Introduction

This guide provides information on how to:

• Set up Beyond Identity as a passwordless authentication solution for your OneLogin environment.
• Set up OneLogin to use Beyond Identity as an Identity Provider.

 

Prerequisites

Ensure that you have the following:

 

1. A OneLogin workforce SKU Advanced or Pro bundle. This SKU is required for setting up provisioning and configuring the BI authenticator as an authentication factor.
2. A OneLogin account with “Superadmin” privileges.

 

Beyond Identity Configuration

Information to provide to the Beyond Identity Field Team:

 

Information you will receive from the Beyond Identity Field Team

OneLogin Configuration

To configure Beyond Identity as the IdP in OneLogin, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.

Step 3: Setup Beyond Identity Admin Console Application in OneLogin

1. Click on Applications -> Applications -> Add Application
2. In Search window type “Beyond Identity Admin Console”
3. Select App with title “Beyond Identity Admin Console”.

 

4. Click Save.
5. In the “Configuration” section, update following fields
   1. Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
   2. Redirect URI’s: https://admin.byndid.com/auth/callback
6. In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.

 

Step 4: Setup Admin Console Access

1. Provide “Client ID” and “Client Secret” assigned to Admin Console Application in OneLogin to Beyond Identity SE. The Beyond Identity team will collect and populate those values using BI admin console 
2. After these values are provisioned, login and confirm that admin has access to Beyond Identity Admin Console.

 

Step 5: Setup Beyond Identity User Console Application in OneLogin

1. Click on Applications -> Add Application
2. In Search window type “Beyond Identity User Console”
3. Select App with title “Beyond Identity User Console”.

 

4. Click Save.
5. In the “Configuration” section, update following fields
   1. Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
   2. Redirect URI’s: https://user.byndid.com/auth-user/callback
   3. API Connection > API Status > Enabled
   4. SCIM Bearer Token: <Provided_by_Beyond_Identity>
6. In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.
7. In the “Provisioning” section, select “Enable provisioning”

 

Step 6: Setup Beyond Identity User Portal Authentication

1. Once logged into Beyond Identity Admin Console, click on Settings.

 

 

2. Click on “SSO” tab > User Console SSO Integration > Add OIDC SSO

 

 

3. Update Name, Client Id, Client Secret (from the previous step) and Issuer.
4. Enter issuer as “https://[your_domain].onelogin.com/oidc/2”
5. Enter Token Field as “sub” and select Token Field Lookup as “external_id”.
6. Click “Save Changes”.

 

Step 7: Setup Beyond Identity for User Authentication:

1. Once logged into Beyond Identity Admin Console, click on the “Integrations” tab and then click on OIDC Clients.
2. Click on “Add OIDC Client” and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.

Enter https://[your_domain].onelogin.com/access/idp as the Redirect URIs

 

 

3. Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.

Step 8: Configure Beyond Identity as the Identity Provider

1. In the main OneLogin menu, select “Authentication”.
2. In the “Authentication” drop-down, select “Trusted IdPs”.
3. On the “Trusted IdPs” page, click “New Trust”. 

 

4. Enter the following information:
   1. Name: Beyond Identity
   2. Scroll down and select Protocol: OAUTH
   3. Enable “Trusted IDP” [enable this only after selecting the Protocol OAUTH]
   4. Enable “Show in Login panel”
   5. Login icon: 

https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png

6. Issuer: https://auth.byndid.com/v2
7. Enable “Sign users into OneLogin”
8. Enable “Sign users into additional applications”
9. Enable “Send Subject Name ID or Login Hint in Auth Request”
10. User Attribute Mapping: Email
11. Authentication Endpoint: https://auth.byndid.com/v2/authorize
12. Token Endpoint Auth Method: POST
13. Token endpoint: https://auth.byndid.com/v2/token
14. User Information Endpoint: https://auth.byndid.com/v2/userinfo
15. Scopes: opened email
16. Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
17. Client Secret: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
18. Click “Save”

Step 9: Set up Routing Rules

1. Set up the IdP as the default Trusted IdP by selecting the IdP and clicking on “More Actions”.
2. Otherwise, click on individual users, and select the IdP under the “Authentication” tab.

 

Step 10: Set up BI as the Trusted IDP for specific groups

BI as the trusted IDP  can be assigned at the user level or based on a mapping condition. The mapping condition can be based on any user attribute, for example department, role, or group, etc. The example below shows creating a mapping based on a condition “department=testing”. If the condition matches, the group, and user trusted IDP is set.

1. Login to onelogin admin console as administrator. Navigate to Users > Groups. Click on “New Group”.

 

2. Enter “bi-trusted-idp” as the name and click “Save”.

3. Navigate to Users > Mapping. Click on “New Mapping”.

Enter “bi-trusted-idp” as the name of the mapping. In the conditions drop-down, choose “department”. In the middle drop-down, choose “equals”. Enter “testing” in the text box under “Conditions”.

 

 

Under “Actions”, Choose “Set group” in the first drop-down and choose “bi-trusted-idp” in the second drop-down. Click on the sign to add a second action. Choose “Set user Trusted IdP” in the first drop down and choose the BI IDP you set up in step 8. Click “Save”

Step 11: Create a Role

1. Create a Role “Beyond Identity” and add the 2 applications “Beyond Identity Admin Console” and “Beyond Identity User Console” to it.
   1. Click on Users > Roles > New Role
   2. Name it “Beyond Identity”
   3. Click on the 2 apps listed under “Select Apps to Add”
   4. Click on “Save”

Setting BI as an onelogin authentication factor [to be used as MFA] - Optional

Step 1: Setup Beyond Identity OIDC client for onelogin MFA:

1. Once logged into Beyond Identity Admin Console, click on the “Integrations” tab and then click on OIDC Clients.
2. Click on “Add OIDC Client” and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.

Enter https://nopwd.onelogin.com/mfa/v1/idp/auth_callback as the Redirect URIs

 

 

3. Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.

Step 2: Configure Beyond Identity as the Identity Provider

1. In the main OneLogin menu, select “Authentication”.
2. In the “Authentication” drop-down, select “Trusted IdPs”.
3. On the “Trusted IdPs” page, click “New Trust”. 

 

4. Enter the following information:
   1. Name: Beyond Identity
   2. Scroll down and select Protocol: OAUTH. 
   3. Enable “Trusted IDP” [enable this only after selecting the Protocol OAUTH]
   4. Issuer: https://auth.byndid.com/v2
   5. Enable “Sign users into OneLogin”
   6. Enable “Sign users into additional applications”
   7. Enable “Send Subject Name ID or Login Hint in Auth Request”
   8. User Attribute Value: {tidp.sub}
   9. User Attribute Mapping: Username
   10. Authentication Endpoint: https://auth.byndid.com/v2/authorize
   11. Token Endpoint Auth Method: POST
   12. Token endpoint: https://auth.byndid.com/v2/token
   13. User Information Endpoint: https://auth.byndid.com/v2/userinfo
   14. Scopes: openid
   15. Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
   16. Client Secret: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
   17. Click “Save”

 

Step 3: Create BI as an authentication factor in onelogin

Login to Onelogin admin console as administrator. 

Navigate to Security > Authentication Factors

 

Click on “New Auth Factor”

In the “Select a Strong Authentication Factor” screen, click on “Trusted Idp as a Factor”

 

In the “Add Trusted IdP as Factor” screen, Enter a description for user description and choose the trusted IDP created in step 1 above. 

Click on “Save”

 

 

Step 4: Create onelogin security policy with MFA factor set to BI trusted IDP

Login to onelogin admin console as administrator. 

Navigate to Security > Policies. 

Click on “New User Policy”

 

 

Enter “bi-second-factor” as the name of the policy. In “Login Flow” blade, choose “Standard”

 

 

In the “MFA” blade, select “OTP Auth required” and “Trusted IDP as factor” and others as shown below.

 

 

Under “Enforcement settings”, choose “All users” for “OTP required for” and “At every login” for “OTP required at”.

Click on “Save”

 

Step 4: Create onelogin mapping to map security policy with MFA factor to a group

The security policy can be assigned at the user level or a group level. Group level assignment is recommended.

Login to Onelogin admin console as administrator. 

Navigate to Users > Groups. 

Click on “New Group”

 

Enter a name for the group, for example “bi-second-factor”. Under “Security policy” drop down choose “bi-second-factor”. Click “Save”

 

Members of the “bi-second-factor” group when logging in will be challenged for username/password as the first factor and BI Trusted IdP as the second factor.

 

 

Setting up test users

 

User Enrollment

1. To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Role.
   1. Click on “Users”
   2. Select a user
   3. Click on “Applications”
   4. Click on “Beyond Identity” Role to select it.

 

2. Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
   1. See image below for reference:

 

 

3. Each enrolled user will be asked to follow the two steps below:
   1. Step 1: Download the Beyond Identity Authenticator to their device.
      1. When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
      2. Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
   2. Step 2: Register their Credential in the Beyond Identity IdP.
      1. By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator. 
      2. See example image below:

 

 

User Authentication (Signing in)

1. Each enrolled user can visit their OneLogin instance, or any application supported by your SSO to sign into their corporate applications. 
2. The OneLogin application or SSO-supported application will ask the user to click on the “Beyond Identity” icon (sign in with Beyond Identity).
   1. Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.

 

User Deprovisioning

1. To deprovision a user from the Beyond Identity experience, remove user from the “Beyond Identity” Role.
   1. Click on “Users”
   2. Select a user
   3. Click on “Applications”
   4. Click on “Beyond Identity” Role to deselect it.