Introduction
This guide provides information on how to:
Set up Beyond Identity as a passwordless authentication solution for your OneLogin environment.
Set up OneLogin to use Beyond Identity as an Identity Provider.
Prerequisites
Ensure that you have the following:
A OneLogin workforce SKU Advanced or Pro bundle. This SKU is required for setting up provisioning and configuring the BI Authenticator as an authentication factor.
A OneLogin account with “Superadmin” privileges.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
Your Company Name | |
Your OneLogin Instance URL e.g. https://[your-domain].onelogin.com | |
Beyond Identity Admin Console Application credentials SSO Client Id SSO Client Secret | |
Beyond Identity User Console Application credentials SSO Client Id SSO Client Secret | This will be updated by the customer directly using the Beyond Identity Admin Console. |
(Optional) A logo for your corporation Logo requirements: 300 x 150 pixels or less File size of 10kb or less File types accepted: SVG, PNG, JPG, or GIF |
Information you will receive from the Beyond Identity Field Team
Beyond Identity IdP endpoint URLs: Issuer Authorization endpoint Token endpoint Userinfo endpoint | https://auth.byndid.com/v2/authorize |
Client ID | [From Beyond Identity Console] |
Client Secret | [From Beyond Identity Console] |
SCIM API Bearer Token | [From Beyond Identity SE] |
Beyond Identity Org ID | [From Beyond Identity SE] |
SCIM API endpoint |
OneLogin Configuration
To configure Beyond Identity as the IdP in OneLogin, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Step 3: Setup Beyond Identity Admin Console Application in OneLogin
Click on Applications -> Applications -> Add Application
In Search window type “Beyond Identity Admin Console”
Select App with title “Beyond Identity Admin Console”.
Click Save.
In the “Configuration” section, update following fields
Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
Redirect URI’s: https://admin.byndid.com/auth/callback
In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.
Step 4: Setup Admin Console Access
Provide “Client ID” and “Client Secret” assigned to Admin Console Application in OneLogin to Beyond Identity SE. The Beyond Identity team will collect and populate those values using BI admin console
After these values are provisioned, login and confirm that admin has access to Beyond Identity Admin Console.
Step 5: Setup Beyond Identity User Console Application in OneLogin
Click on Applications -> Add Application
In Search window type “Beyond Identity User Console”
Select App with title “Beyond Identity User Console”.
Click Save.
In the “Configuration” section, update following fields
Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
Redirect URI’s: https://user.byndid.com/auth-user/callback
API Connection > API Status > Enabled
SCIM Bearer Token: <Provided_by_Beyond_Identity>
In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.
In the “Provisioning” section, select “Enable provisioning”
Step 6: Setup Beyond Identity User Portal Authentication
Once logged into Beyond Identity Admin Console, click on Settings.
Click on SSO tab in User Console SSO Integration > Add OIDC SSO
Update Name, Client Id, Client Secret (from the previous step) and Issuer.
Enter issuer as “https://[your_domain].onelogin.com/oidc/2”
Enter Token Field as sub and select Token Field Lookup as external_id.
Click Save Changes
Step 7: Setup Beyond Identity for User Authentication:
Once logged into Beyond Identity Admin Console, click on the Integrations tab and then click on OIDC Clients.
Click on Add OIDC Client and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.
Enter https://[your_domain].onelogin.com/access/idp as the Redirect URIs
Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.
Step 8: Configure Beyond Identity as the Identity Provider
In the main OneLogin menu, select “Authentication”.
In the “Authentication” drop-down, select “Trusted IdPs”.
On the “Trusted IdPs” page, click “New Trust”.
Enter the following information:
Name: Beyond Identity
Scroll down and select Protocol: OAUTH
Enable Trusted IDP [enable this only after selecting the Protocol OAUTH]
Enable Show in Login panel
Login icon:
https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png
Issuer: https://auth.byndid.com/v2
Enable “Sign users into OneLogin”
Enable “Sign users into additional applications”
Enable “Send Subject Name ID or Login Hint in Auth Request”
User Attribute Mapping: Email
Authentication Endpoint: https://auth.byndid.com/v2/authorize
Token Endpoint Auth Method: POST
Token endpoint: https://auth.byndid.com/v2/token
User Information Endpoint: https://auth.byndid.com/v2/userinfo
Scopes: opened email
Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
Client Secret: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
Click “Save”
Step 9: Set up Routing Rules
Set up the IdP as the default Trusted IdP by selecting the IdP and clicking on More Actions.
Otherwise, click on individual users, and select the IdP under the Authentication tab.
Step 10: Set up BI as the Trusted IDP for specific groups
BI as the trusted IDP can be assigned at the user level or based on a mapping condition. The mapping condition can be based on any user attribute, for example department, role, or group, etc. The example below shows creating a mapping based on a condition “department=testing”. If the condition matches, the group, and user trusted IDP is set.
Login to onelogin admin console as administrator. Navigate to Users > Groups. Click on New Group.
Enter “bi-trusted-idp” as the name and click Save.
Navigate to Users > Mapping. Click on New Mapping.
Enter “bi-trusted-idp” as the name of the mapping. In the conditions drop-down, choose “department”. In the middle drop-down, choose “equals”. Enter “testing” in the text box under “Conditions”.
Under “Actions”, Choose “Set group” in the first drop-down and choose “bi-trusted-idp” in the second drop-down. Click on the 
Step 11: Create a Role
Create a Role “Beyond Identity” and add the 2 applications “Beyond Identity Admin Console” and “Beyond Identity User Console” to it.
Click on Users > Roles > New Role
Name it “Beyond Identity”
Click on the 2 apps listed under “Select Apps to Add”
Click on Save
Setting BI as an onelogin authentication factor [to be used as MFA] - Optional
Step 1: Setup Beyond Identity OIDC client for onelogin MFA:
Once logged into Beyond Identity Admin Console, click on the Integrations tab and then click on OIDC Clients.
Click on Add OIDC Client and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.
Enter https://nopwd.onelogin.com/mfa/v1/idp/auth_callback as the Redirect URIs
Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.
Step 2: Configure Beyond Identity as the Identity Provider
In the main OneLogin menu, select “Authentication”.
In the “Authentication” drop-down, select “Trusted IdPs”.
On the “Trusted IdPs” page, click “New Trust”.
Enter the following information:
Name: Beyond Identity
Scroll down and select Protocol: OAUTH.
Enable “Trusted IDP” [enable this only after selecting the Protocol OAUTH]
Issuer: https://auth.byndid.com/v2
Enable “Sign users into OneLogin”
Enable “Sign users into additional applications”
Enable “Send Subject Name ID or Login Hint in Auth Request”
User Attribute Value: {tidp.sub}
User Attribute Mapping: Username
Authentication Endpoint: https://auth.byndid.com/v2/authorize
Token Endpoint Auth Method: POST
Token endpoint: https://auth.byndid.com/v2/token
User Information Endpoint: https://auth.byndid.com/v2/userinfo
Scopes: openid
Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
Client Secret: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
Click Save
Step 3: Create BI as an authentication factor in onelogin
Login to Onelogin admin console as administrator.
Navigate to Security > Authentication Factors
Click on New Auth Factor
In the Select a Strong Authentication Factor screen, click on Trusted Idp as a Factor
In the “Add Trusted IdP as Factor” screen, enter a description for user description and choose the trusted IDP created in step 1 above.
Click on Save
Step 4: Create onelogin security policy with MFA factor set to BI trusted IDP
Login to onelogin admin console as administrator.
Navigate to Security > Policies.
Click on New User Policy
Enter “bi-second-factor” as the name of the policy. In “Login Flow” blade, choose Standard
In the “MFA” blade, select OTP Auth required and Trusted IDP as factor and others as shown below.
Under “Enforcement settings”, choose All users for “OTP required for” and At every login for “OTP required at”.
Click on Save
Step 4: Create onelogin mapping to map security policy with MFA factor to a group
The security policy can be assigned at the user level or a group level. Group level assignment is recommended.
Login to Onelogin admin console as administrator.
Navigate to Users > Groups.
Click on New Group
Enter a name for the group, for example bi-second-factor. Under Security policy drop down choose bi-second-factor. Click Save
Members of the “bi-second-factor” group when logging in will be challenged for username/password as the first factor and BI Trusted IdP as the second factor.
Setting up test users
User Enrollment
To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Role.
Click on Users
Select a user
Click on Applications
Click on Beyond Identity role to select it.
Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
See image below for reference:
Each enrolled user will be asked to follow the two steps below:
Step 1: Download the Beyond Identity Authenticator to their device.
When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
Step 2: Register their Credential in the Beyond Identity IdP.
By clicking on Step 2 Register New Credential, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator.
See example image below:
User Authentication (Signing in)
Each enrolled user can visit their OneLogin instance, or any application supported by your SSO to sign into their corporate applications.
The OneLogin application or SSO-supported application will ask the user to click on the “Beyond Identity” icon (sign in with Beyond Identity).
Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
To deprovision a user from the Beyond Identity experience, remove user from the “Beyond Identity” Role.
Click on Users
Select a user
Click on Applications
Click on Beyond Identity role to deselect it.