Introduction
This guide provides information on how to:
- Set up Beyond Identity as an MFA factor for your Okta environment.
Prerequisites
Ensure that you have the following:
- A working Beyond Identity Okta integration, where Beyond Identity passwordless authentication is already used as the first factor. (Refer to the Beyond Identity Integration Guide for Okta to complete that configuration before proceeding with this guide.)
- Okta URL details and Admin privileges for the corresponding Okta org and the Beyond Identity org.
- Okta “IdP Factor” MFA Feature is enabled.
- This is an Early Access Feature. To enable it, contact Okta Support.
- There is another similar sounding feature named “Custom OIDC Factor” which is currently in Beta. We don’t need that. We need the “IdP Factor”.
IdP Factor configuration
There are four primary steps to set up Beyond Identity as an MFA:
- Set up Beyond Identity Console for MFA Authentication
- Add Beyond Identity as the Identity Provider for use as MFA
- Enable the IdP factor at tenant level, create policy, and rule for factor enrollment
- Enable MFA as a sign-on Policy per app
Step 1: Set up Beyond Identity Console for MFA Authentication
- Once logged into Beyond Identity Admin UI, click on “Integrations” tab and then click on OIDC Clients.
- Click on “Add OIDC Client” and fill in the Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.
Name: Okta Critical Apps Second Factor
Redirect URIs: https://<okta_org>.okta.com/oauth2/v1/authorize/callback
- Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.
Step 2: Add Beyond Identity as the Identity Provider for use as MFA
Note: You would already have configured Beyond Identity as an OIDC provider for the first factor. Now, you will be adding the same for use as MFA.
The image below is an example of an administrator view in Okta and illustrates the actions listed below to navigate to the Identity Providers section:
- In the main Okta menu, select “Security”.
- In the “Security” drop-down, select “Identity Providers”.
- In the “Identity Providers” tab, click “Add Identity Provider”.
- Select “Add OpenID Connect IdP”.
- Select fields as seen in reference images below:
- Name: Beyond Identity MFA
- IdP Usage: Factor only
- Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
- Client Secret: (Paste Client Secret copied from Beyond Identity Admin Console in previous step.)
- Scopes: openid (Remove any additional scopes.)
- Issuer: https://auth.byndid.com/v2
- Authorization endpoint: https://auth.byndid.com/v2/authorize
- Token endpoint: https://auth.byndid.com/v2/token
- JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json
- Userinfo endpoint: https://auth.byndid.com/v2/userinfo
- NOTE: The endpoints are different for the US vs. EU. For Beyond Identity’s EU services use auth-eu.byndid.com and api-eu.byndid.com.
- Click on “Show Advanced Settings”.
- Set IdP Username field as “idpuser.externalId”.
- See images below for reference:
Advanced Settings:
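As an added example (not Beyond Identity or Okta code), the check below lints the values collected in Steps 1 and 2 against what the guide prescribes: factor-only usage, the single openid scope, the idpuser.externalId mapping, the Okta callback URI, and all five endpoints on the same regional host so a US/EU mix is caught. The dictionary keys and the okta_org parameter are assumptions for this example.

```python
"""Lint for the Okta 'Beyond Identity MFA' OIDC IdP settings from Steps 1-2.
Added example, not vendor code; the cfg field names are assumptions."""
from urllib.parse import urlparse

# Per-region Beyond Identity hosts named in the guide (US default, EU alternative).
REGION_HOSTS = {"us": "auth.byndid.com", "eu": "auth-eu.byndid.com"}
PATHS = {
    "issuer": "/v2",
    "authorization_endpoint": "/v2/authorize",
    "token_endpoint": "/v2/token",
    "jwks_endpoint": "/v2/.well-known/jwks.json",
    "userinfo_endpoint": "/v2/userinfo",
}


def expected_endpoints(region):
    """Build the five endpoint URLs for one region so every field shares one host."""
    host = REGION_HOSTS[region]
    return {key: f"https://{host}{path}" for key, path in PATHS.items()}


def check_idp_config(cfg, okta_org):
    """Return a list of findings; an empty list means the settings match the guide."""
    findings = []
    if cfg.get("idp_usage") != "Factor only":
        findings.append("IdP Usage must be 'Factor only' for an MFA-only IdP")
    if set(cfg.get("scopes", [])) != {"openid"}:
        findings.append("scopes must be exactly ['openid']")
    if cfg.get("client_id") == cfg.get("client_secret"):
        findings.append("client_secret equals client_id: the secret was not pasted")
    if cfg.get("idp_username") != "idpuser.externalId":
        findings.append("IdP Username must be idpuser.externalId")
    callback = f"https://{okta_org}.okta.com/oauth2/v1/authorize/callback"
    if cfg.get("redirect_uri") != callback:
        findings.append("redirect URI does not match the Okta org callback")
    # Derive the region from the issuer host, then require every endpoint to match it.
    issuer_host = urlparse(cfg.get("issuer", "")).hostname
    region = next((r for r, h in REGION_HOSTS.items() if h == issuer_host), None)
    if region is None:
        findings.append(f"issuer host {issuer_host!r} is not a known Beyond Identity region")
        return findings
    for key, url in expected_endpoints(region).items():
        if cfg.get(key) != url:
            findings.append(f"{key} should be {url} for the {region.upper()} region")
    return findings
```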
Step 3: Enable the IdP factor at tenant level, create policy, and rule for factor enrollment
In this step, we will enable the IdP factor. It is advisable that you configure multiple MFA factors, so that users have the option to fall back to another factor in case one of the factors is not working. Therefore, we will also configure Okta Verify and SMS Authentication.
Please note: If a customer already has another MFA factor enabled, you do not need to configure an additional one; you can move forward with enabling Beyond Identity MFA.
- From the admin dashboard, navigate to Security > Multifactor.
- Click on Okta Verify and select Activate (Optional)
- Click on SMS Authentication and select Activate (Optional)
- Click on IdP Factor to use an Identity Provider (IdP) integration as an authenticator and Select Activate.
- Click Edit and Select “Beyond Identity MFA” from the pull down menu.
- Click Save
- On the Multifactor page click on the “Factor Enrollment” tab and add the IdP factor to your org's factor enrollment policy.
- Click on Add Multifactor Policy
- Policy name: Beyond Identity MFA Policy
- Policy description: Beyond Identity MFA Policy
- Assign to groups: Beyond Identity
- Eligible Factors
- Okta Verify: Optional
- SMS Authentication: Disabled
- IdP Factor: Required
- Click Create Policy.
- Add Rule
- Rule Name: Beyond Identity MFA Rule
- THEN clause Enroll on multi-factor: select the first time a user signs in
- Leave other fields to the default values.
- Click Create Rule
- PLEASE NOTE: Some tenants may have an option for User Is Accessing. In this case, please ensure they select
- Okta
- Applications (and select Any application that supports MFA enrollment)
- On the Multifactor page click on the “Factor Enrollment” tab, click on “Default Policy”, and edit “Default Policy” as follows.
- Under “Eligible Factors” mark “IdP Factor” as disabled if you do not want to enable Beyond Identity MFA by default for all users.
- IdP Factor: Disabled
- Leave other parameters unchanged.
- Click Update Policy.
Step 4: Enable MFA as a sign-on Policy per app
In this step we are enabling MFA for “Beyond Identity Admin Portal”. Please follow these steps for the application for which you would like to enable MFA.
- From Okta Admin Portal, Go to Applications > Applications > Beyond Identity Admin Portal
- Click on the “Sign On” tab.
- On the “Sign on” tab scroll down to the “Sign On Policy” section.
- Click “Add Rule” and enter the following details:
- Rule Name: “Per App MFA”
- “Who does this rule apply to?”, select “Users assigned this app”
- Under the “Access” section
- Select “Prompt for factor”
- Select “Every sign on”
- Leave other sections with default value.
- Click Save.
Testing MFA
MFA Enrollment on first Use
- Login to your Okta end user dashboard and click on Beyond Identity Admin Portal.
- You will be prompted to set up your MFA.
- Click on “Configure factor”.
- Click on “Enroll”
- You will be prompted to complete the Beyond Identity MFA factor enrollment by entering your local biometrics.
- Once this factor enrollment is complete, you will be prompted to enroll in the optional MFA factor (Okta Verify).
- You can skip it and click on Finish.
- You will be prompted again to authenticate using the newly enrolled MFA.
- Click “Verify”.
- After the certificate-based authentication is complete, you will be prompted for your local biometrics.
- Once the biometrics check is completed, you will be signed in to the Beyond Identity Admin Console.
Using MFA with Beyond Identity User Console
If the customer wants to use Beyond Identity MFA with the Beyond Identity User Console, you will need to complete the following steps to ensure new users with no credential are not prompted to enroll in MFA.
- Create a new user group called “Beyond Identity Enrolled Users”
- Navigate to the Beyond Identity user group that is assigned to the Beyond Identity User portal and copy/save the group ID
- In Okta navigate to Directory → Groups → Rules and create a new rule
- Name this rule Beyond Identity Enrolled Users
- Select “Use Okta Expression Language”
- Use “IsMemberOfAnyGroup("") and user.byndidRegistered == true” as the rule, pasting the group ID saved from step 2 between the double quotes
- Assign this rule to the “Beyond Identity Enrolled Users” group
- In Step 3 Part 8, replace the user group with the newly created “Beyond Identity Enrolled Users” group
- Now you can create an MFA policy for the Beyond Identity User portal and only users who have registered with Beyond Identity will be asked to enroll in Beyond Identity MFA