their Beyond Identity Admin Portal at https://admin.byndid.com

  2. The Okta application or SSO-supported application will ask the user to enter their username/password.

  3. Connect to the WiFi SSID and experience the Beyond Identity passwordless secure login.

User Deprovisioning

To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” group.

  1. Click on Directory > Groups

  2. Select Beyond Identity group.

  3. Click on Manage People.

  4. Click on “-” sign next to user’s name in column titled Members.

  5. Click Save.