Introduction
This guide provides information on how to:
- Set up Beyond Identity to provision users from Okta SSO.
- Set up MIST Cloud for direct integration with Beyond Identity SSO/IdP as the first factor (L3 authentication).
- Set up MIST Cloud for direct integration with Beyond Identity SSO/IdP as the second factor (L2 authentication with dot1x, plus L3 passwordless authentication with Beyond Identity).
Prerequisites
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges.
- MIST Cloud super user or Network admin account.
Okta Configuration for Provisioning Users in Beyond Identity
Step 1: Add Beyond Identity User Group
- Click on Directory -> Groups
- Click on “Add Group”
- Select the fields as shown in the following image:
- Name: “Beyond Identity”
- Description: “Beyond Identity Users Group”
- Click “Add Group”.
Step 2: Set up the Beyond Identity Admin Application in Okta
- Click on Applications -> Add Application
- In the search window, type “Beyond Identity Admin”
- Select the app titled “Beyond Identity Admin Portal”.
- Click Add.
- In the “General Settings”, update the following fields:
- Application Label: “Beyond Identity Admin Portal”
- Click Done.
- In the Assignment tab, assign “Admins” to this application.
- In the “Sign On” tab, update the following fields:
- Click on “Edit” for settings.
- Update the Org ID field with the Organization ID provided by the Beyond Identity team.
- Note down the SSO “Client ID” and “Client Secret” fields and provide them to the Beyond Identity team.
Step 3: Set up Admin Portal Access
- Provide the “Client ID” and “Client Secret” assigned to the Admin UI application in Okta to the Beyond Identity SE. The Beyond Identity team will collect and configure these values.
- Beyond Identity Field Team: configure the following fields through the Beyond Identity Support Console while updating the Admin Console configuration:
- Name: Okta OIDC Integration
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL)
- Token Field: sub
- Token Field Lookup: external_id
- After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console.
Step 4: Set up the Beyond Identity User Portal Application in Okta
- Click on Applications -> Add Application
- In the search window, type “Beyond Identity User”
- Select the app titled “Beyond Identity User Portal”.
- Click Add.
- You will now see a pop-up with the following information:
- General Settings
- Application Label: “Beyond Identity User Portal”
- Click Done.
- In the Assignment tab, click on “Assign” and select “Assign to Groups” from the drop-down. Click on the “Assign” button for the “Beyond Identity” group.
- In the “Sign On” tab, update the following fields:
- Click on “Edit” for settings.
- Update the Org ID field with the Organization ID provided by the Beyond Identity team.
- Note down the SSO “Client ID” and “Client Secret” fields and use them in the next step.
- In the “Provisioning” tab, update the following fields:
- Click on “Configure API Integration”.
- Then click on “Enable API Integration”.
- In the API token field, paste the API token provided by the Beyond Identity team, then click on “Test API Credentials”.
- After you see the message “Beyond Identity User Portal was verified Successfully”, save the configuration.
- After setting up SCIM in the step above, make the following changes in the “Provisioning” tab:
- In the “Provisioning to App” section, click on Edit.
- For “Create Users”, “Update User Attributes” and “Deactivate Users”, click on Enable.
- Save the changes by clicking on “Save”.
- Make the following changes in the “Provisioning” tab (this is only applicable to Okta Production instances, not to Developer or Preview instances):
- In the “Integration” section, click on Edit.
- Select “Import Groups” if it is not enabled by default.
- Save the changes by clicking on “Save”.
MIST Configuration for Direct Integration with BI SSO/IdP
Step 1: SAML configuration on the BI Admin Console
- Log in to the BI Admin console
- Click on Integrations -> SAML -> Add SAML Connection
- Name: <SSID name> (Comes from customer)
- SP Single Sign On URL: www.test.com (placeholder; replaced with the Mist Portal SSO URL in Step 3)
- SP Audience URI: www.test.com (placeholder; replaced with the Mist Portal SSO URL in Step 3)
- Name ID format: emailAddress
- Subject User Attribute: UserName
- Signed Response: SIGNED
- Save changes.
- Note down the IdP Single Sign-On URL and IdP Issuer URL.
- Download the IdP Signature Certificate and save it to your local machine.
Step 2: Configuring the WLAN on the MIST Dashboard
- Log in to https://manage.mist.com with network admin privileges.
- Go to Network -> WLAN -> Add WLAN
- Enter the network name provided by the customer as the SSID, e.g. Beyond Identity.
- In the Security section select “Open access”
- In the Guest Portal, select SSO with Identity Provider (sample configuration below):
- In the Issuer field, paste the IdP Issuer URL copied from Step 1 (https://auth.byndid.com/saml/v0/<IdPid>/sso/metadata.xml).
- Name ID Format: Email
- Signing Algorithm: SHA256
- Certificate: Paste the contents of the certificate downloaded in Step 1.
- SSO URL: Paste the IdP SSO URL from Step 1 (e.g. https://auth.byndid.com/saml/v0/b36a4852-925b-45fa-be11-a813b3e4e00c/sso).
- Devices remain authorized for (Network Admin defined)
- Check “After authorization redirect to URL” and enter the URL defined by the customer, e.g. https://www.beyondidentity.com
- Allowed hostnames: .byndid.com (begins with a dot)
- Leave Portal SSO URL empty (it is filled in after the WLAN is created).
- Uncheck the “Bypass guest/external portal in case of exception” checkbox.
- Click Create.
- Once the WLAN is created, Mist Cloud generates a Portal SSO URL entry. Click on the newly created WLAN and copy the Portal SSO URL from the Guest Portal section (e.g. https://portal.mist.com/saml/4848442e-136d-4333-bb69-2e20fb1e6826/login).
Step 3: Update the BI SAML configuration
- Log in to the BI Admin console
- Click on Integrations -> SAML -> <SAML Integration created in Step 1>
- Click on Edit.
- Update SP Single Sign On URL with the new Portal SSO URL copied at the end of Step 2 above.
- Update SP Audience URI with the same Portal SSO URL from Step 2 above.
- Click on Save.
MIST Configuration for Setting BI SSO/IdP as a Second Factor (1st factor dot1x) (L2 + L3 Authentication)
Step 1: SAML configuration on the BI Admin Console
- Log in to the BI Admin console
- Click on Integrations -> SAML -> Add SAML Connection
- Name: <SSID name> (Comes from customer)
- SP Single Sign On URL: www.test.com (placeholder; replaced with the Mist Portal SSO URL in Step 3)
- SP Audience URI: www.test.com (placeholder; replaced with the Mist Portal SSO URL in Step 3)
- Name ID format: emailAddress
- Subject User Attribute: UserName
- Signed Response: SIGNED
- Save changes.
- Note down the IdP Single Sign-On URL and IdP Issuer URL.
- Download the IdP Signature Certificate and save it to your local machine.
Step 2: Configuring the WLAN on the MIST Dashboard
- Log in to https://manage.mist.com with network admin privileges.
- Go to Network -> WLAN -> Add WLAN
- Enter the network name provided by the customer as the SSID, e.g. Beyond Identity.
- In the Security section select “WPA-2/EAP (802.1x)”
- Go to RADIUS Authentication Servers and add a server:
- Add the RADIUS server IP/hostname.
- Make sure the shared secret is the same as the one configured on the RADIUS server side.
- In the Guest Portal, select SSO with Identity Provider (sample configuration below):
- In the Issuer field, paste the IdP Issuer URL copied from Step 1 (https://auth.byndid.com/saml/v0/<IdPid>/sso/metadata.xml).
- Name ID Format: Email
- Signing Algorithm: SHA256
- Certificate: Paste the contents of the certificate downloaded in Step 1.
- SSO URL: Paste the IdP SSO URL from Step 1.
- Devices remain authorized for (Network Admin defined)
- Check “After authorization redirect to URL” and enter the URL defined by the customer, e.g. https://www.beyondidentity.com
- Allowed hostnames: .byndid.com (begins with a dot)
- Leave Portal SSO URL empty (it is filled in after the WLAN is created).
- Uncheck the “Bypass guest/external portal in case of exception” checkbox.
- Click Create.
- Once the WLAN is created, Mist Cloud generates a Portal SSO URL entry. Click on the newly created WLAN and copy the Portal SSO URL from the Guest Portal section (e.g. https://portal.mist.com/saml/4848442e-136d-4333-bb69-2e20fb1e6826/login).
Step 3: Update the BI SAML configuration
- Log in to the BI Admin console
- Click on Integrations -> SAML -> <SAML Integration created in Step 1>
- Click on Edit.
- Update SP Single Sign On URL with the new Portal SSO URL copied at the end of Step 2 above.
- Update SP Audience URI with the same Portal SSO URL from Step 2 above.
- Click on Save.
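The three steps above (in both the first-factor and second-factor variants) move the same four values between the BI SAML connection and the Mist Guest Portal form, and a typo in any of them only shows up as a failed captive-portal login. The following added check script is not part of this guide or of either product; it parses a constructed IdP metadata document of the shape the Issuer URL points at (placeholder IdP id and certificate body), compares it with the values typed into Mist in Step 2, and verifies the Step 3 rule that both SP fields equal the Mist Portal SSO URL. The dictionary keys and the `MIST_GUEST_PORTAL` sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like the IdP metadata the guide's Issuer URL points at;
# the IdP id and certificate body are placeholders, not real Beyond Identity values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso/metadata.xml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC PLACEHOLDER CERT BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
# Constructed Guest Portal values as a network admin would type them into Mist (Step 2).
MIST_GUEST_PORTAL = {"issuer": "https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso/metadata.xml",
                     "sso_url": "https://auth.byndid.com/saml/v0/EXAMPLE-IDP-ID/sso",
                     "certificate": "MIIC PLACEHOLDER CERT BODY", "name_id_format": "Email",
                     "allowed_hostnames": ".byndid.com"}

def parse_idp_metadata(xml_text):
    """Extract issuer (entityID), SSO URL, signing certificate and NameID format."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "certificate": "".join(cert.text.split()),  # drop PEM line wrapping before comparing
            "name_id_format": idp.findtext("md:NameIDFormat", namespaces=NS)}

def check_mist_guest_portal(idp, mist):
    """Return a list of mismatches between the Mist form values and the IdP metadata."""
    problems = [k for k in ("issuer", "sso_url") if mist[k] != idp[k]]
    if "".join(mist["certificate"].split()) != idp["certificate"]:
        problems.append("certificate")
    if mist["name_id_format"] != "Email" or not idp["name_id_format"].endswith(":emailAddress"):
        problems.append("name_id_format")
    allowed = mist["allowed_hostnames"]
    if not allowed.startswith("."):
        problems.append("allowed_hostnames must begin with a dot")
    elif not urlparse(idp["sso_url"]).hostname.endswith(allowed):
        problems.append("allowed_hostnames does not cover the IdP SSO host")
    return problems

def check_sp_settings(sp_sso_url, sp_audience_uri, portal_sso_url):
    """Step 3: both SP fields of the BI SAML connection must equal the Mist Portal SSO URL."""
    return [n for n, v in (("SP Single Sign On URL", sp_sso_url),
                           ("SP Audience URI", sp_audience_uri)) if v != portal_sso_url]
```

Run it with the real metadata fetched from the Issuer URL and the values actually entered in Mist; an empty list from each check means the three steps are consistent.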
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “+” sign next to the user’s name in the column titled “Not Members”.
- Click Save.
- The enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider. See the image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once it completes, the user will see a credential in the Authenticator.
- See the example image below:
User Authentication (Signing in)
- Each enrolled user can visit their Beyond Identity Admin Portal at https://admin.byndid.com
- The Okta application or SSO-supported application will ask the user to enter their username/password
- Click on the WiFi SSID and experience Beyond Identity passwordless secure logins.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “-” sign next to the user’s name in the column titled “Members”.
- Click Save.