Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Okta environment.
- Set up Okta to use Beyond Identity as an Identity Provider.
Requirements
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges to:
  - Add/edit attributes and their mappings in Directory > Profile Editor.
  - Add/edit Identity Providers in Security > Identity Providers.
  - Add/edit routing rules in Security > Identity Providers > Routing Rules.
  - Add/edit Event Hooks in Workflow > Event Hooks (optional).
- “OpenID Connect IdP” and “Routing Rules” are enabled for the account.
  - Test that “OpenID Connect IdP” is enabled by verifying that Security > Identity Providers > Add Identity Provider > Add OpenID Connect IdP is available. If it is not, contact Okta to open a support ticket to enable “OpenID Connect IdP”. For a template of the ticket to create with Okta, see Appendix B.
  - Ensure the Routing Rules tab is available on the Security > Identity Providers page. If the Routing Rules tab is missing, contact Okta to open a support ticket to enable “Routing Rules” on the Identity Providers page.
Beyond Identity Configuration
Information you will need:
Field | Value |
Your Okta Instance URL | Production, e.g. https://[your-domain].okta.com. Note: If you use a test instance, the URL will not contain okta.com. |
Follow the steps below to configure Beyond Identity as the IdP in Okta. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Task 1: Create a Custom Attribute within Okta OIE
1. Sign in to the Okta portal as an administrator.
2. From the left-hand navigation panel select Directory > Profile Editor.
3. Under Users, select the User (default) profile.
4. Under Profile Editor, click Add Attribute.
5. In the Add Attribute window, add and select the following attribute settings:
Field | Select/Add |
Data Type | Boolean |
Display Name | Beyond Identity |
Variable Name | byndidRegistered |
Description | Beyond Identity Registration Status |
User Permission | Read Only |
When you are done, click Save.
NOTE: If you have multiple profile masters (applicable for AD-mastered users), follow these steps:
- Click the edit button for the “byndidRegistered” attribute in the Okta profile.
- For the Source Priority field, select Inherit from Okta from the drop-down.
- Click Save Attribute.
Task 2: Create an Okta API Key with the correct privileges
To modify the Okta identity custom attribute byndidRegistered, we will need admin API privileges.
6. While logged into Okta as an admin, from the left-hand navigation panel, select Security → API.
7. Select Tokens and click Create Token.
8. Name your token Beyond Identity, then select Any IP. When you are done, click Create token.
NOTE: You may be asked to re-authenticate with Okta.
9. Click the copy icon to copy the Token value. Paste the token into a text editor to save it; you will need it for other steps. Then click OK, got it.
10. Under the Role column, verify that the value is either Super Administrator or Organization Administrator.
Task 3: Register the Okta API token with Beyond Identity
11. Log into the Beyond Identity Admin Console.
12. Navigate to Integrations, then select the Okta tab.
13. Under Okta Registration, click the download icon to Install this service.
14. The Install Okta Registration dialog window will display. Complete the dialog window with the following information:
Field | Value |
Okta Domain | A. Copy your Okta domain by clicking your profile name (top right corner of the page). B. Paste the domain into the Okta Domain field. |
Okta Token | Paste the token you copied in Step 9. |
Okta Registration Attribute | byndidRegistered |
Okta Mapping Attribute | <LEAVE BLANK> |
15. When you are done, click Save Changes.
Task 4: Create an OIDC connection in Beyond Identity
16. From the Beyond Identity Admin Console, navigate to Integrations → OIDC, then click Add OIDC Client.
17. Complete the dialog box fields with the following values:
Field | Value |
Name | Okta SSO |
Redirect URIs | EXAMPLE ONLY DO NOT COPY: |
Token Signing Algorithm | RS256 |
Auth Method | client secret post |
Login Hint Validation Config | Enabled |
Login Hint Match Strategies | Select all |
18. Click Save Changes.
19. Next, copy the Client ID and Client Secret from the Integrations → OIDC section to a text editor. You will need these values for other steps.
Task 5: Create an OIDC Connection in Okta
Now, we'll create the OIDC connection in the Okta console.
20. While logged in as an administrator in Okta, from the left-hand panel, navigate to Security → Identity Providers.
21. Click + Add Identity Provider.
22. From the list of identity providers, select OpenID Connect IdP. Then, scroll down and click Next.
NOTE: In rare cases, OIDC connections may be disabled in Okta tenants. If you don’t see it, reach out to Okta Support to have it enabled.
23. Provide the following values:
Field | Value |
Name | Beyond Identity |
IdP Usage | SSO Only |
Scopes | openid |
Client ID | The client ID from Step 19 |
Authentication Type | client secret |
Client Secret | The client secret from Step 19 |
Issuer | |
Authorization endpoint | |
Token endpoint | |
JWKS endpoint | |
Userinfo endpoint | |
IdP Username | |
Match against | |
Account link policy | |
Auto-link filters | Leave blank |
If no match is found | |
24. Click Finish.
Task 6: Create the Routing Rule within Okta OIE
25. While logged in as an administrator in Okta, from the left-hand navigation panel, select Security → Identity Providers.
26. From the Routing Rules tab, click Add Routing Rule.
27. Fill out the form as follows:
Name | Beyond Identity |
IF User's IP is | Anywhere |
AND User's device platform is | Any device |
AND User is accessing | Any application |
AND User matches | User attribute byndidRegistered <select Equals> <select true> |
THEN Use this identity provider | Beyond Identity |
28. Click Create Rule.
29. Then, select Activate.
NOTE: Drag this rule to the top of the rule list to ensure it takes priority.
Task 7: Add a Break-glass Rule for Admin Access (Recommended)
Note: If you choose to complete this task, this rule should be placed BEFORE the "Beyond Identity" rule you created previously.
30. While logged in as an administrator in Okta, from the left-hand navigation panel, select Security → Identity Providers.
31. Click Add Routing Rule.
32. Fill out the rule as follows:
Name | Breakglass Admin Access |
IF User's IP is | Anywhere |
AND User's device platform is | Any device |
AND User is accessing | Any application |
AND User matches | Select a specific user attribute that uniquely identifies your breakglass account(s), such as: |
THEN Use this identity provider | Okta (Not Beyond Identity) |
33. Click Create Rule.
34. Drag this rule to the top of the rule list to ensure it takes priority.
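Routing rules are evaluated top to bottom and the first match wins, which is why Task 7 tells you to drag the break-glass rule above the Beyond Identity rule. The following added example (not part of this guide or of Okta's or Beyond Identity's own code) models that evaluation so you can check rule order before relying on it. It assumes Okta's built-in default rule routes to Okta, and uses a hypothetical login-based match for the break-glass accounts, since the guide leaves the identifying attribute to you.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

User = Dict[str, object]


@dataclass
class RoutingRule:
    name: str
    idp: str
    matches: Callable[[User], bool]


# Okta's built-in default rule sends anyone no other rule matched to Okta itself.
DEFAULT_IDP = "Okta"

# Hypothetical break-glass identification (constructed sample); the guide only
# says to pick an attribute that uniquely identifies your break-glass accounts.
BREAKGLASS_LOGINS = {"breakglass-admin@example.com"}


def breakglass_rule() -> RoutingRule:
    # Task 7: break-glass admins stay on Okta, never on Beyond Identity.
    return RoutingRule("Breakglass Admin Access", "Okta",
                       lambda u: u.get("login") in BREAKGLASS_LOGINS)


def beyond_identity_rule() -> RoutingRule:
    # Task 6: User attribute byndidRegistered Equals true.
    return RoutingRule("Beyond Identity", "Beyond Identity",
                       lambda u: u.get("byndidRegistered") is True)


def route(rules: List[RoutingRule], user: User) -> str:
    """Return the IdP of the first rule whose condition matches, else the default."""
    for rule in rules:
        if rule.matches(user):
            return rule.idp
    return DEFAULT_IDP


def recommended_order() -> List[RoutingRule]:
    return [breakglass_rule(), beyond_identity_rule()]


def wrong_order() -> List[RoutingRule]:
    return [beyond_identity_rule(), breakglass_rule()]


def breakglass_still_reaches_okta(rules: List[RoutingRule]) -> bool:
    """True only if a registered break-glass admin is still routed to Okta."""
    return all(route(rules, {"login": login, "byndidRegistered": True}) == "Okta"
               for login in BREAKGLASS_LOGINS)
```

With the rules in the wrong order, a break-glass admin whose byndidRegistered flag is true is sent to Beyond Identity like everyone else, which defeats the purpose of the rule.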
Task 8: Configure Authentication Policies in Okta
35. While logged in as an administrator in Okta, from the left-hand navigation panel, select Security → Authentication Policies.
36. Select the Default authentication policy, usually Any two factors.
37. Under the Rules tab, click Add Rule.
38. Fill out the form as follows (leave unmentioned fields at their default values):
Rule name | Beyond Identity |
IF User's user type is | Any user type |
AND User's group membership includes | Any group |
AND User is | Any user |
AND Device platform is | Any platform |
AND User's IP is | Any IP |
AND Risk is | Any |
AND The following custom expression is true | |
THEN Access is | Allowed after successful authentication |
AND User must authenticate with | |
AND Possession factor constraints are | Require user interaction |
AND Authentication methods | Disallow specific authentication methods |
AND Prompt for authentication | When it's been over a specific length of time since user signed in to any resource protected by the active Okta global session: 1 Hours |
39. Click Save.
NOTE: You may receive a warning from Okta (refer to the image below) stating that the rule you are configuring is weak, because Okta cannot track the factors used when integrating with other IdPs. You can safely ignore this warning and click Save Anyway.
Task 9: Manually set Beyond Identity User Attribute
40. While logged in as an administrator in Okta, from the left-hand navigation panel, select Directory → People.
41. Select the user you want to validate the Beyond Identity login with.
42. Select Profile and click Edit.
43. Scroll to the bottom of the Attributes section, set Beyond Identity (byndidRegistered) to true, and click Save.
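Task 9 sets byndidRegistered by hand for a test user; in production the Okta Registration service from Task 3 flips the same attribute through the Okta Users API using the admin token from Task 2. The following added example (not part of this guide, and not Beyond Identity's own code) shows that call, using Okta's documented partial-update endpoint. It assumes a placeholder Okta domain, token and user ID, and takes an injectable transport so it can be exercised offline against a constructed stand-in.

```python
import json
import urllib.request

REGISTRATION_ATTRIBUTE = "byndidRegistered"  # custom attribute from Task 1


def build_partial_update(okta_domain, token, user_id, registered):
    """Build the request that sets byndidRegistered on a single user.

    POST /api/v1/users/{id} is a partial update: only attributes in the body
    change.  PUT replaces the whole profile and nulls any attribute you omit,
    so a registration service must never use PUT for this flag.
    """
    return {
        "method": "POST",
        "url": f"https://{okta_domain}/api/v1/users/{user_id}",
        "headers": {
            "Authorization": f"SSWS {token}",  # admin API token from Task 2
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        "body": {"profile": {REGISTRATION_ATTRIBUTE: bool(registered)}},
    }


def is_registered(user_json):
    """Read the flag from an Okta user object; absent, null or non-boolean is False."""
    return user_json.get("profile", {}).get(REGISTRATION_ATTRIBUTE) is True


def send_with_urllib(request):
    """Default transport: perform the real HTTPS call and return the JSON body."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode(),
        headers=request["headers"],
        method=request["method"],
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def set_registered(okta_domain, token, user_id, registered, send=send_with_urllib):
    """Set the flag and return the value Okta reports back for that user."""
    return is_registered(send(build_partial_update(okta_domain, token, user_id, registered)))


def fake_okta(request):
    """Constructed stand-in for Okta: merges the posted profile into a sample user."""
    sample = {"id": "00u_placeholder", "profile": {"login": "alice@example.com"}}
    sample["profile"].update(request["body"]["profile"])
    return sample
```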
Task 10: Log in to an application that uses Okta SSO
44. While in Okta, click your name at the top right corner of the page, then click My end user dashboard.
45. If the routing rule is active, you’ll see a single field asking for your username. Enter it and click Next to continue.
46. If your authentication policy is set up correctly and the rule is in the right order, you’ll be routed through the Beyond Identity login flow. Once authenticated, you’ll be redirected to your application as expected.
Congratulations! You have finished configuring Okta.