Introduction
This section provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Okta environment.
- Set up Okta to use Beyond Identity as an Identity Provider.
Before you begin
This section enumerates some items you should be aware of before configuring Okta as an SSO provider with Beyond Identity.
- As soon as you configure routing rules in Okta (with or without Beyond Identity as IdP), the user login experience will change. Users will be asked for a login ID/username first and then, based on the routing rules, they will be prompted for a password or sent through additional IdP options such as Beyond Identity.
- Okta recommends this as the best practice to avoid password spraying attacks. Your tenant may already be set up to ask for the username first and then the password, in which case your users are accustomed to this behavior. If your tenant is not set up this way, inform your users of the change in login experience before proceeding.
Prerequisites
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges to:
- Add/edit attributes and their mappings in Directory > Profile Editor.
- Add/edit Identity Providers in Security > Identity Providers.
- Add/edit routing rules in Security > Identity Providers -> Routing Rules.
- Add/edit Event Hooks in Workflow > Event Hooks (Optional).
- “OpenID Connect IdP” enabled for the account
- Contact Okta to open a support ticket to enable “OpenID Connect IdP”. For a template of the ticket to create with Okta, see Appendix B.
- Ensure the “Routing Rules” tab is available on the Security->Identity Providers page. If the “Routing Rules” tab is missing, contact Okta to open a support ticket to enable “Routing Rules” on the Identity Provider page.
Beyond Identity Configuration
Information you will need:
- Your Company Name
- Your Okta Instance URL, e.g. https://[your-domain].okta.com
- (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10kb or less; file types accepted: SVG, PNG, JPG, or GIF.
Information you will receive from the Beyond Identity Field Team:
- Beyond Identity IdP endpoint URLs: Issuer, Authorization endpoint (https://auth.byndid.com/v2/authorize), Token endpoint, JWKS endpoint
- SCIM / Event Hook API Bearer Token: [From Beyond Identity SE]
- Beyond Identity Org ID: [From Beyond Identity SE]
- Event Hook API endpoint: https://api.byndid.com/okta_events
- SCIM API endpoint: [From Beyond Identity SE]
NOTE! The endpoints are different for the US vs. EU.
For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
Okta Configuration
To configure Beyond Identity as the IdP in Okta, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Step 1: Create Custom Attribute for Beyond Identity
The image below is an example of an administrator view in Okta and illustrates the actions listed below to navigate to the Profile Editor:
- Sign into the Okta portal as an administrator.
- Once signed in, select “Classic UI” from the drop-down menu on the left side of the top-most bar.
- In the main Okta menu, select “Directory”.
- In the “Directory” drop-down menu, select “Profile Editor”.
- Find your “Okta” profile and select the “Edit Profile” action.
- Under the user profile editor, you will see an action to “Add Attribute”.
- Click on “Add Attribute”.
- Select fields as shown in the following image:
- Data Type: Boolean
- Display Name: Beyond Identity Registration Status
- Variable Name: byndidRegistered
- Description: Beyond Identity Registration Status
- Click Save. See image below for reference:
- If you have multiple profile masters (applicable to AD-mastered users), perform the following steps.
- Click on the edit button for the “byndidRegistered” attribute in the Okta profile.
- For the “Master Priority” field, select “Inherit from Okta” from the pull-down menu.
- Click on Save Attribute. See image below for reference:
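When the same attribute has to be created in several Okta orgs (sandbox, preview, production), scripting Step 1 against Okta's User Schema API is less error-prone than repeating it in the Profile Editor. The example below is added here and is not Beyond Identity's or Okta's own tooling; it builds the request body for the `byndidRegistered` Boolean attribute with the values from Step 1, authenticates with an Okta API token (Appendix A) using Okta's `SSWS` scheme, and only creates the attribute when it is missing. The `OfflineOkta` stand-in is a constructed replacement for `urlopen` so the flow runs without a tenant; the `SELF: READ_ONLY` permission is an assumed policy choice so that end users cannot flip their own routing flag.

```python
import json
import urllib.request

# Okta's default user schema endpoint (Okta User Schema API); the token is an Okta API
# token as created in Appendix A, sent with Okta's "SSWS" scheme.
SCHEMA_PATH = "/api/v1/meta/schemas/user/default"


def custom_attribute_payload(variable_name="byndidRegistered",
                             display_name="Beyond Identity Registration Status",
                             description="Beyond Identity Registration Status"):
    """Request body that adds the Step 1 Boolean attribute to the custom profile definition."""
    return {
        "definitions": {
            "custom": {
                "id": "#custom",
                "type": "object",
                "properties": {
                    variable_name: {
                        "title": display_name,
                        "description": description,
                        "type": "boolean",
                        "required": False,
                        # The flag drives the Step 11 routing rule, so end users must not be
                        # able to edit it themselves (assumed policy: read-only for SELF).
                        "permissions": [{"principal": "SELF", "action": "READ_ONLY"}],
                    }
                },
                "required": [],
            }
        }
    }


def schema_request(okta_domain, api_token, payload=None):
    """GET (payload None) or POST the default user schema, authenticated with an Okta API token."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(f"https://{okta_domain}{SCHEMA_PATH}", data=data,
                                 method="GET" if payload is None else "POST")
    req.add_header("Authorization", f"SSWS {api_token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def attribute_exists(schema, variable_name="byndidRegistered"):
    """True if the schema document already carries the custom attribute."""
    props = schema.get("definitions", {}).get("custom", {}).get("properties") or {}
    return variable_name in props


def ensure_attribute(okta_domain, api_token, opener=urllib.request.urlopen):
    """Idempotent setup: create the attribute only when it is missing. Returns True if created."""
    with opener(schema_request(okta_domain, api_token)) as resp:
        schema = json.load(resp)
    if attribute_exists(schema):
        return False
    with opener(schema_request(okta_domain, api_token, custom_attribute_payload())) as resp:
        resp.read()
    return True


class _Resp:
    """Minimal response object with the read()/context-manager surface json.load needs."""
    def __init__(self, body):
        self.body = body
    def read(self):
        return self.body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class OfflineOkta:
    """Constructed stand-in for urlopen: serves a fake schema and records POSTed updates."""
    def __init__(self, existing_props=()):
        self.schema = {"definitions": {"custom": {"properties": {p: {} for p in existing_props}}}}
        self.posts = []

    def __call__(self, req):
        if req.get_method() == "POST":
            payload = json.loads(req.data)
            self.posts.append(payload)
            self.schema["definitions"]["custom"]["properties"].update(
                payload["definitions"]["custom"]["properties"])
            return _Resp(b"{}")
        return _Resp(json.dumps(self.schema).encode())


if __name__ == "__main__":
    tenant = OfflineOkta()
    print("created:", ensure_attribute("example.okta.com", "<okta-api-token>", opener=tenant))
    print("created again:", ensure_attribute("example.okta.com", "<okta-api-token>", opener=tenant))
```

Replace `OfflineOkta()` with the default `urlopen` and a real Okta domain and API token to run it against a tenant; the GET before the POST is what makes re-running the script safe.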
Step 2: Add Beyond Identity User Group
- Click on Directory-> Groups
- Click on “Add Group”
- Select fields as shown in the following image:
- Name: “Beyond Identity”
- Description: “Beyond Identity Users Group”
- Click “Add Group”.
Step 3: Setup Beyond Identity User Portal Application in Okta
- Click on Applications -> Add Application
- In Search window type “Beyond Identity User”
- Select App with title “Beyond Identity User Portal”.
- Click Add.
- Now you will see a pop-up with the following information.
- General Settings
- Application Label: “Beyond Identity User Portal”
- Click Done.
- In the Assignment tab, click on “Assign” and select “Assign to Groups” from the drop-down. Click on the “Assign” button for the “Beyond Identity” group.
- In the “Sign On” tab update the following fields.
- Click on “Edit” for settings.
- Update Org ID field with Organization Id provided by Beyond Identity team.
- Note down SSO “Client ID” and “Client Secret” field and use it in the next step.
- In the “Provisioning” tab update the following fields.
- Click on “Configure API Integration”.
- Then click on “Enable API Integration”.
- In the API token field paste the API token provided by the Beyond Identity team.
- Select “Import Groups” if it is not enabled by default. (This is only available in Okta Production instances and not in Developer or Preview instances.)
- Then click on “Test API Credentials”.
- After the message “Beyond Identity User Portal was verified Successfully” appears, save the configuration.
- After setting up SCIM in the above step, make the following changes in the “Provisioning” tab.
- In the “Provisioning to App” section, click on Edit.
- For the “Create Users”, “Update User Attributes” and “Deactivate Users” click on Enable.
- Save the changes by clicking on “Save”.
- Make the following changes in the “Provisioning” tab. (This is only applicable to Okta Production instances and not to Developer or Preview instances.)
- In the “Integration” section, click on Edit.
- Select “Import Groups” if it is not enabled by default.
- Save the changes by clicking on “Save”.
- To sync groups with Beyond Identity:
- Click on the Push Groups tab.
- Click the Push Groups drop-down menu.
- To define which groups are synced with Beyond Identity:
- Select Find groups by name: searches for specific groups to push.
Step 4: Setup User Portal Access in Beyond Identity
- Once logged into Beyond Identity Admin UI, click on Settings -> Console Login-> User Console SSO Integrations and click on Add OIDC SSO.
- Configure the following fields for User Console SSO Integrations.
- Name: Okta OIDC SSO
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (provided by the customer as the Login URL; do not add a trailing slash after the issuer URL)
- Token Field: sub
- Token Field Lookup: external id
- Scopes (optional): select all, or alternatively select profile and email
- Click on Save Changes.
Step 5: Setup Beyond Identity Admin Application in Okta
- Click on Applications -> Add Application
- In Search window type “Beyond Identity Admin”
- Select App with title “Beyond Identity Admin Portal”.
- Click Add.
- In the “General Settings” update the following fields
- Application Label: “Beyond Identity Admin Portal”
- Click Done.
- In the Assignment Tab Assign “Admins” to this Application.
- In the “Sign On” tab update the following fields.
- Click on “Edit” for settings.
- Update Org ID field with Organization Id provided by Beyond Identity team.
- Note down SSO “Client ID” and “Client Secret” fields. You will be using them in follow up steps.
Step 6: Setup Admin Portal Access in Beyond Identity
- Login to Beyond Identity Admin Console and click on Settings.
- Once logged into Beyond Identity Admin UI, click on Settings -> Console Login-> Admin Console SSO Integrations and click on Add OIDC SSO.
- Configure the following fields for Admin Console SSO Integrations.
- Name: Admin Console SSO - Okta
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (provided by the customer as the Login URL; do not add a trailing slash after the issuer URL)
- Token Field: sub
- Token Field Lookup: external id
- Scopes (optional): select all, or alternatively select profile and email
- A user must also be assigned an Admin role to be able to access the Beyond Identity Admin Console.
- To assign a role to a user, navigate to Settings -> Console Access Control and click on a predefined admin role (in this case we are selecting “Super Administrators”).
- Once the role has been selected, click on “Assign Access role to users” and type in the name of the user that requires admin access.
- Select “Assign users to role” to promote the user to Admin.
- Alternatively, you can assign user groups to Admin roles.
- To assign a role to a user group, navigate to Settings -> Console Access Control and click on one of the predefined admin roles.
- Once the role has been selected, click on the “Groups” tab.
- Click on “Assign Access role to Groups” and type in the name of the group, or select from the dropdown the group that requires admin access.
- Once selected, click on “Assign groups to role” to save the changes.
- After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console through Okta SSO.
Step 7: Setup IDP in Beyond Identity:
- Once logged into Beyond Identity Admin UI, click on the “Integrations” tab and then click on OIDC Clients.
- Click on “Add OIDC Client” and fill in the Name and Redirect URI fields; leave the default values for Token Signing Algorithm and Auth Method as shown below.
- Name: Okta SSO
- Redirect URIs: https://<okta-tenant-name>.okta.com/oauth2/v1/authorize/callback (also add any additional URIs, separated by commas, if the customer has a custom login page)
- Token Signing Algorithm: RS256
- Auth Method: Client_secret_post
- Click on the newly created OIDC Client configuration and write down the Client ID and Client Secret values. You will be using these values in the next step.
- On the “Integrations” tab, click on “API Extensions” and then click on Install for “Okta Registration Attribute”.
- Fill in the Okta Domain and Okta API Token for your tenant. Also, update “Okta Registration Attribute” with the default value of “byndidRegistered” or the value chosen by your organization in Step 1. Click on “Save Changes”.
Step 8: Configure Beyond Identity as the IdP in OKTA
The image below is an example of an administrator view in Okta and illustrates the actions listed below to navigate to the Identity Providers section:
- In the main Okta menu, select “Security”.
- In the “Security” drop-down, select “Identity Providers”.
- In the “Identity Providers” tab, click “Add Identity Provider”.
- Select “Add OpenID Connect IdP”.
- Note: This option will not be available in Okta until the ticket mentioned in the Introduction, Prerequisites section is resolved.
- Select fields as seen in reference images below:
- Name: Beyond Identity
- Client id: (Paste the Client id copied from Beyond Identity Admin Console in the previous step.)
- Client Secret: (Paste the Client Secret copied from Beyond Identity Admin Console in the previous step.)
- Scopes: openid (Remove any additional scopes.)
- Issuer: https://auth.byndid.com/v2
- Authorization endpoint: https://auth.byndid.com/v2/authorize
- Token endpoint: https://auth.byndid.com/v2/token
- JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json
- NOTE! The endpoints are different for the US vs. EU. For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
- Click on “Show Advanced Settings”.
- Set the IdP Username field to “idpuser.externalId”.
- Set the Match Against field to “Okta Username”.
- Leave Account Link Policy and Auto-Link Restrictions with the default options.
- Set the “If no match is found” field to “Redirect to Okta Sign-in Page”.
- See images below for reference:
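Most failures of this integration come from values typed into the forms above: a trailing slash on an issuer (the warning in Steps 4 and 6), a token or JWKS endpoint copied from the wrong region, or extra scopes left in the Step 8 form. The checker below is an added example, not Beyond Identity's or Okta's own tooling; it takes the Step 8 form values (as a dict whose keys are assumed names for the form fields, with scopes given as a list) and the Steps 4/6 issuer, and reports every deviation from what this page prescribes. The US and EU host names are the ones stated on this page; the assumption that one org uses a single region for all four endpoints is what the cross-host check enforces.

```python
from urllib.parse import urlparse

# Beyond Identity authentication hosts named on this page, one per service region.
BI_AUTH_HOSTS = {"us": "auth.byndid.com", "eu": "auth-eu.byndid.com"}


def check_issuer(issuer):
    """Checks shared by every issuer value on this page (Steps 4, 6 and 8)."""
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append(f"issuer must use https: {issuer!r}")
    if issuer.endswith("/"):
        problems.append(f"issuer must not end with a trailing slash: {issuer!r}")
    return problems


def check_console_sso_issuer(issuer):
    """Issuer for Steps 4 and 6: the bare Okta org URL with nothing after the host."""
    problems = check_issuer(issuer)
    parts = urlparse(issuer)
    if parts.path.strip("/") or parts.query or parts.fragment:
        problems.append(f"issuer should be just the org URL (https://<okta-tenant-id>.okta.com): {issuer!r}")
    return problems


def check_bi_idp_settings(s):
    """Step 8 form values. Keys (assumed names): issuer, authorization_endpoint, token_endpoint,
    jwks_endpoint, scopes (list), idp_username, match_against, if_no_match."""
    problems = check_issuer(s["issuer"])
    issuer = s["issuer"].rstrip("/")
    issuer_host = urlparse(issuer).hostname
    if issuer_host not in BI_AUTH_HOSTS.values():
        problems.append(f"issuer host {issuer_host!r} is not a Beyond Identity auth host "
                        f"(US: {BI_AUTH_HOSTS['us']}, EU: {BI_AUTH_HOSTS['eu']})")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_endpoint"):
        url = s[field]
        host = urlparse(url).hostname
        if host != issuer_host:
            # The page's NOTE: every endpoint must come from the same region as the issuer.
            problems.append(f"{field} host {host!r} differs from issuer host {issuer_host!r}: "
                            "US and EU endpoints mixed?")
        elif not url.startswith(issuer + "/"):
            problems.append(f"{field} is not under the issuer: {url!r}")
    if set(s["scopes"]) != {"openid"}:
        problems.append(f"scopes must be exactly ['openid'], got {sorted(s['scopes'])}")
    expected = {"idp_username": "idpuser.externalId",
                "match_against": "Okta Username",
                "if_no_match": "Redirect to Okta Sign-in Page"}
    for key, want in expected.items():
        if s.get(key) != want:
            problems.append(f"{key} should be {want!r}, got {s.get(key)!r}")
    return problems


# The US values exactly as Step 8 lists them.
STEP8_US = {
    "issuer": "https://auth.byndid.com/v2",
    "authorization_endpoint": "https://auth.byndid.com/v2/authorize",
    "token_endpoint": "https://auth.byndid.com/v2/token",
    "jwks_endpoint": "https://auth.byndid.com/v2/.well-known/jwks.json",
    "scopes": ["openid"],
    "idp_username": "idpuser.externalId",
    "match_against": "Okta Username",
    "if_no_match": "Redirect to Okta Sign-in Page",
}

if __name__ == "__main__":
    # Constructed mistakes: trailing slash, EU token endpoint in a US config, extra scope.
    wrong = dict(STEP8_US, issuer="https://auth.byndid.com/v2/",
                 token_endpoint="https://auth-eu.byndid.com/v2/token",
                 scopes=["openid", "profile"])
    for p in check_bi_idp_settings(wrong):
        print("Step 8:", p)
    for p in check_console_sso_issuer("https://example.okta.com/"):
        print("Step 4/6:", p)
```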
Step 9: Set up Event Hooks in Okta (Optional)
The Event Hooks configuration is only required if you do not have SCIM capability enabled for your Okta tenant due to licensing restrictions.
- In Okta Admin Portal, Click on Workflow ->Event Hooks
- Select “Create Event Hook”
- Update fields as seen in reference images below:
- Name: Beyond Identity Provisioning flow
- URL: https://api.byndid.com/okta_events
- NOTE! The endpoints are different for the US vs. EU. For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
- Authentication field: Authorization
- Authentication Secret: Enter “Bearer ” and then paste the Bearer token provided by the Beyond Identity team (the token must be prefixed with “Bearer ”)
- Subscribe to events: “User Added to Group”, “User Removed from Group”, “User suspended” and “User unsuspended”.
- Click “Save & Continue”.
- You will see a new form titled “Verify Endpoint Ownership”. Click on “Verify”.
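The endpoint configured in Step 9 is Beyond Identity's service, so its internals are not on this page; what is worth seeing is what any Okta event hook receiver has to do with the requests the steps above generate. The code below is an added, hypothetical receiver (not Beyond Identity's code): it checks the `Authorization` header value from the Authentication Secret field in constant time, answers the one-time “Verify Endpoint Ownership” request by echoing Okta's verification challenge, and then reduces a delivery to the events that matter for the “Beyond Identity” group named in Step 10. The challenge header name `X-Okta-Verification-Challenge`, the `{"verification": ...}` reply shape and the `eventType` identifiers behind the four subscriptions are my understanding of Okta's event hook contract; `SAMPLE_DELIVERY` is a constructed payload, not a capture.

```python
import hmac
import json

# Okta eventType identifiers behind the four subscriptions in Step 9 (assumed mapping of the
# display names in the Okta UI to the values Okta puts in the delivered payload).
SUBSCRIBED_EVENTS = {
    "group.user_membership.add": "User added to group",
    "group.user_membership.remove": "User removed from group",
    "user.lifecycle.suspend": "User suspended",
    "user.lifecycle.unsuspend": "User unsuspended",
}


def authorized(headers, expected_header_value):
    """Constant-time comparison of the Authorization header Okta sends with the configured secret."""
    supplied = headers.get("authorization", "")
    return hmac.compare_digest(supplied.encode(), expected_header_value.encode())


def relevant_events(payload, group_name):
    """(eventType, user login) pairs for subscribed events; group events filtered to group_name."""
    out = []
    for ev in payload.get("data", {}).get("events", []):
        kind = ev.get("eventType")
        if kind not in SUBSCRIBED_EVENTS:
            continue
        targets = ev.get("target") or []
        users = [t.get("alternateId") for t in targets if t.get("type") == "User"]
        groups = [t.get("displayName") for t in targets if t.get("type") == "UserGroup"]
        if kind.startswith("group.") and group_name not in groups:
            continue  # membership change in some other group: not an enrollment signal
        out.append((kind, users[0] if users else None))
    return out


def handle_request(method, headers, body, expected_header_value, group_name="Beyond Identity"):
    """Return (HTTP status, JSON-serialisable response) for one request from Okta."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not authorized(headers, expected_header_value):
        return 401, {"error": "authorization header mismatch"}
    if method == "GET":
        # One-time endpoint ownership verification: Okta expects its challenge echoed back.
        challenge = headers.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing x-okta-verification-challenge"}
        return 200, {"verification": challenge}
    if method == "POST":
        try:
            payload = json.loads(body)
        except ValueError:
            return 400, {"error": "body is not JSON"}
        events = relevant_events(payload, group_name)
        return 200, {"accepted": [{"event": k, "user": u} for k, u in events]}
    return 405, {"error": f"method {method} not allowed"}


# Constructed sample delivery shaped like an Okta event hook payload (not a real capture).
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "group.user_membership.add",
         "target": [{"type": "User", "alternateId": "alice@example.com"},
                    {"type": "UserGroup", "displayName": "Beyond Identity"}]},
        {"eventType": "group.user_membership.add",
         "target": [{"type": "User", "alternateId": "bob@example.com"},
                    {"type": "UserGroup", "displayName": "Finance"}]},
        {"eventType": "user.lifecycle.suspend",
         "target": [{"type": "User", "alternateId": "carol@example.com"}]},
    ]},
})

if __name__ == "__main__":
    secret = "Bearer <token-from-beyond-identity>"  # placeholder, as typed into Step 9
    print(handle_request("GET", {"Authorization": secret,
                                 "X-Okta-Verification-Challenge": "abc123"}, "", secret))
    print(handle_request("POST", {"Authorization": secret}, SAMPLE_DELIVERY, secret))
```

The authorization check runs before the verification branch because Okta sends the configured header on the verification request as well; a receiver that answers challenges unauthenticated lets anyone register it as the target of their own hook.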
Step 10: Set up Event Hooks in Beyond Identity (Optional)
The Event Hooks configuration is only required if you do not have SCIM capability enabled for your Okta tenant due to licensing restrictions. The following changes are required in the Beyond Identity Admin UI to enable Okta Event Hooks.
- Click on Integrations -> API Extensions
- Fill in the Okta Domain and Okta API Token for your tenant. Also, update “Okta Group Name” with the default value of “Beyond Identity” or the value chosen by your organization in Step 2. Click on “Save Changes” as shown in the following figure.
Step 11: Set up Routing Rules
- Click on Security->Identity Providers
- Select “Routing Rules”
- Click on “Add Routing Rule” and set the following parameters.
- Rule Name: Beyond Identity Auth
- Default value for User IPs, Device Platform, Applications
- Set User Matches to “User Attribute” and “byndidRegistered Equals true”
- Note: These values are case sensitive. Ex. “True” will not work but “true” will.
- Set “Then Use the Identity Provider” as “Beyond Identity”.
- Click “Save and Activate Rule”.
- This rule will be set as the first rule.
- See images below for reference:
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “+” sign next to the user's name in the column titled “Not Members”.
- Click Save.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- See image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Once the Authenticator is installed on the device, the user should proceed to Step 2, since there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they will see the progress of their credential registration. Once completed, the user will see the credential in the Authenticator.
- See example image below:
User Authentication (Signing in)
- Each enrolled user can visit their Okta instance or any application supported by your SSO to sign into their corporate applications.
- The Okta application or SSO-supported application will ask the user to enter their username.
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
- The user should click affirmatively on the prompt to be signed into their application without the use of a password. The Beyond Identity app will display along with a success notification.
- Note: For iOS devices, some application sign-in processes will ask the user to exit the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” Group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “-” sign next to the user's name in the column titled “Members”.
- Click Save.
Appendices
Appendix A: Creating a token in Okta
The image below is an example of an administrator view in Okta and illustrates the actions listed below:
- Sign into the Okta portal as an administrator.
- Once signed in, select “Classic UI” from the drop-down menu on the left side of the top-most bar.
- In the main menu bar for Okta, select “Security”.
- In the “Security” drop-down menu, select “API”.
- In the “API” section, select the “Tokens” tab.
- Click “Create Token”.
- In the “Create Token” form, provide your name for the token (e.g. Beyond Identity).
Appendix B: Opening a ticket to enable OpenID Connect IDP connections in Okta
The image below is an example of how to open a case with Okta requesting them to enable OpenID IDP Connections in Okta Sandbox and Production environments.
- Navigate to Okta’s Open Case Center at https://support.okta.com/help/s/opencase.
- Create a case with the following information:
- Request Type: Okta org request
- Subject: Enable OIDC Provider Type
- Detailed Description: (see example description below)
Please enable the "OIDC IdP" type on my Okta organization.
My Organization Id is: <ORG_ID>
This would normally show up under:
"Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"
- Steps to reproduce: (see example below)
This would normally show up under:
"Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"
- Scope: Whole organization affected
- Business impact: (see example below)
- Unable to enable integration
- Priority: P3 - Non critical issue
- Okta org: Select from the list the organizations where Beyond Identity will be integrated.
- Case email: Your own email
- Phone number: Your phone number
- Add contact to team: <Can be left empty>
- Add attachment: <Not required>
Appendix C: Opening a ticket to enable Attribute Level Sourcing Feature in Okta
The image below is an example of how to open a case with Okta requesting them to enable “Attribute Level Sourcing/Mastering” and “Profile Mastering and Push” features in Okta Sandbox and Production environments. This feature needs to be enabled if Okta is integrated with AD.
- Navigate to Okta’s Open Case Center at https://support.okta.com/help/s/opencase.
- Create a case with the following information:
a. Request Type: Okta org request
b. Priority: P3 – Non-critical issue
c. Select the Okta org: Select from the list the organizations where Beyond Identity will be integrated.
d. Subject: Enable "Attribute Level Mastering” & “Allow both profile mastering and push" features
e. Detailed Description: (see example description below)
- Please enable the following features for my org.
- Attribute Level Mastering
- Allow both profile mastering and push
f. Scope: Whole organization affected
g. Case email: Your own email
h. Phone number: Your phone number
i. Add contact to team: <Can be left empty>
j. Add attachment: <Not required>
k. Click on “Open Case”.