Introduction
About
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your PingFederate environment.
- Set up PingFederate to use Beyond Identity as an Identity Provider.
- Set up PingFederate to provision users in Beyond Identity Cloud using SCIM.
Prerequisites
Ensure that you have the following:
- A PingFederate account with admin privileges to:
  - Add/edit IdP Connections in Service Provider -> IdP Connections
  - Add/edit Authentication Policy Contracts in Service Provider -> Policy Contracts
  - Add/edit Authentication Policies in Service Provider -> Policies
  - Configure the Data Store
Information you will need during deployment
Information to provide to the Beyond Identity Field Team

| Item | Value | Notes |
| --- | --- | --- |
| Your Company Name | | |
| Your PingFederate instance admin URL, e.g., https://[pingfed-instance-host]/pingfederate/app | | |
| Beyond Identity Admin Console Application credentials: SSO Client Id, SSO Client Secret | | |
| Beyond Identity User Console Application credentials: SSO Client Id, SSO Client Secret | | This will be updated by the customer directly in the Beyond Identity Admin Console UI. |
| (Optional) A logo for your corporation | | Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; accepted file types: SVG, PNG, JPG, or GIF |

Information to receive back from the Beyond Identity Field Team

| Item | Value |
| --- | --- |
| Beyond Identity IdP endpoint URL: Issuer | https://auth.byndid.com/v2 |
| Beyond Identity IdP endpoint URL: Authorization endpoint | https://auth.byndid.com/v2/authorize |
| Beyond Identity IdP endpoint URL: Token endpoint | https://auth.byndid.com/v2/token |
| Beyond Identity IdP endpoint URL: JWKS endpoint | https://auth.byndid.com/v2/.well-known/jwks.json |
| Client ID | [From Beyond Identity Admin Console] |
| Client Secret | [From Beyond Identity Admin Console] |
| SCIM API Bearer Token | [From Beyond Identity SE] |
| Beyond Identity Org ID [Tenant] | [From Beyond Identity SE] |
| SCIM API endpoint | https://api.byndid.com/scim |
PingFederate Configuration
To configure Beyond Identity as the IdP in PingFederate, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for test users.
Add Beyond Identity User Group
From the PingFederate admin console, click “Data Stores” and identify the data store to be used. In the LDAP data store (Active Directory), create a group named “Beyond Identity Users”. Depending on the data store in use, create the group with the corresponding GUI or CLI tool, for example ADSI Edit or ldapmodify. After the group has been created successfully, its attributes look like the following:
- dn: e.g., CN=Beyond Identity Users,CN=Users,DC=beyondadfs,DC=com
- objectClass: top
- objectClass: group
- cn: Beyond Identity Users
Using the GUI or CLI, add users as members of this group. Members will be synchronized to Beyond Identity using PingFederate SCIM outbound provisioning.
Set up the Beyond Identity Admin Console Application in PingFederate
First create an access token manager in the PingFederate admin console under Applications -> Access Token Management -> Create New Instance. The access token manager created in this example is called “bidtoken”. Set it as the DEFAULT ACCESS TOKEN MANAGER when configuring the admin console application.
In the PingFederate admin console, use Applications -> OAuth -> Clients to set up the client. The key input items are:
- CLIENT AUTHENTICATION: client secret
- Client ID: e.g., rrlabs-pingfederate
- CLIENT SECRET: select “CHANGE SECRET” and click “Generate Secret”. Share this with Beyond Identity.
- REDIRECT URIS: https://admin.byndid.com/auth/callback
- ALLOWED GRANT TYPES: Authorization code
- DEFAULT ACCESS TOKEN MANAGER: bidtoken
Set up Beyond Identity Admin Console Access
Beyond Identity Field Team: please configure the following fields through the Beyond Identity Support Console when updating the Admin Console Configuration.
- Name: Pingfederate BI admin console
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://[pingfederate-instance-host]:[port] (provided by the customer as the issuer URL)
- Token Field: sub
- Token Field Lookup: user_name
Set up the Beyond Identity User Console Application in PingFederate
In the PingFederate admin console, use Applications -> OAuth -> Clients to set up the Beyond Identity User Console Application. The key input items are:
- CLIENT AUTHENTICATION: client secret
- Client ID: e.g., rrlabs-pingfederate-user-portal
- CLIENT SECRET: select “CHANGE SECRET” and click “Generate Secret”. Share this with the Beyond Identity field team.
- REDIRECT URIS: https://user.byndid.com/auth-user/callback
- ALLOWED GRANT TYPES: Authorization code
- DEFAULT ACCESS TOKEN MANAGER: bidtoken
Set up the Beyond Identity User Console OIDC client
Once logged into the Beyond Identity Admin Console UI, click Settings -> SSO -> User Console SSO Integrations and click Edit.
Configure the following fields for the User Console SSO Integration.
- Name: RRLABS PF BI user portal
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://pingfed.byndid.me:9031
- Token Field: sub
- Token Field Lookup: user_name
Set up the Beyond Identity Admin Console OIDC client
Once logged into the Beyond Identity Admin Console UI, click the “Integrations” tab and then click OIDC Clients.
Click “Add OIDC Client”, fill in the Name and Redirect URI fields, and leave the default values for Token Signing Algorithm and Auth Method, as shown below.
- Name: Pingfederate OIDC
- Redirect URIs: for example, https://pingfed.byndid.me:9031/sp/eyJqD3ROiJodHRwczpcL1wvYXV0aC5ieW5kaWQuY29tXC92MiJ9/cb.openid. If the real value is not available yet, use a placeholder like the one above and replace it with the actual Redirect URI once the PingFederate side of the configuration is complete.
- Token Signing Algorithm: RS256
- Auth Method: Client_secret_basic
- Client ID: copy the Client ID and use it in the following section.
- Client Secret: copy the Client Secret and use it in the following section.
Create password credential validators
PingFederate uses password credential validators to validate the usernames and passwords entered in HTML forms. We create a password credential validator of type “LDAP Username Password Credential Validator”, to be used by users who are not yet enrolled with the BI authenticator.
From the PingFederate admin console, create the validator. The example validator created for this guide is named “adpwdcredvalidator”.
Create IdP adapters
An IdP adapter is used to look up session information and provide user identification to PingFederate.
In the PingFederate admin console menu, click “IdP Adapters” to create an IdP adapter.
We create two HTML Form IdP adapters that are used in the authentication policies. The instance names are:
- formidpadapter
- formNoBYID
The IdP adapter links the password credential validator and the HTML form templates used in the sign-on flow. For example, “formidpadapter” uses “adpwdcredvalidator”.
The adapter is configured to use the following HTML templates.
These adapters are used in the authentication policies.
Configure Beyond Identity as the Identity Provider in PingFederate
Create Beyond Identity IdP Connection
The image below is an example of an administrator view in PingFederate and illustrates the actions listed below to navigate to the IdP Connection creation:
- Sign in to the PingFederate portal as an administrator.
- In the main PingFederate menu, select Authentication -> IdP Connections.
- On the IdP Connections page, select “Create Connection”.
- On the IdP Connection page, Connection Type tab, select “Browser SSO Profiles” and the protocol “OpenID Connect”.
- On the Connection Options tab, select only “Browser SSO” and click Next.
- On the General Info tab, add the following information for each field described and leave the remaining fields empty or at their default values.
  - Issuer: https://auth.byndid.com/v2
  - Click the “Load Metadata” button next to the Issuer field.
  - You will see the “Metadata Successfully loaded” message next to the “Load Metadata” button.
  - Connection Name: Beyond identity
  - Client ID: <Use the value recorded in the previous step>
  - Client Secret: <Use the value recorded in the previous step>
  - Company: “Beyond Identity Inc.”
  - Error Message: “errorDetail.spSsoFailure” (default value)
  - Transaction Logging: “Standard” (default value)
  - Click Save.
- On the Browser SSO tab, click the “Configure Browser SSO” button.
- On the IdP Connection -> Browser SSO page, User-Session Creation tab, click the “Configure Protocol Settings” button.
- On the IdP Connection -> Browser SSO -> User-Session Creation page, Identity Mapping tab, select “Account Mapping” and click Next.
- On the IdP Connection -> Browser SSO -> User-Session Creation page, Attribute Contract tab, leave the default values and click Next.
- On the IdP Connection -> Browser SSO -> User-Session Creation page, Summary tab, review the changes and click Save.
- On the IdP Connection -> Browser SSO page, Protocol Settings tab, click the “Configure Protocol Settings” button.
- On the IdP Connection -> Browser SSO -> Protocol Settings page, OpenID Provider Info tab, configure the following fields and leave the remaining fields empty or at their default values.
  - Scopes: openid
  - Authorization Endpoint: https://auth.byndid.com/v2/authorize
  - OpenID Connect Login Type: Code
  - Authentication Scheme: Basic
  - Token Endpoint: https://auth.byndid.com/v2/token
  - JWKS URL: https://auth.byndid.com/v2/.well-known/jwks.json
  - Leave the remaining fields unchanged.
  - Click Save.
- Click Next on the IdP Connection -> Browser SSO -> Protocol Settings -> Overrides tab.
- Click Save on the IdP Connection -> Browser SSO -> Protocol Settings -> Summary tab.
- On the IdP Connection -> Summary page, note down the “Redirect URI” value and provide it to the Beyond Identity field team (the value shown here is just an example).
Create Authentication Policy Contract
- In the main PingFederate menu, select Authentication -> Policies.
- Under Policy Contracts, select Create New Contract.
- On the Authentication Policy Contract page, Contract Info tab, enter “bidcontract” as the Contract Name and click Next.
- On the Authentication Policy Contract page, Contract Attribute tab, leave the default Attribute Contract value “Subject” and click Next.
- Verify the information on the Authentication Policy Contract page, Summary tab, and click Save.
Create Authentication Policy for BI admin console
- In the main PingFederate menu, select Authentication -> Policies.
- Click the “Add Policy” button.
- On the Authentication -> Policies -> Policy page, make the following changes to create a new policy.
  - Name: “bndid admin console authentication policy - rrlabs” (example)
  - On the Authentication -> Policies -> Policy page, click the Policy pulldown menu, select “Selectors” and then select “bndid admin console authentication rrlabs”. This is an “OAuth Client Set Authentication Selector” configured with the client ID “BI admin portal (rrlabs-pingfederate)”.
- For the “No” branch, select “Continue”.
- For the “Yes” branch, select “IdP Adapters” from the pulldown menu, then select “formidpadapter”.
- Under “formidpadapter”, click “Rules” and configure the following rule.
This adds another path to the policy tree named “BEYOND IDENTITY”. Under this branch, choose “IdP Connections” from the drop-down and select “RRlabs beyond identity”. For the “Fail” branch, choose “Done”; for the “Success” branch, select the local identity profile “Beyond Identity”. For the “Success” branch of “formidpadapter”, select the same local identity profile.
The local identity profile is created as below.
Click “Local Identity Mapping” under the “Success” branch of “BEYOND IDENTITY” and complete the contract fulfillment as below.
Click “Local Identity Mapping” under the “Success” branch of “formidpadapter” and complete the contract fulfillment as below. In this example, the subject is mapped to the username from the adapter.
The finished policy tree looks like the following.
Create Authentication Policy for BI user console
- In the main PingFederate menu, select Authentication -> Policies.
- Click the “Add Policy” button.
- On the Authentication -> Policies -> Policy page, make the following changes to create a new policy.
  - Name: “bndid user console authentication policy - rrlabs” (example)
  - On the Authentication -> Policies -> Policy page, click the Policy pulldown menu, select “Selectors” and then select “bndid user console authentication rrlabs”. This is an “OAuth Client Set Authentication Selector” configured with the client ID “RR Labs BI user portal (rrlabs-pingfederate-user-portal)”.
- For the “No” branch, select “Continue”.
- For the “Yes” branch, select “IdP Adapters” from the pulldown menu, then select the “formNoBYID” adapter.
- For the “Fail” branch under the “formNoBYID” adapter, select “Done”. For the “Success” branch, select “Policy Contracts” from the drop-down and select “bidcontract”.
- Click “Contract Mapping” and complete the mapping as shown below.
The finished policy looks like the following.
Set up outbound SCIM provisioning
Objectives:
- Provision the members of a group, for example CN=Beyond Identity Users,CN=Users,DC=Beyondadfs,DC=com, from the data store configured in PingFederate to Beyond Identity.
- Provision the nested group “Beyond Identity SCIM Groups”, which has groups as its members.
- Requires PingFederate 10.3.4, which supports SCIM 2.0 and SCIM PATCH updates of groups.
- Navigate to Applications -> SP Connections. Click Create Connection.
- Select Outbound Provisioning, Connection Template: No Template, and Type: SCIM Connector, then click Next.
- Change the connection name to “Beyond Identity Provisioning”. Click Next.
- On the next screen we configure the values needed to connect to the SCIM server and select which users will be provisioned. Click “Configure Provisioning”.
- Enter the following values in the SP Connections -> Configure Channels screen:
  - SCIM URL: https://api.byndid.com/scim
  - SCIM Version: 2.0
  - Authentication Method: OAuth 2 Bearer Token
  - Access Token: your Tenant API Token, supplied by Beyond Identity when your tenant was created. Contact your PingFederate administrator or Beyond Identity support if you need to obtain this value.
  - All other configuration fields can be customized for your environment or left at their default values, as shown below.
- On the following screen we create a Channel configuration. Channels poll a data store connection and run a filter against the existing accounts; the resulting users are provisioned into your organization’s Beyond Identity environment. Click Create.
- Under Channel Name, type “BeyondIdentity provisioning” and click Next.
- Select the data store connection “BeyondADFS” that will be used to select the user accounts to be provisioned into your organization’s Beyond Identity account. Click Next.
- Configure the Source Settings as necessary for your data store connection. The settings shown below are known-good defaults for an Active Directory connection. Click Next when done.
- Create the “Beyond Identity SCIM Groups” group using the Active Directory Users and Computers console. This must be done on the host that runs Active Directory.
- Add the groups that need to be synced as members of this group, for example “Beyond Identity Users”, “Beyond Identity Admins”, and any other groups as required.
- The following screen configures which user accounts and groups the SCIM Connector reads from your directory to provision into your organization’s Beyond Identity account. The example filter provided provisions users added to a group called “Beyond Identity Users” into the Beyond Identity cloud directory.
Configuration values:

| Section | Field | Value |
| --- | --- | --- |
| | Base DN | Base DN where user accounts are located in the data store (e.g., DC=Beyondadfs,DC=com) |
| Users | Group DN | |
| Users | Filter | (required) LDAP filter for user accounts, e.g., (memberOf=CN=Beyond Identity users,CN=Users,DC=Beyondadfs,DC=com) |
| Users | Nested Search | Select “Nested Search” |
| Groups | Group DN | CN=Beyond Identity SCIM Groups,CN=Users,DC=beyondadfs,DC=com |
| Groups | Filter | |
| Groups | Nested Search | Select “Nested Search” |

Click Next when done.
- The following screen configures how directory attributes for each account are mapped to SCIM attributes as they are provisioned into your organization’s Beyond Identity account.
  Make any necessary changes here and click Next when done.
  externalId is mapped to the employeeID attribute. It can be mapped to any unique attribute from the source directory as required, for example objectGUID, employee number, etc.
- The following screen is the Summary page. Review the settings below, change the Channel Status switch to Active, and click Done when finished.
- The following screen shows the newly created channel. Click Done.
- The following screen shows the completed Outbound Provisioning settings. Click Next.
- The following screen shows a summary of the settings configured for SCIM. Review the configuration, then change the switch at the top of the page to ON to activate the SCIM Connector. Click the Save button at the bottom of the page when done.
- This concludes the configuration. A new connection is displayed under the Applications -> SP Connections screen, as shown below.
  The SCIM Connector’s channel starts provisioning user accounts at a frequency determined by the setting under System -> Server -> Protocol Settings -> Outbound Provisioning -> Synchronization Frequency (secs).
- Check PF_INSTALL_DIR/pingfederate/log/provisioner.log to troubleshoot any issues with provisioning.
- Log in to your organization’s Beyond Identity Administration page.
  Provisioned users are shown under the Users tab.
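As an added example (not part of this guide, PingFederate or Beyond Identity), the following Python dry run models what the Users and Groups channels configured above select from the directory: the (memberOf=...) filter with and without Nested Search, the nested “Beyond Identity SCIM Groups” container, and the externalId <- employeeID mapping, flagging any account whose externalId would be empty. The directory entries, the Contractors subgroup and the userName <- mail mapping are constructed assumptions.

```python
BASE_DN = "CN=Users,DC=beyondadfs,DC=com"
USERS_GROUP = f"CN=Beyond Identity Users,{BASE_DN}"       # group used by the Users channel filter
CONTRACTORS = f"CN=Contractors,{BASE_DN}"                  # assumed subgroup nested in USERS_GROUP
SCIM_GROUPS = f"CN=Beyond Identity SCIM Groups,{BASE_DN}"  # Group DN of the Groups channel
ADMINS_GROUP = f"CN=Beyond Identity Admins,{BASE_DN}"

def _user(cn, employee_id=None):
    attrs = {"objectClass": ["top", "person", "user"], "mail": [f"{cn.lower()}@beyondadfs.com"]}
    if employee_id:
        attrs["employeeID"] = [employee_id]
    return f"CN={cn},{BASE_DN}", attrs
def _group(dn, members):
    return dn, {"objectClass": ["top", "group"], "member": list(members)}

# Constructed sample directory: Dave has no employeeID; Carol is a member only via Contractors.
DIRECTORY = dict([
    _user("Alice", "E1001"), _user("Bob", "E1002"), _user("Carol", "E1003"), _user("Dave"),
    _group(USERS_GROUP, [f"CN={cn},{BASE_DN}" for cn in ("Alice", "Bob", "Dave")] + [CONTRACTORS]),
    _group(CONTRACTORS, [f"CN=Carol,{BASE_DN}"]),
    _group(ADMINS_GROUP, [f"CN=Alice,{BASE_DN}"]),
    _group(SCIM_GROUPS, [USERS_GROUP, ADMINS_GROUP]),
])

def is_group(dn):
    return "group" in DIRECTORY[dn]["objectClass"]

def walk_members(group_dn, nested, seen=None):
    """Yield member DNs of group_dn; with nested=True also descend into member groups."""
    seen = set() if seen is None else seen
    for m in DIRECTORY.get(group_dn, {}).get("member", []):
        if m in seen:
            continue  # guards against membership cycles
        seen.add(m)
        yield m
        if nested and is_group(m):
            yield from walk_members(m, True, seen)

def select_users(group_dn, nested):
    """Users channel: (memberOf=<group_dn>), with or without the Nested Search option."""
    return sorted(m for m in walk_members(group_dn, nested) if not is_group(m))
def select_groups(container_dn, nested):
    """Groups channel: groups that are members of container_dn, with or without Nested Search."""
    return sorted(m for m in walk_members(container_dn, nested) if is_group(m))

def to_scim_user(dn):
    """Mapping from the guide: externalId <- employeeID (userName <- mail is an assumption)."""
    a = DIRECTORY[dn]
    if not a.get("employeeID"):
        raise ValueError(f"{dn}: employeeID missing, externalId would be empty")
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "externalId": a["employeeID"][0], "userName": a["mail"][0], "active": True}

def dry_run(nested=True):
    """Return (SCIM users, group display names, skipped reasons) the channel would push."""
    users, skipped = [], []
    for dn in select_users(USERS_GROUP, nested):
        try:
            users.append(to_scim_user(dn))
        except ValueError as err:
            skipped.append(str(err))
    groups = [dn.split(",")[0][3:] for dn in select_groups(SCIM_GROUPS, nested)]
    return users, groups, skipped
```

Running dry_run(nested=False) drops Carol and the Contractors group, which is what the channel would do if “Nested Search” were left unchecked; the skipped list is the kind of account that later shows up as an error in provisioner.log.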
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, add the user to the “Beyond Identity Users” group in Active Directory.
- Each enabled user will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- See the image below for reference.
- Each enabled user is asked to follow the two steps below:
  - Step 1: Download the Beyond Identity app (ByndID’s endpoint application) to their device.
    - When the user clicks “View Download Options”, the Beyond Identity app download page opens in a browser with all supported platforms displayed.
    - The user should download and install the Beyond Identity app on their device if they have not already done so.
    - Once the app is installed on the device, the user should proceed to Step 2, as there is not yet a user profile associated with the app on that device.
  - Step 2: Register their profile in the Beyond Identity IdP.
    - By clicking Step 2, “Register New Profile”, the user’s profile is enrolled in the Beyond Identity service on the back end. On the front end, the user is taken to the Beyond Identity app, where they can see the progress of their profile registration. Once it completes, the user sees a success message in the app.
    - See the example image below.
User Authentication (Logging in)
- Each enrolled user can visit any application supported by your SSO to sign in to their corporate applications.
- The SSO-supported application asks the user to enter their username.
- Once the username is submitted, a prompt to use or open “Beyond Identity” for authentication is displayed to the user.
- The user should accept the prompt to be signed in to their application without the use of a password. The Beyond Identity app opens and displays a success notification.
- Note: on iOS devices, some application sign-in flows require the user to exit the Beyond Identity app and return to their application after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity IdP, or to revert a user to password-based authentication, make the following change:
  - Remove the user from the “Beyond Identity Users” group in Active Directory.
Additional PingFederate BI Integrations
PingFederate with BI as Step-up Authentication
PingFederate SCIM Server Guide