Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Okta environment.
- Set up Okta to use Beyond Identity as an Identity Provider.
Prerequisites
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges to:
- Add/edit attributes and their mappings in Directory > Profile Editor.
- Add/edit Identity Providers in Security > Identity Providers.
- Add/edit routing rules in Security > Identity Providers -> Routing Rules.
- Add/edit Event Hooks in Workflow > Event Hooks (Optional).
- “OpenID Connect IdP” and “Routing Rules” are enabled for the account.
- Test that “OpenID Connect IdP” is enabled by verifying you have "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP" available. If you do not, then contact Okta to open a support ticket to enable “OpenID Connect IdP”. For a template of the ticket to create with Okta, see Appendix B.
- Ensure the “Routing Rules” tab is available on the Security->Identity Providers page. If the “Routing Rules” tab is missing, contact Okta to open a support ticket to enable “Routing Rules” on the Identity Provider page.
Beyond Identity Configuration
Information you will need:
Your Company Name |
Your Okta Instance URL, e.g. https://[your-domain].okta.com |
(Optional) A logo for your corporation | Logo requirements: 300 x 150 pixels or less; file size of 10kb or less; file types accepted: SVG, PNG, JPG, or GIF
Information you will receive from the Beyond Identity Field Team:
Beyond Identity IdP Issuer | https://auth.byndid.com/v2
Beyond Identity IdP Authorization endpoint | https://auth.byndid.com/v2/authorize
Beyond Identity IdP Token endpoint | https://auth.byndid.com/v2/token
Beyond Identity IdP JWKS endpoint | https://auth.byndid.com/v2/.well-known/jwks.json
Beyond Identity IdP UserInfo endpoint | https://auth.byndid.com/v2/userinfo
SCIM / Event Hook API Bearer Token | [From Beyond Identity SE]
Beyond Identity Org ID | [From Beyond Identity SE]
Event Hook API endpoint | https://api.byndid.com/okta_events
SCIM API endpoint |
NOTE! The endpoints are different for the US vs. EU.
For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
Okta Configuration
To configure Beyond Identity as the IdP in Okta, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Step 1: Navigate to the Profile Editor
The image below is an example of an administrator view in Okta and illustrates the actions listed below to navigate to the Profile Editor:
- Sign into the Okta portal as an administrator.
- In the main Okta menu, select “Directory”.
- In the “Directory” drop-down menu, select “Profile Editor”.
- Find your “Okta User (default)” or appropriate profile and click the hyperlink to Edit Profile.
- Under the user profile editor, you will see an action to “Add Attribute”. See image below:
- Click on “Add Attribute”.
- Select fields as shown in the following image:
- Data Type: Boolean
- Display Name: Beyond Identity Registration Status
- Variable Name: byndidRegistered
- Description: Beyond Identity Registration Status
- User Permission: Read Only
- Click Save. See image below for reference:
- If you have multiple profile masters (applicable for AD mastered users), then perform the following steps.
- Click on edit button for “byndidRegistered” attribute in Okta profile.
- For the “Master Priority” field select “Inherit from Okta” from the pull-down menu.
- Click on Save Attribute. Please, see image below for reference:
Step 2: Add Beyond Identity User Group
- Click on Directory-> Groups
- Click on “Add Group”
- Select fields as shown in the following image:
- Name: “Beyond Identity”
- Description: “Beyond Identity Users Group”
- Click Save.
Step 3: Setup Beyond Identity User Portal Application in Okta
- Click on Applications -> Applications -> Browse App Catalog
- In Search window type “Beyond Identity User”
- Select App with title “Beyond Identity User Portal”.
- Click Add.
- Now you will see a pop up with the following information.
- General Settings
- Application Label: “Beyond Identity User Portal”
- Click Done.
- In the Assignment Tab, click on “Assign” and from the drop down the select “Assign to Groups”. Click on the “Assign” button for the “Beyond Identity” group.
- In the “Sign On” tab update the following fields.
- Click on “Edit” for settings.
- Update Org ID field with Organization Id provided by Beyond Identity team.
- Note down SSO “Client ID” and “Client Secret” field and use it in the next step.
- Click on “Save”.
- In the “Provisioning” tab update the following fields.
- Click on “Configure API Integration”.
- Then click on “Enable API Integration”.
- In the API token field paste the API token provided by the Beyond Identity team.
- Select “Import Groups” if it is not enabled by default. (This is only available in Okta Production instances and not in Developer or Preview instances.)
- Then click on “Test API Credentials”.
- After you see the message “Beyond Identity User Portal was verified Successfully”, save the configuration.
- After setting up SCIM in the above step, make the following changes in the “Provisioning” Tab.
- In the “Provisioning to App” section, click on Edit.
- For the “Create Users”, “Update User Attributes” and “Deactivate Users” click on Enable.
- Save the changes by clicking on “Save”.
- Make the following changes in the “Provisioning” Tab. (This is only applicable to Okta Production instances and not to Developer or Preview instances.)
- In the “Integration” section, click on Edit.
- Select “Import Groups” if it is not enabled by default.
- Save the changes by clicking on “Save”.
- To sync groups with Beyond Identity:
- Click on the Push Groups tab.
- Click the Push Groups drop-down menu.
- To define which groups are synced with Beyond Identity:
- Select Find groups by name: Searches for specific groups to push.
Step 4: Setup User Portal Access in Beyond Identity
- Once logged into Beyond Identity Admin UI, click on Settings -> Console Login-> User Console SSO Integrations and click on Add OIDC SSO.
- Please configure the following fields for User Console SSO Integrations.
- Name: Okta OIDC SSO
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL) (Remember to not have a trailing slash after issuer URL)
- Token Field: sub
- Token Field Lookup: external id
- Scopes: Select all [Alternately select Profile, email] - Optional
- Click on Save Changes.
Step 5: Setup Beyond Identity Admin Application in Okta
- Click on Applications -> Applications -> Browse App Catalog.
- In Search window type “Beyond Identity Admin”
- Select App with title “Beyond Identity Admin Portal”.
- Click Add.
- In the “General Settings” update following fields
- Application Label: “Beyond Identity Admin Portal”
- Click Done.
- In the Assignment Tab Assign “Admins” to this Application.
- In the “Sign On” tab update the following fields.
- Click on “Edit” for settings.
- Update Org ID field with Organization Id provided by Beyond Identity team.
- Note down SSO “Client ID” and “Client Secret” fields. You will be using them in follow up steps.
Step 6: Setup Admin Portal Access in Beyond Identity
- Login to Beyond Identity Admin Console and click on Settings.
- Once logged into Beyond Identity Admin UI, click on Settings -> Console Login-> Admin Console SSO Integrations and click on Add OIDC SSO.
- Please configure the following fields for Admin Console SSO Integrations.
- Name: Admin Console SSO - Okta
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL) (Remember to not have a trailing slash after issuer URL)
- Token Field: sub
- Token Field Lookup: external id
- Scopes: Select all [Alternately select Profile, email] - Optional
- A user must also be assigned an Admin role to be able to access the Beyond Identity Admin console.
- To assign a role to a user, Navigate to Settings -> Console Access Control -> Click on a predefined admin role (In this case we are selecting “Super Administrators”)
- Once the role has been selected, Click on “Assign Access role to users” and type in the name of the user that requires admin access.
- Select Assign users to role to promote the user to Admin
- Alternatively you could assign user groups to Admin roles.
- To assign a role to a user group, Navigate to Settings -> Console Access Control -> Click on one of the predefined admin role
- Once the role has been selected, Click on the “Groups” tab.
- Click on “Assign Access role to Groups” and type in the name of the Group or select the Group from the dropdown that requires admin access.
- Once selected, Click on “Assign groups to role” to save the changes.
- After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console through Okta SSO.
Step 7: Setup Federated SSO for User Authentication:
- Once logged into Beyond Identity Admin UI, click on the “Integrations” tab and then click on OIDC Clients.
- Click on “Add OIDC Client” and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.
- Name: Okta SSO
- Redirect URIs: https://<okta-tenant-name>.okta.com/oauth2/v1/authorize/callback
- Token Signing Algorithm: RS256
- Auth Method: Client_secret_post
- Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.
- On the “Integrations” tab, click on “Okta” and then click on Install for “Okta Registration Attribute”.
- Fill in the Okta Domain and Okta API Token for your tenant. Also, update “Okta Registration Attribute” with the default value of “byndidRegistered” or the value chosen by your organization in Step 1. Click on “Save Changes”.
Step 8: Configure Beyond Identity as the Identity Provider
- In the main Okta menu, select “Security”.
- In the “Security” drop-down, select “Identity Providers”.
- In the “Identity Providers” tab, click “Add Identity Provider”.
- From the next screen, select ‘OpenID Connect Identity Provider’ and select ‘Next’
- Select fields as seen in reference images below:
- Name: Beyond Identity
- IdP Usage: SSO only
- Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
- Client Secret: (Paste Client Secret copied from Beyond Identity Admin Console in previous step.)
- Scopes: openid (Remove any additional scopes.)
- Issuer: https://auth.byndid.com/v2
- Authorization endpoint: https://auth.byndid.com/v2/authorize
- Token endpoint: https://auth.byndid.com/v2/token
- JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json
- Userinfo endpoint: https://auth.byndid.com/v2/userinfo
- NOTE! The endpoints are different for the US vs. EU. For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
- Under Authentication Settings:
- Set IdP Username field as “idpuser.externalId”.
- Set Match Against field as “Okta Username”.
- Account Link Policy: Automatic
- Auto-Link Restrictions: None
- Set “If no match is found” field to “Redirect to Okta Sign-in Page”.
- Select “Finish” to save changes.
- See images below for reference:
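The values in Steps 4, 6, 7 and 8 are copied by hand between two consoles, and the guide names the mistakes that break the federation: a trailing slash on the Okta issuer, extra scopes on the Okta IdP, US and EU Beyond Identity hosts mixed together, or a Redirect URI that is not the Okta tenant's OIDC callback. The following checker is an added example, not Beyond Identity's or Okta's code; it encodes exactly those rules from the guide and runs offline on a dictionary of the values you intend to enter. The tenant name `example-tenant` and the config key names are constructed for the example.

```python
"""Consistency checks for the OIDC values copied between Okta and Beyond Identity.

Added example, not Beyond Identity's or Okta's code. The rules are the ones the
guide states: all Beyond Identity endpoints on one regional host and under the
issuer path, no trailing slash on the Okta issuer, Okta IdP scopes exactly
"openid", and the Beyond Identity OIDC client's Redirect URI equal to
https://<okta-tenant>.okta.com/oauth2/v1/authorize/callback.
"""
from urllib.parse import urlparse

# Regional Beyond Identity auth hosts named in the guide (US and EU).
BI_AUTH_HOSTS = ("auth.byndid.com", "auth-eu.byndid.com")
BI_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
OKTA_CALLBACK_PATH = "/oauth2/v1/authorize/callback"


def check_config(cfg: dict) -> list:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []

    # Beyond Identity values entered into the Okta IdP (Step 8).
    bi_issuer = cfg["bi_issuer"]
    bi_host = urlparse(bi_issuer).hostname
    if bi_host not in BI_AUTH_HOSTS:
        problems.append(f"bi_issuer host {bi_host!r} is not a Beyond Identity auth host")
    for name in BI_ENDPOINTS:
        url = cfg[name]
        host = urlparse(url).hostname
        if host != bi_host:
            problems.append(f"{name} is on {host!r} but the issuer is on {bi_host!r} (US/EU mix?)")
        elif not url.startswith(bi_issuer.rstrip("/") + "/"):
            problems.append(f"{name} {url!r} is not under the issuer path {bi_issuer!r}")
    if list(cfg["okta_idp_scopes"]) != ["openid"]:
        problems.append(f"Okta IdP scopes must be exactly ['openid'], got {cfg['okta_idp_scopes']!r}")

    # Okta values entered into Beyond Identity (Steps 4, 6 and 7).
    okta_issuer = cfg["okta_issuer"]
    parsed = urlparse(okta_issuer)
    if okta_issuer.endswith("/"):
        problems.append("okta_issuer has a trailing slash")
    if parsed.scheme != "https" or not parsed.hostname:
        problems.append(f"okta_issuer {okta_issuer!r} is not an https URL")
    expected_redirect = okta_issuer.rstrip("/") + OKTA_CALLBACK_PATH
    if cfg["bi_client_redirect_uri"] != expected_redirect:
        problems.append(f"bi_client_redirect_uri should be {expected_redirect!r}")
    return problems


# The US values from the guide; the Okta tenant name is constructed.
GUIDE_US_CONFIG = {
    "bi_issuer": "https://auth.byndid.com/v2",
    "authorization_endpoint": "https://auth.byndid.com/v2/authorize",
    "token_endpoint": "https://auth.byndid.com/v2/token",
    "jwks_uri": "https://auth.byndid.com/v2/.well-known/jwks.json",
    "userinfo_endpoint": "https://auth.byndid.com/v2/userinfo",
    "okta_idp_scopes": ["openid"],
    "okta_issuer": "https://example-tenant.okta.com",
    "bi_client_redirect_uri": "https://example-tenant.okta.com/oauth2/v1/authorize/callback",
}

# A constructed copy with three of the mistakes the guide warns about.
BROKEN_CONFIG = dict(
    GUIDE_US_CONFIG,
    okta_issuer="https://example-tenant.okta.com/",
    token_endpoint="https://auth-eu.byndid.com/v2/token",
    okta_idp_scopes=["openid", "profile"],
)

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_US_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_config(cfg) or "OK")
```

Run it against your own values before clicking “Finish” in Step 8; every problem it prints corresponds to one note in the guide above.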
Step 9: Configure OIDC client for Step-Up authentication (Required only for Step-up Authentication)
- Repeat all of the actions from Step 8 to create an OIDC provider for Step-Up authentication WITH THE EXCEPTION of specifying a different name and selecting IdP Usage: Factor only
Step 10: Set up Routing Rules
- Click on Security-> Identity Providers
- Select “Routing Rules”
- Click on “Add Routing Rule” and set the following parameters.
- Rule Name: Beyond Identity Auth
- Default value for User IPs, Device Platform, Applications
- Set User Matches to “User Attribute” and “byndidRegistered Equals true”
- Note: These values are case sensitive. Ex. “True” will not work but “true” will.
- Set “Then Use the Identity Provider” as “Beyond Identity”.
- Click “Save and Activate Rule”.
- This rule should be the first rule.
- See images below for reference:
- Ensure your newly created Routing Rule has the highest precedence
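Steps 8 and 10 together decide, for every sign-in, which identity provider a user is sent to and how the returned identity is tied back to an Okta account. The following model is an added example, not Okta's or Beyond Identity's code, and Okta's real rule engine is not public: it reproduces the routing rule (`byndidRegistered Equals true`, first rule wins), the case-sensitivity note, and the Step 8 link settings (IdP Username `idpuser.externalId` matched against Okta Username, automatic linking, otherwise “Redirect to Okta Sign-in Page”). The comparison of the rule literal against the attribute's JSON spelling is an assumption chosen to reproduce the note that “True” does not match while “true” does; the users `alice` and `bob` are constructed.

```python
"""Model of the sign-in decisions configured in Steps 8 and 10.

Added example, not Okta's or Beyond Identity's code. Assumption: an
"Equals" routing rule compares its literal with the JSON spelling of the
profile attribute, so Boolean true matches "true" but not "True".
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutingRule:
    name: str
    attribute: str   # Okta profile attribute, e.g. byndidRegistered (Step 1)
    equals: str      # literal typed into the rule; case-sensitive
    idp: str         # "Then Use the Identity Provider" value


@dataclass(frozen=True)
class IdpSettings:
    name: str
    idp_username: str = "idpuser.externalId"
    match_against: str = "login"  # "Okta Username" is the login attribute
    if_no_match: str = "Redirect to Okta Sign-in Page"


def attribute_equals(profile: dict, attribute: str, literal: str) -> bool:
    """Model of 'User Attribute ... Equals <literal>' (see assumption above)."""
    return attribute in profile and json.dumps(profile[attribute]) == literal


def select_idp(rules, profile: dict, default: str = "Okta") -> str:
    """Rules run in precedence order and the first match wins; with no match the
    user stays on Okta's own sign-in, which is why the Beyond Identity rule must
    have the highest precedence (Step 10)."""
    for rule in rules:
        if attribute_equals(profile, rule.attribute, rule.equals):
            return rule.idp
    return default


def link_account(idp: IdpSettings, idp_claims: dict, directory: list):
    """Automatic account linking: the IdP username (externalId) must equal an
    existing Okta Username; otherwise the 'If no match is found' action applies."""
    claim = idp.idp_username.split(".", 1)[1]          # "externalId"
    idp_username = idp_claims.get(claim)
    if idp_username is not None:
        for user in directory:
            if user.get(idp.match_against) == idp_username:
                return ("linked", user["login"])
    return ("redirect", idp.if_no_match)


def sign_in(username: str, directory: list, rules, idp: IdpSettings, idp_claims=None):
    """One sign-in: username entered at Okta -> routing rule -> IdP -> account link."""
    profile = next((u for u in directory if u["login"] == username), {})
    chosen = select_idp(rules, profile)
    if chosen != idp.name:
        return ("okta", chosen)        # not routed to Beyond Identity
    return link_account(idp, idp_claims or {}, directory)


# Constructed sample directory: alice is enrolled (Step 1 attribute set), bob is not.
DIRECTORY = [
    {"login": "alice@example.com", "byndidRegistered": True},
    {"login": "bob@example.com", "byndidRegistered": False},
]
RULES = [RoutingRule("Beyond Identity Auth", "byndidRegistered", "true", "Beyond Identity")]
BI_IDP = IdpSettings(name="Beyond Identity")

if __name__ == "__main__":
    print(sign_in("alice@example.com", DIRECTORY, RULES, BI_IDP, {"externalId": "alice@example.com"}))
    print(sign_in("bob@example.com", DIRECTORY, RULES, BI_IDP))
    print(select_idp([RoutingRule("wrong case", "byndidRegistered", "True", "Beyond Identity")],
                     DIRECTORY[0]))
```

The last call shows the failure mode from the note in Step 10: with the literal “True” the enrolled user silently falls back to Okta's own sign-in, which is easy to mistake for a problem on the Beyond Identity side.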
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “+” sign next to the user's name in the column titled “Not Members”.
- Click Save.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider. See image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator.
- See example image below:
User Authentication (Signing in)
- Each enrolled user can visit their Okta instance or any application supported by your SSO to sign into their corporate applications.
- The Okta application or SSO-supported application will ask the user to enter their username.
- Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
- The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.
- Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” Group.
- Click on Directory -> Groups
- Select the “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “-” sign next to the user's name in the column titled “Members”.
- Click Save.
Appendices
Appendix A: Creating a token in Okta
The image below is an example of an administrator view in Okta and illustrates the actions listed below:
- Sign into the Okta portal as an administrator.
- Once signed in, select “Classic UI” from the drop-down menu on the left side of the top-most bar.
- In the main menu bar for Okta, select “Security”.
- In the “Security” drop-down menu, select “API”.
- In the “API” section, select the “Tokens” tab.
- Click “Create Token”.
- In the “Create Token” form, provide your name for the token (e.g. Beyond Identity).
Appendix B: Opening a ticket to enable OpenID Connect IDP connections in Okta
The image below is an example of how to open a case with Okta requesting them to enable OpenID IDP Connections in Okta Sandbox and Production environments.
- Navigate to Okta’s Open Case Center at https://support.okta.com/help/s/opencase.
- Create a case with the following information:
- Request Type: Okta org request
- Subject: Enable OIDC Provider Type
- Detailed Description: (see example description below)
- Please enable the "OIDC IdP" type on my Okta organization. My Organization Id is: <ORG_ID>
- Steps to reproduce: (see example below)
- This would normally show up under: "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"
- Scope: Whole organization affected
- Business impact: (see example below)
- Unable to enable integration
- Priority: P3 - Non critical issue
- Okta org: Select from the list the organizations where Beyond Identity will be integrated.
- Case email: Your own email
- Phone number: Your phone number
- Add contact to team: <Can be left empty>
- Add attachment: <Not required>