Introduction

This guide provides information on how to:

• Set up Beyond Identity as a passwordless authentication solution for your Google Workspace environment.
• Set up Google Workspace to use Beyond Identity as an Identity Provider.

 

Before you begin

This section enumerates some items you should be aware of before configuring Google as an SSO provider with Beyond Identity.

• Users who are administrators in Google Workspace cannot use IdP Delegation and must always use their Google password as their primary factor of authentication.
• Multi-Factor options are limited in Google Workspace in comparison to most SSO providers. Beyond Identity cannot be used as a multi-factor step-up option for continuous authentication.
• Google does not currently support Beyond Identity for SCIM provisioning. The Beyond Identity team is currently working to get the BI solution into the Google Marketplace to enable this functionality. 

 

Prerequisites

Ensure that you have the following:

1. A Google Administrator account to
   1. Add/edit users into Google Directory
   2. Add/edit Identity Providers in Security > Authentication > Set up single-on (SSO) with a 3rd party IdP 

Beyond Identity Configuration

Information to provide to the Beyond Identity Field Team:

 

Information you will receive from the Beyond Identity Field Team:

Beyond Identity Configuration

To configure Beyond Identity as the IdP in Google, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.

• Create Groups for Beyond Identity Admins & Test users
• Configure Beyond Identity Admin Console & User Console as Service Provider Apps

 

1. Set up GOOGLE DIRECTORY Groups 

 

Beyond Identity service assignment is required for IT Admin and End Users. The following steps describe how to create BI_Admins, and BI_Users groups and assign users to those groups.

1. Login to Google WorkSpace admin console as an Administrator.
2. On the homepage of the Google Workspace Admin console, select Directory > Groups.
3. On the Groups page click on “Create group”.

 

 

4. Create a new Beyond Identity Admins group by selecting the following parameters.
   1. Name: BI_Admins
   2. Group Email: bi_admins@<customer-domain-name>
   3. Description: Beyond Identity Admins
   4. Group Owner: Select Appropriate member as the group owner.
   5. Check Security label checkbox
   6. Click on “Next” to create this group.

 

 

5. On the “Group Settings” Page set following parameters:
   1. Deselect all permissions from “External”, “Entire Organization” and “Group Members” Columns.
   2. Only “Group Owners” & “Group Manager” should have permissions for Access Settings and Membership settings.
   3. Who Can join the group: Only Invited Users
   4. Click “Next” to create this group.

 

6. Add members to the “BI_Admins” group.
7. On the Groups page click on “Create group”.
8. Create a new Beyond Identity Users group by selecting the following parameters.
   1. Name: BI_Users
   2. Group Email: bi_users@<customer-domain-name>
   3. Description: Beyond Identity Users
   4. Group Owner: Select Appropriate member as the group owner.
   5. Check Security label checkbox
   6. Click on “Create Group”.
9. On the “Group Settings” Page set following parameters:
   1. Deselect all permissions from “External”, “Entire Organization” and “Group Members” Columns.
   2. Only “Group Owners” & “Group Manager” should have permissions for Access Settings and Membership settings.
   3. Who Can join the group: Only Invited Users
   4. Click on “Create Group”.

 

 

10.  For both BI_Admins and BI_Users group, click on group name and then group information dropdown. Click to edit the labels and ensure “Security” is checked. (There may be additional labels in there.)

l

2. Google SSO Information for Beyond Identity APPS

1. Login to Google WorkSpace admin console (https://admin.google.com) as an Administrator.
2. On the homepage of the Google Workspace Admin console, select Security -> SSO with SAML Applications.
3. Please note SSO URL, and Entity ID and download certificate or Download Metadata file.

 

 

3. Setup Admin Console Access in Beyond Identity Support Console

1. Provide “SSO URL”, “Entity ID” and “SAML Signing Certificate” or “IdP Metadata” file collected from the previous step to the Beyond Identity field team. The Beyond Identity team will collect and populate those values using Beyond Identity Support Console.
2. Beyond Identity Field Team: Please configure following fields through Beyond Identity Support Console while updating Admin Console SSO Configuration.
   1. Click on “Add SAML SSO”
   2. Upload XML file from the previous step or populate the following fields.
   3. Name: Google SSO
   4. IdP Url: https://accounts.google.com/o/saml2/idp?idpid=xxxxx  (Provided by the customer as SSO URL)
   5. IdP Entity Id: https://accounts.google.com/o/saml2?idpid=xxxx (Provided by the customer as Entity ID)
   6. Name ID Format: emailAddress (select from the pull-down menu)
   7. Subject User Attribute: UserName
   8. Request Binding: http redirect
   9. Upload the Certificate (Base64)
3. Please note “SP Single Sign-on URL” and “SP Issuer” field and provide to the customer. This information will be needed in the next step.

4. Setup Beyond Identity Admin Console Application in Google

1. On the homepage of the Google Workspace Admin console, select Apps > Web and Mobile Apps
2. Select ‘Add App’, and on the drop down, select ‘Add custom SAML app’

 

3. Name the application and App icon as follows:
   1. App Name: “Beyond Identity Admin Console”
   2. App icon: Upload Beyond Identity Logo provided by Beyond Identity field team.
   3. Click on the “Continue” button in the lower right corner to go to the next step.
4. On the Google Identity Provider Details tab Click on the “Continue” button in the lower right corner to go to the next step.

 

5. On the Service Provider Details tab populate following fields.
   1. ACS URL: (e.g. https://admin.byndid.com/auth/saml/<Connection-ID>/sso) Enter value provided by Beyond Identity Field team.
   2. Entity ID: (e.g. https://admin.byndid.com/auth/saml/<Connection-ID>/sso/metadata.xml) Enter value provided by Beyond Identity Field team.
   3. Start URL: https://admin.byndid.com/auth/?org_id=<BI_Tenant_Name> (Replace BI_Tenant_Name with value provided by BI Field team)
   4. Ensure Signed Response is unchecked
   5. Certificate: from pull down select Google certificate used to sign assertion.
   6. Name ID Format: EMAIL (select from pull down menu)
   7. Name ID: Basic Information > Primary email (select from pull down menu)
   8. Click on the “Continue” button in the lower right corner to go to the next step.

6. On the “Attribute mapping” tab Select ‘Finish’. There is no need to map any attributes.

7. On the Beyond Identity Admin Console App’s page under “user access” click on the down arrow to configure “service status”. 
   1. Under Organization Units, select “Off for everyone”.
   2. Under Groups search for “BI_Admins” group and set “Service Status” to ON.
   3. Click on Save.
8. After these values are provisioned, login and confirm that the admin (user from the BI_Admins group) can login to the Beyond Identity Admin Console (https://admin.byndid.com)

5. Setup Beyond Identity User Portal Authentication

1. Once logged into Beyond Identity Support Portal UI, click on Settings -> SSO -> User Console SSO Integration and click on Edit.
2. Please configure the following fields for User Console Authentication.
   1. Click on “Add SAML SSO”
   2. Click on “Upload XML” or populate the following fields as shown below.
   3. Name: Google SSO
   4. IdP Url: https://accounts.google.com/o/saml2/idp?idpid=xxxxx  (Provided by the customer as SSO URL)
   5. IdP Entity Id: https://accounts.google.com/o/saml2?idpid=xxxx (Provided by the customer as Entity ID)
   6. Name ID Format: emailAddress (select from the pull-down menu)
   7. Subject User Attribute: UserName
   8. Upload the Certificate (Base64) (Provided by the customer as Entity ID)
3. Click on Save Changes.
4. Please note “SP Single Sign-on URL” and “SP Issuer” field which is required in Step-6.6.

 

6. Setup Beyond Identity User Console Application in Google

1. Login to Google WorkSpace admin console (https://admin.google.com) as an Administrator.
2. On the homepage of the Google Workspace Admin console, select Apps > Web and Mobile Apps
3. Select ‘Add App’, and on the drop down, select ‘Add custom SAML app’

 

4. Name the application and App icon as follows,
   1. App Name: “Beyond Identity User Console”
   2. App icon: Upload Beyond Identity Logo provided by Beyond Identity field team.
   3. Click on the “Continue” button in the lower right corner to go to the next step.
5. On the Google Identity Provider Details tab Click on the “Continue” button in the lower right corner to go to the next step.

 

6. On the Service Provider Details tab perform populate following fields.
   1. ACS URL: (e.g. https://user.byndid.com/auth-user/saml/<connection-id>/sso) Enter value provided by Beyond Identity Field team.
   2. Entity ID: (e.g. https://user.byndid.com/auth-user/saml/<connection-id>/metadata.xml) Enter value provided by Beyond Identity Field team.
   3. Start URL: https://user.byndid.com/auth-user/?org_id=<BI_Tenant_Name> (Replace BI_Tenant_Name with value provided by BI Field team)
   4. Certificate: from pull down select Google certificate used to sign assertion.
   5. Name ID Format: EMAIL (select from pull down menu)
   6. Name ID: Basic Information > Primary email (select from pull down menu)
   7. Click on the “Continue” button in the lower right corner to go to the next step.
   8. Ensure that “Signed response” is turned off

 

7. On the “Attribute mapping” tab Select ‘Finish’. There is no need to map any attributes

9. On the Beyond Identity User Console App’s page under “user access” click on the down arrow to configure “service status”. 

1. Under Organization Units, select “Off for everyone”.
2. Under Groups search for “BI_Users” group and set “Service Status” to ON.
3. Click on Save.

 

7. Setup Beyond Identity Service for USER AUTHENTICATION

1. Once logged into Beyond Identity Admin Console UI, click on “Integrations” tab and then click on “SAML”.
2. Click on “Add SAML Connection” and update the fields as following:
   1. Name: Beyond Identity IdP
   2. SP Single on URL: https://www.google.com/a/<google-domain-name>/acs (Replace google domain name with customer’s domain name. e.g. zeropw.app
   3. SP Audience URI: https://google.com
   4. Name ID Format: emailAddress
   5. Subject User Attribute: UserName
   6. Request Binding: http-redirect
   7. Signed Response: Signed
   8. Authentication Context Class: x509
   9. Click on “Save Changes”.

 

 

3. Note down the following fields from the recently created SAML Connection. This will be required in the next step.
   1. IdP Id (Beyond Identity Connection ID)
   2. IdP Single Sign-On URL: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso
   3. IdP Issuer: https://auth.byndid.com/saml/v0/<BI-Connection-ID>/sso/metadata.xml
   4. Download IdP Signature Certificate

 

8. SETUP Beyond Identity as a 3rd Party IdP in the Google Admin Console

1. In the Google Admin Console, on the top left menu drop down, select Security > Authentication -> SSO with third party IdP -> Third-Party SSO Profile
   1. Click “Add SSO Profile”
   2. Enable “Set up SSO with third party Identity Provider”.
   3. Update “Sign-In page URL” field with “IdP Single Sign-On URL” from the previous step. 
   4. Leave the sign-out page as https://www.google.com (unless there is another preferred sign-out page)
   5. Select ‘REPLACE CERTIFICATE’ and upload the IdP certificate you uploaded from the Beyond Identity Admin console in the previous step.
   6. Click “Save”

 

 

2. In the Google Admin Console, on the top left menu drop down, select Security > Authentication -> SSO with third party IdP -> Manage SSO Profile Assignments.
   1. For the top Organization Unit select SSO Profile assignment as follows.
   2. SSO Profile Assignment: None (User Sign in with Google)
   3. Click on Save.
3. In the Google Admin Console, on the top left menu drop down, select Security > Authentication -> SSO with third party IdP -> Manage SSO Profile Assignments.
   1. Under Groups select “BI_Users” group.
   2. For the “Manage SSO Profile Assignments” select “Organization's third-party SSO profile”
   3. Click on Override.
4. In the Google Admin Console, on the top left menu drop down, select Security > Authentication -> SSO with third party IdP -> Domain-specific Service URLs.
   1. Click “Require users to enter their username on Google’s sign-in page first”.
   2. Click “Save”.

 

5. In the Google Admin Console, on the top left menu drop down, select Security > Authentication -> SSO with third party IdP -> Third-party SSO Profiles
   1. Click on Beyond Identity
   2. Copy SP Details Entity ID and SP Details ACS URL.
   3. Go to Beyond Identity Admin Console configuration Step 7.2 and modify SP SSO URL and SP Audience URI and Save the changes.

Note: SP Entity ID from Google goes in the SP Audience URI field in BI and SP ACS URL from Google goes in the SP SSO URL field in BI (these values are in opposite order in the 2 screens).

 

9. Configure SCIM for User & Group Provisioning

Google Workspace does not support SCIM for non-gallery applications currently. We are working with Google to enable this feature for Beyond Identity.

 

10. Turn on 2-step verification (Optional)

If you wish to turn on 2-step verification in addition to BI passwordless, here are the steps: 

 

1. First, turn on 2-step verification for the Admin account by going to Account > Security settings.
2. As an end-user, turn on 2-step verification for one of the users by going to Account > Security settings.
3. As an Admin, go to Authentication > 2-step verification, select correct OU, select "Allow users to turn on 2-Step Verification", Enforcement "on", select other options as desired, SAVE 
4. As an Admin, go to Login Challenges > Select Correct OU, Post SSO verification, select "Logins using SSO are subject to additional verifications (if appropriate) and 2-Step Verification (if configured)", OVERRIDE. 
5. Test.

11. Setting up test users

 

10.1 User Enrollment

1. To enroll a user in the Beyond Identity experience, assign the user to the “BI_Users” Group.
   1. Click on Directory -> Groups
   2. Select the “BI_Users” group.
   3. Click on “Add Members”.
   4. Find Users and assign them to this group.
   5. Click “Add to Group”.
2. Create Users in Beyond Identity Directory with following Parameters:
   1. External ID (e.g. same as username)
   2. Email
   3. Username
   4. Display Name

3. Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
   1. See image below for reference:

 

 

4. Each enrolled user will be asked to follow the two steps below:
   1. Step 1: Download the Beyond Identity Authenticator to their device.
      1. When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
      2. Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
   2. Step 2: Register their Credential in the Beyond Identity IdP.
      1. By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator. 
      2. See example image below:

 

 

10.2 User Authentication (Signing in)

1. Each enrolled user can visit any application supported by your SSO to sign into their corporate applications. 
2. The SSO-supported application will ask the user to enter their username. 
3. Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user.
4. The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will display.

 

10.3 User Deprovisioning

1. To deprovision a user from the Beyond Identity experience, remove the user from the “BI_Users” Group.
   1. Click on Directory -> Groups
   2. Select the “BI_Users” group.
   3. Click on “Manage Members”.
   4. Click on the “-” sign next to the user's name in the column titled “Members”.
   5. Click “Remove Members”.
2. To remove or suspend users from Beyond Identity cloud, login to the admin console and go to the Users tab.
   1. Select the user by clicking on their name.
   2. Once on the user specific page, click deactivate to suspend the user or “Delete User” to permanently delete the user from Beyond Identity cloud.