This guide provides information on how to:
- Set up Beyond Identity as an MFA factor for your Okta environment with Okta Identity Engine.
Ensure that you have the following:
- A working Beyond Identity Okta integration, where Beyond Identity passwordless authentication is already used as the first factor. (Refer to the Beyond Identity Integration Guide for Okta to complete that configuration before proceeding with this guide.)
- Okta URL details and Admin privileges for the corresponding Okta org and the Beyond Identity org.
- Okta “IdP Authenticator” MFA feature is enabled. This is found under Security > Authenticators > Setup > Add Authenticator > IdP.
- This is an Early Access Feature. To enable it, contact Okta Support.
- There is another similar sounding feature named “Custom OIDC Factor” which is currently in Beta. We don’t need that. We need the “IdP Authenticator”.
IdP Authenticator configuration
There are four primary steps to set up Beyond Identity as an MFA:
- Set up Beyond Identity Console for MFA Authentication
- Add Beyond Identity as the Identity Provider for use as MFA
- Set up Beyond Identity as an Authenticator
- Add a Multifactor Policy
- Add an Authentication Policy
Step 1: Set up Beyond Identity Console for MFA Authentication
- Once logged into the Beyond Identity Admin UI, click on the “Integrations” tab and then click on OIDC Clients.
- Click on “Add OIDC Client”, fill in the Name and Redirect URIs fields, and leave the default values for Token Signing Algorithm and Auth Method, as shown below.
Name: Okta Critical Apps Second Factor
Redirect URIs: https://<okta_org>.okta.com/oauth2/v1/authorize/callback
- Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.
Step 2: Create new user group to be used for MFA
In the Okta dashboard, navigate to Directory -> Groups -> Add Group
- Name the group: Beyond Identity MFA
Next, in the Groups tab select the user group created during Okta integration (group name should be something like Beyond Identity Users Group) and copy the group ID that appears in the URL (see screenshot below). Use it in step 3b. below.
Navigate to Directory -> Groups -> Rules -> +Add Rule
- Rule Name: Beyond Identity MFA
- IF: Use Okta Expression Language
Language expression: isMemberOfAnyGroup("<Okta unique identifier>") and user.byndidRegistered == "true"
Ensure you are using the Okta unique identifier saved from the previous step.
- THEN Assign to: Beyond Identity MFA
Step 3: Add Beyond Identity as the Identity Provider for use as MFA
Note: You would already have configured Beyond Identity as an OIDC provider for the first factor. Now, you will be adding the same for use as MFA.
The image below is an example of an administrator view in Okta and illustrates the actions listed below to navigate to the Identity Providers section:
- In the main Okta menu, select “Security”.
- In the “Security” drop-down, select “Identity Providers”.
- In the “Identity Providers” tab, click “Add Identity Provider”.
- Select “Add OpenID Connect IdP”.
- Select fields as seen in reference images below:
- Name: Beyond Identity MFA
- IdP Usage: Factor only
- Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
- Client Secret: (Paste Client Secret copied from Beyond Identity Admin Console in previous step.)
- Scopes: openid (Remove any additional scopes.)
- Issuer: https://auth.byndid.com/v2
- Authorization endpoint: https://auth.byndid.com/v2/authorize
- Token endpoint: https://auth.byndid.com/v2/token
- JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json
- Userinfo endpoint: https://auth.byndid.com/v2/userinfo
NOTE! The endpoints are different for the US vs. EU.
For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
- Click on “Show Advanced Settings”.
- Set IdP Username field as “idpuser.externalId”.
- See images below for reference:
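The Step 3 field values can be checked mechanically before they are saved, which catches mixed US/EU endpoints, leftover scopes and a Client ID pasted into the Client Secret field. The Python lint below is an added example, not part of the Beyond Identity or Okta documentation; the dictionary keys are hypothetical names for the form fields, the endpoint paths are assumed to be identical on the EU host, and the credentials are constructed placeholders.

```python
from urllib.parse import urlsplit

# Hosts named in the guide for the US and EU authentication services.
REGION_HOSTS = {"auth.byndid.com": "US", "auth-eu.byndid.com": "EU"}
# Paths from Step 3; assumed (not confirmed by the guide) to match on the EU host.
EXPECTED_PATHS = {
    "issuer": "/v2",
    "authorization_endpoint": "/v2/authorize",
    "token_endpoint": "/v2/token",
    "jwks_endpoint": "/v2/.well-known/jwks.json",
    "userinfo_endpoint": "/v2/userinfo",
}

def lint_idp_settings(cfg):
    """Return findings for a dict of Step 3 form values (hypothetical key names)."""
    findings, regions = [], set()
    for key, path in EXPECTED_PATHS.items():
        url = urlsplit(cfg.get(key, ""))
        region = REGION_HOSTS.get(url.hostname)
        if url.scheme != "https" or region is None:
            findings.append(f"{key}: not an https URL on a known Beyond Identity host")
        elif url.path != path or url.query or url.fragment:
            findings.append(f"{key}: expected path {path}")
        if region:
            regions.add(region)
    if len(regions) > 1:
        findings.append("endpoints mix US and EU hosts")
    if cfg.get("idp_usage") != "Factor only":
        findings.append("idp_usage: expected 'Factor only'")
    if cfg.get("scopes") != ["openid"]:
        findings.append("scopes: expected only 'openid'")
    if cfg.get("idp_username") != "idpuser.externalId":
        findings.append("idp_username: expected idpuser.externalId")
    if cfg.get("client_secret") in (None, "", cfg.get("client_id")):
        findings.append("client_secret: missing or same value as client_id")
    return findings

def settings_for(host):
    """Build a correct set of Step 3 values for one region host (placeholder credentials)."""
    cfg = {key: f"https://{host}{path}" for key, path in EXPECTED_PATHS.items()}
    cfg.update(idp_usage="Factor only", scopes=["openid"], idp_username="idpuser.externalId",
               client_id="example-client-id", client_secret="example-client-secret")
    return cfg

# Constructed sample: an EU tenant whose token endpoint was left on the US host
# and whose extra scope was not removed.
SAMPLE = settings_for("auth-eu.byndid.com")
SAMPLE["token_endpoint"] = "https://auth.byndid.com/v2/token"
SAMPLE["scopes"] = ["openid", "email"]

if __name__ == "__main__":
    print("\n".join(lint_idp_settings(SAMPLE)))
```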
Step 4: Set up Beyond Identity as an Authenticator
- In the Okta main menu navigate to Security → Authenticators → Setup → Add Authenticator
- Select “IdP Authenticator” and for the IdP select the Beyond Identity MFA created in step 2
Step 5: Add Multifactor Policy
- In the Okta main menu navigate to Security → Authenticators → Enrollment → Add Multifactor Policy
- Policy Name: Beyond Identity Multi Factor
- Assign to groups: Beyond Identity MFA
- Eligible authenticators
- Beyond Identity MFA: required
- All others: optional
- After the policy has been saved, a rule dialog box will appear. Fill in the following values:
- Rule name: BI per app MFA
- Leave all other values the same and save the rule
Step 6: Add Authentication Policy
- In the Okta main menu, navigate to Security → Authentication Policies → Add Policy
- Policy Name: Beyond Identity Per App MFA
- Once the policy has been created, select the policy and edit the Catch-all Rule
- Under the THEN heading, change the value for “AND User must authenticate with” to: Password/IdP
- Save changes
- Under the BI Per App MFA authentication policy, create a new rule by selecting Add Rule
- Rule Name: Beyond Identity MFA
- Users group membership includes
- Select: At least one of the following groups
- Choose Beyond Identity MFA group
- Under the THEN section make the following selection
- AND User must authenticate with: Password/IdP + Another factor
- Under Re-Authentication frequency make the following selections:
- Password re-authentication frequency is: Never re-authenticate if the session is active
- Re-authentication frequency for all other factors is: Every sign-in attempt
- Ensure the configuration matches the screenshots below
- Under the BI Per App MFA select the Applications tab
- Select Add app
- Search for the Beyond Identity Admin Portal app and select Add.
MFA Enrollment on first Use
- Log in to your Okta end user dashboard and click on Beyond Identity Admin Portal.
- You will be prompted to set up your MFA.
- Click on “Configure factor”.
- Click on Enroll.
- You will be prompted to complete the Beyond Identity MFA factor enrollment by entering your local biometrics.
- Once this factor enrollment is complete, you will be prompted to enroll in the optional MFA factor (Okta Verify). You can skip it and click on Finish.
- You will be prompted again to authenticate using the newly enrolled MFA.
- After the certificate-based authentication is complete, you will be prompted for your local biometrics.
- Once the biometrics check is completed, you will be signed in to the Beyond Identity Admin Console.
Using MFA with Beyond Identity User Console
If the customer wants to use Beyond Identity MFA with the Beyond Identity User Console, you will need to complete the following steps to ensure that new users with no credential are not prompted to enroll in MFA:
- Create a new user group called “Beyond Identity Enrolled Users”.
- Navigate to the Beyond Identity user group that is assigned to the Beyond Identity User portal and copy/save the group ID.
- In Okta, navigate to Directory → Groups → Rules and create a new rule.
- Name this rule Beyond Identity Enrolled Users.
- Select “Use Okta Expression Language”.
- Use “isMemberOfAnyGroup("") and user.byndidRegistered == true” as the rule and copy in the group ID saved from step 2 between the double quotes.
- Assign this rule to the “Beyond Identity Enrolled Users” group.
- Now you can create an MFA policy for the Beyond Identity User portal and only users who have registered with Beyond Identity will be asked to enroll in Beyond Identity MFA