Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Okta environment.
- Set up Okta to use Beyond Identity as an Identity Provider.
Contents
- Requirements
- Beyond Identity Configuration
- Step 1: Configure the integration in Okta
  - Add an Attribute to the Okta Profile
  - Add a Beyond Identity User Group in Okta
  - Set up the Beyond Identity User Portal Application in Okta
  - Set up the User Portal Access in Beyond Identity
  - Set up the Beyond Identity Admin Application in Okta
  - Set up Admin Portal Access in Beyond Identity
  - Set up Federated SSO for User Authentication
- Step 2: Configure Beyond Identity as the Identity Provider (IdP)
- Step 3: Set up Authentication Policies in Okta
- Step 4: Set up Global Session Policies in Okta
- Step 5: Set up Test Users in Okta
  - Deprovision Users
- Appendixes
Requirements
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges to:
  - Add/edit attributes and their mappings in Directory > Profile Editor.
  - Add/edit Identity Providers in Security > Identity Providers.
  - Add/edit routing rules in Security > Identity Providers > Routing Rules.
  - Add/edit Event Hooks in Workflow > Event Hooks (optional).
- “OpenID Connect IdP” and “Routing Rules” enabled for the account.
  - Test that “OpenID Connect IdP” is enabled by verifying that Security > Identity Providers > Add Identity Provider > Add OpenID Connect IdP is available. If it is not, open a support ticket with Okta to enable “OpenID Connect IdP”. For a template of the ticket to create with Okta, see Appendix B.
  - Ensure the Routing Rules tab is available on the Security > Identity Providers page. If the Routing Rules tab is missing, open a support ticket with Okta to enable “Routing Rules” on the Identity Providers page.
Beyond Identity Configuration
Information you will need:
Item | Value
Your Okta Instance URL (Production) | e.g. https://[your-domain].okta.com. Note: If you use a test instance, the URL will not contain okta.com.
Information you will receive from the Beyond Identity Field Team:
Item | Value
Beyond Identity IdP Issuer | [From Beyond Identity SE]
Beyond Identity IdP Authorization endpoint | https://auth.byndid.com/v2/authorize
Beyond Identity IdP Token endpoint | https://auth.byndid.com/v2/token
Beyond Identity IdP JWKS endpoint | https://auth.byndid.com/v2/.well-known/jwks.json
Beyond Identity IdP UserInfo endpoint | https://auth.byndid.com/v2/userinfo
SCIM / Event Hook API Bearer Token | [From Beyond Identity SE]
Beyond Identity Tenant ID | [From Beyond Identity SE]
Event Hook API endpoint | https://api.byndid.com/okta_events
SCIM API endpoint for U.S. |
SCIM API endpoint for E.U. |
Step 1: Configure the integration in Okta
Follow the steps below to configure Beyond Identity as the IdP in Okta. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Add an Attribute to the Okta Profile
- Sign into the Okta portal as an administrator.
- In the main Okta menu, select Directory > Profile Editor.
- Find your “Okta User (default)” or appropriate profile and click on the link.
- Under the user profile editor, click Add Attribute.
- Set the following options and click Save.
  Option | Specify the following
  Data Type | Boolean
  Display Name | Beyond Identity Registration Status
  Variable Name | byndidRegistered
  Description | Beyond Identity Registration Status
  User Permission | Read Only
- If you have multiple profile masters (applicable for AD-mastered users), perform the following steps.
  - Click the edit button for the “byndidRegistered” attribute in the Okta profile.
  - For the Source Priority field, select Inherit from Okta from the drop-down.
  - Click Save Attribute.
Add a Beyond Identity User Group in Okta
- Navigate to Directory > Groups.
- Click Add Group.
- In the Add Group dialog, enter the following information:
  - Name: Beyond Identity
  - Description: Beyond Identity Users Group
- Click Save.
Set up the Beyond Identity User Portal Application in Okta
- In the Okta portal, navigate to Applications > Applications > Browse App Catalog.
- In the Search window, type “Beyond Identity User”.
- Select the Beyond Identity User Portal app.
- Click Add.
- Under General Settings, update the following:
  - In the Application Label, type “Beyond Identity User Portal”.
  - Click Done.
- In the Assignment tab, click Assign and select Assign to Groups from the drop-down.
- Click Assign for the “Beyond Identity” group.
- In the Sign On tab, update the following fields.
  - Click Edit for settings.
  - Update the Org ID field with the Organization ID provided by the Beyond Identity team.
  - Note the SSO “Client ID” and “Client Secret” values. You will use these in the next section.
  - Click Save.
- In the Provisioning tab, update the following fields.
  - Click Configure API Integration.
  - Click Enable API Integration.
  - In the API token field, paste the API token provided by the Beyond Identity team.
  - Select Import Groups if it is not enabled by default. (This is only available in Okta Production instances, not in Developer or Preview instances.)
  - Click Test API Credentials.
  - After seeing the message “Beyond Identity User Portal was verified Successfully”, save the configuration.
- After setting up SCIM in the above step, make the following changes in the Provisioning tab.
  - In the Provisioning to App section, click Edit.
  - Click Enable beside:
    - Create Users
    - Update User Attributes
    - Deactivate Users
  - Click Save.
- Make the following changes in the Provisioning tab.
  Note: This step only applies to Okta Production instances, not Developer or Preview instances.
  - In the Integration section, click Edit.
  - Select Import Groups if it is not enabled by default.
  - Click Save.
- To sync groups with Beyond Identity:
  - Select the Push Groups tab.
  - Click the Push Groups drop-down and select Find groups by name. This defines which groups are synced with Beyond Identity.
Set up the User Portal Access in Beyond Identity
- Log into the Beyond Identity Admin console.
- Navigate to Settings > Console Login > User Console SSO Integrations and click Add Active SSO.
- Select the drop-down beside Active SSO and choose whether to use OIDC or SAML for the SSO.
- Click Save Changes.
- Configure the fields for the SSO type for User Console SSO Integrations and then click Save Changes.
  - OIDC Connection
    OIDC Option | Specify the following
    Name | Okta OIDC SSO
    Client ID | <Use the value copied in the previous section>
    Client Secret | <Use the value copied in the previous section>
    Issuer | https://<okta-tenant-id>.okta.com (provided by the customer as the Login URL; do not include a trailing slash after the issuer URL)
    Token Field | sub
    Token Field Lookup | external id
    Scopes | Select all (alternately select profile, email) - Optional
  - SAML Connection
    SAML Option | Specify the following
    Name | Okta SAML SSO
    IDP URL | <SAML SSO service URL>
    IDP Entity ID | <SAML request URL>
    Name ID Format | unspecified (unless the IDP requires a different value)
    Subject User Attribute | Option varies based on the Beyond Identity attribute
    Request Binding | Binding for the outgoing AuthnRequest
    X509 Signing Certificate | Upload the public key certificate of the IDP used to verify SAML assertions
Set up the Beyond Identity Admin Application in Okta
- In the Okta portal, navigate to Applications > Applications > Browse App Catalog.
- In the Search window, type “Beyond Identity Admin”.
- Click the Beyond Identity Admin Portal app.
- Click Add.
- Under General Settings, update the following:
  - In the Application Label, type “Beyond Identity Admin Portal”.
  - Click Done.
- In the Assignment tab, assign Admins to this application.
- In the Sign On tab, update the following.
  - Click Edit for settings.
  - Update the Org ID field with the Organization ID provided by Beyond Identity.
  - Note the SSO Client ID and Client Secret fields. You will use them in the following section.
Set up Admin Portal Access in Beyond Identity
- In the Beyond Identity Admin console, navigate to Settings > Console Login > Admin Console SSO Integrations.
- Click Add Active SSO.
- Select the drop-down beside Active SSO and choose whether to use OIDC or SAML for the SSO.
- Click Save Changes.
- Configure the fields for the SSO type for Admin Console SSO Integrations and then click Save Changes.
  - OIDC Connection
    OIDC Option | Specify the following
    Name | Admin Console SSO - Okta
    Client ID | <Use the value copied in the previous section>
    Client Secret | <Use the value copied in the previous section>
    Issuer | https://<okta-tenant-id>.okta.com (provided by the customer as the Login URL; do not include a trailing slash after the issuer URL)
    Token Field | sub
    Token Field Lookup | external id
    Scopes | Select all (alternately select profile, email) - Optional
  - SAML Connection
    SAML Option | Specify the following
    Name | Admin Console SSO - SAML
    IDP URL | <SAML SSO service URL>
    IDP Entity ID | <SAML request URL>
    Name ID Format | unspecified (unless the IDP requires a different value)
    Subject User Attribute | Option varies based on the Beyond Identity attribute
    Request Binding | Binding for the outgoing AuthnRequest
    X509 Signing Certificate | Upload the public key certificate of the IDP used to verify SAML assertions
- Assign a user to an Admin role so they can access the Beyond Identity Admin console.
  - Select the Console Access Control tab.
  - Click on the predefined Super Administrators role.
  - Click Assign Access role to users and select a user from the drop-down.
  - Click Assign users to role.
  Note: You could also assign user groups to Admin roles. To do so, select the Groups tab for the predefined admin role, click Assign access role to groups, select a group, and then click Assign groups to role.
- After these values are provisioned, the user or a group member assigned to the Super Administrators role should log in and confirm that they have access to the Beyond Identity Admin console through the Okta SSO.
Set up Federated SSO for User Authentication
- In the Beyond Identity Admin console, navigate to Integrations > OIDC.
- Click Add OIDC Client and update the following fields.
  Option | Specify the following
  Name | Okta SSO
  Redirect URIs | https://<okta-tenant-name>.okta.com/oauth2/v1/authorize/callback
  Token Signing Algorithm | RS256
  Auth Method | client secret post
  Login Hint Validation Config | Select whether to enable login hints. If enabled, select the login hint matching strategy.
- Click Save Changes.
- On the OIDC Clients list, copy the Client ID and Client Secret values. You will use these values in the next section.
- Navigate to the Okta tab and then click the Install icon for Okta Registration.
- In the Edit Okta Registration dialog, complete the fields:
  - Enter the Okta Domain URL and the Okta API Token for your tenant (see Appendix A for creating the token).
  - In the Okta Registration Attribute field, enter “byndidRegistered” or the value chosen by your organization.
  - Click Save Changes.
Step 2: Configure Beyond Identity as the Identity Provider (IdP)
- In the main Okta menu, select Security.
- In the Security drop-down, select Identity Providers.
- Select the Identity Providers tab, and click Add Identity Provider.
- In the next screen, select the OpenID Connect Identity Provider tile and click Next.
- Complete the following:
  Option | Specify the following
  Name | Beyond Identity
  IdP Usage | SSO only
  Client id | Paste the Client ID copied from the Beyond Identity Admin console in the previous section.
  Client Secret | Paste the Client Secret copied from the Beyond Identity Admin console in the previous section.
  Scopes | openid (remove any additional scopes)
  Issuer | Use the issuer URL provided by the Beyond Identity Field Team.
  Authorization endpoint | https://auth.byndid.com/v2/authorize
  Token endpoint | https://auth.byndid.com/v2/token
  JWKS endpoint | https://auth.byndid.com/v2/.well-known/jwks.json
  Userinfo endpoint | https://auth.byndid.com/v2/userinfo
  Note: The endpoints are different for the US vs. EU. For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
  IdP Username | idpuser.externalId
  Match Against | Okta Username
  Account Link Policy | Automatic
  Auto-Link Restrictions | None
  If no match is found | Redirect to Okta Sign-in Page
Configure the OIDC client for Step-Up authentication (Required only for Step-up Authentication)
- Repeat all of the steps from the previous section (Step 2: Configure Beyond Identity as the Identity Provider (IdP)) to create an OIDC provider for Step-Up authentication WITH THE EXCEPTION of specifying a different name and setting IdP Usage: Factor only.
Set up Routing Rules
- Navigate to Security > Identity Providers > Routing Rules tab.
- Click Add Routing Rule and set the following parameters.
  - Rule Name: Beyond Identity Auth
  - Leave the default values for User IPs, Device Platform, and Applications.
  - Set User Matches to “User Attribute” and “byndidRegistered Equals true”.
    Note: These values are case-sensitive, e.g. “True” will not work but “true” will.
  - Set “Then Use the Identity Provider” to “Beyond Identity”.
- Click Save and Activate Rule. This rule will be set as the first rule.
- Ensure your newly created Routing Rule has the highest precedence.
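The values entered in the Federated SSO OIDC client (Step 1), the Okta IdP definition (Step 2) and the routing rule above have to agree with each other, and several of them fail silently when they do not (a trailing slash on the issuer, an extra scope, a capitalised "True", US endpoints on an EU tenant). The following Python script is an added example, not Beyond Identity or Okta code: the config dictionary, its field names and the example tenant name are constructed for illustration, while the host names are the US and EU ones this guide lists.

```python
import re
from urllib.parse import urlparse

# Regional Beyond Identity hosts named in this guide (US default, EU variant).
REGIONS = {
    "us": {"auth": "auth.byndid.com", "api": "api.byndid.com"},
    "eu": {"auth": "auth-eu.byndid.com", "api": "api-eu.byndid.com"},
}

# Constructed sample of the values entered in Step 1, Step 2 and the routing rule.
SAMPLE_CONFIG = {
    "okta_issuer": "https://example.okta.com",  # console SSO Issuer, no trailing slash
    "redirect_uri": "https://example.okta.com/oauth2/v1/authorize/callback",
    "token_signing_alg": "RS256",
    "scopes": ["openid"],  # Okta IdP Scopes, nothing else
    "endpoints": {
        "authorization": "https://auth.byndid.com/v2/authorize",
        "token": "https://auth.byndid.com/v2/token",
        "jwks": "https://auth.byndid.com/v2/.well-known/jwks.json",
        "userinfo": "https://auth.byndid.com/v2/userinfo",
    },
    "event_hook_url": "https://api.byndid.com/okta_events",
    "routing_rule_value": "true",  # byndidRegistered Equals ... (case-sensitive)
}


def check_idp_config(cfg: dict, region: str) -> list:
    """Return the list of inconsistencies found; an empty list means the values agree."""
    hosts = REGIONS[region]
    problems = []
    issuer = cfg["okta_issuer"]
    # The console SSO Issuer must be the bare https tenant URL with no trailing slash.
    if issuer.endswith("/") or not re.fullmatch(r"https://[a-z0-9.-]+", issuer):
        problems.append("okta_issuer must be https://<tenant>.okta.com with no path or slash")
    # The Beyond Identity OIDC client's redirect URI is Okta's authorize callback.
    expected_redirect = issuer.rstrip("/") + "/oauth2/v1/authorize/callback"
    if cfg["redirect_uri"] != expected_redirect:
        problems.append(f"redirect_uri should be {expected_redirect}")
    if cfg.get("token_signing_alg") != "RS256":
        problems.append("token signing algorithm must be RS256")
    # Okta's IdP definition must request exactly the openid scope.
    if cfg["scopes"] != ["openid"]:
        problems.append("scopes must be exactly ['openid']")
    # All four IdP endpoints and the event hook must use the same region's hosts.
    for name in ("authorization", "token", "jwks", "userinfo"):
        host = urlparse(cfg["endpoints"][name]).hostname
        if host != hosts["auth"]:
            problems.append(f"{name} endpoint host {host} is not {hosts['auth']}")
    if urlparse(cfg["event_hook_url"]).hostname != hosts["api"]:
        problems.append(f"event hook host is not {hosts['api']}")
    # The routing rule comparison is case-sensitive: "true" works, "True" does not.
    if cfg["routing_rule_value"] != "true":
        problems.append('routing rule must read byndidRegistered Equals "true" (lowercase)')
    return problems
```

Run `check_idp_config(SAMPLE_CONFIG, "us")` before saving the Okta side; an EU tenant passes `"eu"` and the same check flags any US host left in the endpoint fields.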
Step 3: Set up Authentication Policies in Okta
- Navigate to Security > Authentication Policies and click Add a Policy.
- Name the new policy "Beyond Identity".
- Once the policy is created, click Add Rule and configure the following values:
  a. Rule Name: Beyond Identity
  b. User's group membership includes: Add the Beyond Identity group in the drop-down.
  c. User must authenticate with: Password/IdP
  d. Click Save.
Step 4: Set up Global Session Policies in Okta*
*This step is optional, depending on the current Global Session Policy configuration. The purpose of this policy is to not require any Okta step-up authentication methods, as the Beyond Identity policy configuration will enforce this. Your Beyond Identity team can help you determine whether this step is required or can be skipped.
1. Navigate to Security > Global Session Policy.
2. Click Add Policy. Name the new policy "Beyond Identity" and set the Group to "Beyond Identity". Click Create Policy and Add Rule.
3. Name the rule "Beyond Identity". Set "Identity provider is" to "Beyond Identity" and click Create Rule.
Step 5: Set up test users in Okta
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” group.
  - In Okta, navigate to Directory > Groups.
  - Select the Beyond Identity group.
  - Click Manage People.
  - Click the plus sign next to the user's name in the column titled “Not Members”.
  - Click Save.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- To enroll in Beyond Identity, each user will need to:
  1. Download the Beyond Identity Authenticator to their device if it has not been installed via an MDM.
     When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already. Once the Authenticator is installed on the device, they should proceed to step 2, as there is not yet a user credential associated with the Authenticator on that device.
  2. Register the user's credential (passkey) in the Beyond Identity IdP.
     When the user clicks Register New Credential, the user’s passkey is enrolled in the Beyond Identity service on the backend. On the frontend, the user is taken to the Beyond Identity Authenticator, where they will see the progress of their passkey registration. Once completed, the user will see the passkey in the Authenticator.
User Authentication (Signing in)
- Enrolled users can visit their Okta instance or any application supported by your SSO to sign into their corporate applications.
- The Okta application or SSO-supported application will ask the user to enter their username.
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
- The user should accept the prompt to be signed into their application without the use of a password. The Beyond Identity app will display a success notification.
  Note: For iOS devices, some application sign-in processes will ask the user to exit the Beyond Identity Authenticator to return to their app after successful authentication.
Deprovision users
To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” Group.
- In the Okta Portal, navigate to Directory > Groups.
- Select the Beyond Identity group.
- Click Manage People.
- Click the minus sign next to the user's name in the column titled “Members”.
- Click Save.
Appendix A: Creating a token in Okta
The image below is an example of an administrator view in Okta and illustrates the actions listed below:
- Sign into the Okta portal as an administrator.
- Select Classic UI from the drop-down menu on the left side of the top-most bar.
- In the main menu bar for Okta, select Security.
- Click API.
- In the API section, select the Tokens tab.
- Click Create Token.
- In the “Create Token” form, provide your name for the token (e.g. Beyond Identity).
Appendix B: Opening a ticket to enable OpenID Connect IDP connections in Okta
The image below is an example of how to open a case with Okta requesting them to enable OpenID IDP Connections in Okta Sandbox and Production environments.
- Navigate to Okta’s Open Case Center at https://support.okta.com/help/s/opencase.
- Create a case with the following information:
  - Request Type: Okta org request
  - Subject: Enable OIDC Provider Type
  - Detailed Description (example):
    Please enable the "OIDC IdP" type on my Okta organization.
    My Organization Id is: <ORG_ID>
    This would normally show up under:
    "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"
  - Steps to reproduce (example):
    This would normally show up under:
    "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"
  - Scope: Whole organization affected
  - Business impact (example): Unable to enable integration
  - Priority: P3 - Non critical issue
  - Okta org: Select from the list the organizations where Beyond Identity will be integrated.
  - Case email: Your own email
  - Phone number: Your phone number
  - Add contact to team: <Can be left empty>
  - Add attachment: <Not required>