Introduction
This guide provides information on how to:
Set up Beyond Identity as a trusted IDP for your OptimalIDM environment.
Set up the Beyond Identity Admin Console as a service provider in OptimalIDM.
Set up SCIM user provisioning of members of a specific group in Optimal IDM.
Prerequisites
Ensure that you have the following:
An OptimalIDM cloud instance on the Gold plan.
An OptimalIDM account with “Superadmin” privileges.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
| Item | Value |
|---|---|
| Your Company Name | |
| Your OptimalIDM Instance URL, e.g. https://[your-domain].theoptimalcloud.com | |
| Beyond Identity Admin Console Application credentials: SSO Client ID, SSO Client Secret | |
| Beyond Identity User Console Application credentials: SSO Client ID, SSO Client Secret | This will be updated by the customer directly using the Beyond Identity Admin Console. |
| (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF | |
Information you will receive from the Beyond Identity Field Team:
| Item | Value |
|---|---|
| Beyond Identity IdP endpoint URLs: Issuer, Authorization endpoint, Token endpoint, Userinfo endpoint | https://auth.byndid.com/v2/authorize |
| Client ID | [From Beyond Identity Console] |
| Client Secret | [From Beyond Identity Console] |
| SCIM API Bearer Token | [From Beyond Identity SE] |
| Beyond Identity Org ID | [From Beyond Identity SE] |
| SCIM API endpoint | https://api.byndid.com/scim/v2/ (see Step 6.3) |
OptimalIDM Configuration
Step 1: Setup Beyond Identity as a SAML IDP
This requires the following, in order:
Setup SAML connection in BI
Setup SAML IDP in OptimalIDM
Setup Authentication Policy in OptimalIDM to use SAML IDP
Step 1.1: Setup SAML connection in BI
Access the BI admin console as a superadmin. Navigate to Integrations > SAML. Click Add SAML Connection.
In the Add SAML Connection screen:
Type in a Name, for example Beyond Identity IdP
Type https://[your_tenant_id].theoptimalcloud.com/v5.0/saml2/ as the SP Single Sign On URL
Type https://[your_tenant_id].theoptimalcloud.com/v5.0 as the SP Audience URI
Type Email as the Subject User Attribute
Choose HTTP POST as the Request Binding
Click Save Changes
Copy the IdP ID shown on the next screen. The metadata URL used to configure the SAML IdP in OptimalIDM (Step 1.2) is https://auth.byndid.com/saml/v0/IDP_ID/sso/metadata.xml, where IDP_ID is the value you just copied.
Step 1.2: Setup SAML IDP in OptimalIDM
Log in to your OptimalIDM tenant as a tenant admin. Click the Identity Providers tab.
In Identity Providers screen, click Create Identity Provider
In New Federated Identity Provider Wizard screen, under Step 1, select Create from Metadata URL and click Next
In New Federated Identity Provider Wizard screen, under Step 2
Type in an Identity Provider Name for example “Beyond Identity”
Type in an Identity Provider Contact
Select SAML2 as the protocol
Click Next
In New Federated Identity Provider Wizard screen, under Step 3
Type in the metadata URL obtained at the end of Step 1.1
Click Create IdP
This completes the setup of BI as the SAML IdP.
Note down the Identifier/URN of the IdP. It is used in the authentication policy (Step 1.3).
Step 1.3: Setup Authentication Policy in OptimalIDM to use SAML IDP
Log in to your OptimalIDM tenant as a tenant admin. Click the Administration tab.
Click Authentication Rule Manager.
In Authentication Rule Manager screen, click Create Authentication Rule
In Authentication Rule Details screen
Select Enabled
Type in a Rule Name and description
Choose Identity Provider in Redirect Type drop down
Type in the IdP URN noted at the end of Step 1.2
Click Add Condition
In Add Conditions to Rule screen, select the condition and click Add Condition
In the next screen, click Save
When users who match the condition log in to the OptimalIDM tenant, they are redirected to the BI SAML IdP.
Step 2: Setup Beyond Identity Admin Console Application in OptimalIDM
Log in to your OptimalIDM tenant as a tenant admin. Click the Administration tab and then the Service Providers tab.
In the New Federated Application Wizard, in Step 1, choose Create from Template and click Next
In Step 2 of the New Federated Application Wizard, check Add Portal Application. Enter an Application Name and an Application Contact. Choose OAuth2/OpenID Connect and click Next
In Step 3 of the New Federated Application Wizard, in the Search Template box, type OIDC Template. From the search results, choose General OIDC Template and click Create App
In service provider details screen, under General tab
Check Enabled
Choose OAUTH2/OIDC for protocol
Enter an Application Name and a Contact Info
In URN/Identifier, type in a value for the client ID, for example “beyond-optimalidm-bi-admin-console”. This value is the client ID that is entered in the BI admin console when setting up BI admin console OIDC SSO (Step 3)
In service provider details screen, under Endpoints tab
Enter https://admin.byndid.com/auth/callback as Signin Endpoint URL
Leave the other values to default
In service provider details screen, under OAUTH2/OpenIDConnect tab
Click Generate Client Secret
Note down the client secret value. It is required, together with the client ID, when setting up BI admin console SSO in the BI admin console (Step 3)
Click Save Changes
Step 3: Setup Admin Console Access
Provide the client ID (the URN/Identifier) and the client secret assigned to the Admin Console application in Step 2 to the Beyond Identity SE. The Beyond Identity team will collect and populate those values using the BI admin console.
After these values are provisioned, log in and confirm that the admin has access to the Beyond Identity Admin Console.
Step 4: Setup Beyond Identity User Console Application in OptimalIDM
Repeat the steps outlined in Step 2: Setup Beyond Identity Admin Console Application in OptimalIDM, with the following changes:
In the service provider details screen, under the Endpoints tab, enter https://user.byndid.com/auth-user/?org_id=BI_TENANT_ID as the Signin Endpoint URL (replace BI_TENANT_ID with your Beyond Identity Org ID)
Note down the client ID and client secret; they are used in Step 5
Step 5: Setup Beyond Identity User Portal Authentication
Once logged into Beyond Identity Admin Console, click on Settings
Click on SSO tab > User Console SSO Integration > Add OIDC SSO
Update Name, Client Id, Client Secret (from Step 4)
Enter issuer as “https://[your_tenant].theoptimalcloud.com/v5.0”
Enter sub as the Token Field and select external_id as the Token Field Lookup.
Click Save Changes
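Step 5 wires three things together: the issuer string (which must match the `iss` claim exactly, so the value entered must not carry a trailing slash), the client ID from Step 4 (which must appear in `aud`), and the mapping of the ID token's `sub` claim onto the user's external_id. The following is an added example, not Beyond Identity code, showing those checks and that lookup on decoded claims. It assumes the token signature has already been verified against the issuer's keys (found via the discovery URL derived below) and works only on the claims; the issuer, client ID, claims and directory records are constructed placeholders, and it assumes the external_id on the BI side equals the identifier the OptimalIDM ID token carries in `sub`.

```python
"""Validate OIDC ID token claims against the Step 5 settings and resolve the
user through the sub -> external_id mapping.

Added example; not Beyond Identity or OptimalIDM code. Signature verification
is assumed to have happened already; only decoded claims are handled here.
ISSUER, CLIENT_ID, DIRECTORY and SAMPLE_CLAIMS are constructed placeholders.
"""
import time


def discovery_url(issuer):
    """OIDC Discovery location derived from the issuer entered in Step 5."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_id_token_claims(claims, issuer, client_id, now=None, leeway=60):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    # iss must equal the configured issuer byte for byte (no trailing-slash tolerance).
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("audience does not include this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("token expired or has no exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat - leeway > now:
        problems.append("iat missing or in the future")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


def resolve_user(claims, directory, token_field="sub", lookup_field="external_id"):
    """Step 5 mapping: the token_field value is matched against lookup_field of
    each directory record. Exactly one match is required; anything else fails closed."""
    value = claims.get(token_field)
    if value is None:
        raise LookupError("ID token has no %s claim" % token_field)
    matches = [u for u in directory if u.get(lookup_field) == value]
    if len(matches) != 1:
        raise LookupError("expected exactly one user with %s=%r, found %d"
                          % (lookup_field, value, len(matches)))
    return matches[0]


# Constructed placeholders (hypothetical tenant, client ID and users).
ISSUER = "https://example-tenant.theoptimalcloud.com/v5.0"
CLIENT_ID = "beyond-optimalidm-bi-user-console"
DIRECTORY = [
    {"external_id": "f3c2a1", "email": "jdoe@example.com"},
    {"external_id": "9b77e0", "email": "asmith@example.com"},
]
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "f3c2a1",
                 "iat": 1_700_000_000, "exp": 1_700_000_600}

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("problems:", validate_id_token_claims(SAMPLE_CLAIMS, ISSUER, CLIENT_ID,
                                                now=1_700_000_100) or "none")
    print("user:", resolve_user(SAMPLE_CLAIMS, DIRECTORY)["email"])
```

The lookup deliberately fails when zero or more than one record matches: a duplicated external_id would otherwise let one directory identity sign in as another, which is the failure mode the external_id mapping has to guard against.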
Step 6: Set up SCIM in OptimalIDM to BI Tenant
The SCIM setup provisions the members of a specific group, for example BI_users, into the BI tenant.
The steps required, in order, are:
Create a condition of type MEMBER_OF that checks whether the user is a member of the BI_users group
Create an authorization rule and associate the condition created in the previous step
Create a provisioning destination and associate the authorization rule created in the previous step
Step 6.1: Create MEMBER_OF condition
Log in to your OptimalIDM tenant as a tenant admin. Click Condition Manager.
In the Condition Manager screen, click Create Condition
In the Condition Details screen
Type in a name and description for the condition
Choose MEMBER_OF_GRP in the Condition Type drop-down
Choose Equals in the Condition Check drop-down
Type BI_users in the Group(s) text box
Click Save Changes
Step 6.2: Create Authorization Rule
Log in to your OptimalIDM tenant as a tenant admin. Click Authorization Rule Manager.
In the Authorization Rule Manager screen, click Create Authorization Rule
In Authorization Rule Details screen
Type in a Rule name and description
Leave other fields with the defaults
Click Add Condition
In Add Conditions to Rule – Condition Search screen
Select the condition created in Step 6.1
Click Close
In next screen, click Save
Step 6.3: Create provisioning destination
Log in to your OptimalIDM tenant as a tenant admin. Click Provisioning Manager.
Click Create Provisioning Destination in Provisioning Manager screen
Click Beyond Identity in New Provisioning Destination screen
In Provisioning Details screen, under Provisioning Configuration tab
Type the tenant API token (the SCIM API Bearer Token provided by the Beyond Identity SE) into the apikey field
Type in https://api.byndid.com/scim/v2/ as the scim_endpoint
In Provisioning Details screen, under User Provisioning tab
Check Provisioning Enabled
Check Deprovisioning Enabled
Uncheck Password Syncs Enabled
Check Provisioning Suspended Users
Choose Disable in the Deprovisioning Type drop-down
Choose the authorization rule created in step 6.2 in Authorization Rule drop down
Click Save Changes
Step 6.4: Verify SCIM
Create a user in OptimalIDM using User Manager
Create BI_users group in OptimalIDM using Group Manager
Add the user as a member of BI_users group using Group Manager
Verify in the BI tenant that the user has been provisioned via SCIM
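The pieces configured in Steps 6.1 to 6.3 form one pipeline: the MEMBER_OF_GRP condition gates the authorization rule, the rule gates the provisioning destination, and the destination sends SCIM 2.0 requests to the scim_endpoint with the apikey as a bearer token; Step 6.4 then checks the result on the BI side. The following added example, which is not OptimalIDM's connector code or Beyond Identity's API implementation, models that pipeline so the request shapes can be inspected offline. It makes no network calls; the directory records, the token and the ListResponse standing in for the tenant's reply are all constructed, and the user attributes it maps (userName as email, name, emails, active) are a common SCIM core User mapping assumed here rather than one the page specifies.

```python
"""Model the Step 6 provisioning flow (condition -> authorization rule ->
provisioning destination -> SCIM 2.0 requests) and the Step 6.4 check.

Added example; not OptimalIDM or Beyond Identity code. No network calls:
scim_request() only builds the request. DIRECTORY, the token and
SAMPLE_LIST_RESPONSE are constructed. Attribute mapping is assumed.
"""
import json

SCIM_ENDPOINT = "https://api.byndid.com/scim/v2/"   # scim_endpoint from Step 6.3
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed directory records, as User/Group Manager might hold them.
DIRECTORY = [
    {"id": "f3c2a1", "email": "jdoe@example.com", "given": "Jane", "family": "Doe",
     "groups": ["BI_users", "staff"], "suspended": False},
    {"id": "9b77e0", "email": "asmith@example.com", "given": "Al", "family": "Smith",
     "groups": ["staff"], "suspended": False},
    {"id": "c4d5e6", "email": "lee@example.com", "given": "Lee", "family": "Ng",
     "groups": ["BI_users"], "suspended": True},
]


def member_of_group(user, group):
    """MEMBER_OF_GRP / Equals condition from Step 6.1 (exact group-name match)."""
    return group in user["groups"]


def authorized_for_destination(user, group="BI_users"):
    """Authorization rule from Step 6.2: the destination runs only when the condition holds."""
    return member_of_group(user, group)


def users_to_provision(directory, group="BI_users"):
    """Users the provisioning destination (Step 6.3) would push."""
    return [u for u in directory if authorized_for_destination(u, group)]


def scim_user_payload(user):
    """SCIM core User. externalId carries the OptimalIDM identifier so the
    account can be matched on the BI side. 'Provisioning Suspended Users' is
    checked in Step 6.3, so a suspended member is still pushed, with active=false."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": user["id"],
        "userName": user["email"],
        "name": {"givenName": user["given"], "familyName": user["family"]},
        "emails": [{"value": user["email"], "primary": True}],
        "active": not user["suspended"],
    }


def deprovision_patch():
    """Deprovisioning Type = Disable (Step 6.3): deactivate rather than DELETE."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def scim_request(method, path, token, body=None):
    """Build (method, url, headers, body) for one call from the destination."""
    url = SCIM_ENDPOINT.rstrip("/") + "/" + path.lstrip("/")
    headers = {"Authorization": "Bearer " + token,       # apikey from Step 6.3
               "Content-Type": "application/scim+json",
               "Accept": "application/scim+json"}
    return method, url, headers, None if body is None else json.dumps(body)


def find_provisioned_user(list_response, external_id):
    """Step 6.4 check: locate the user in a GET /Users?filter=externalId eq "..." reply."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    for res in list_response.get("Resources", []):
        if res.get("externalId") == external_id:
            return res
    return None


# Constructed reply standing in for the BI tenant's answer in Step 6.4.
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_SCHEMA], "totalResults": 1, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"id": "bi-0001", "externalId": "f3c2a1",
                   "userName": "jdoe@example.com", "active": True}],
}

if __name__ == "__main__":
    for u in users_to_provision(DIRECTORY):
        m, url, hdrs, body = scim_request("POST", "Users", "TOKEN_PLACEHOLDER", scim_user_payload(u))
        print(m, url, body)
    print(json.dumps(deprovision_patch()))
    print(find_provisioned_user(SAMPLE_LIST_RESPONSE, "f3c2a1"))
```

Two points the model makes visible: asmith is never sent because the authorization rule fails, and lee is sent with `active: false` because Provisioning Suspended Users is checked; removing lee from BI_users afterwards would produce the `deprovision_patch` body rather than a DELETE, which is what Deprovisioning Type = Disable means. The bearer token is the only credential in the flow, so it belongs in the apikey field and not in logs of the built requests.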