Skip to main content

Integration Guide for OneLogin

Ayesha Sultana
  • Updated

Introduction

This guide provides information on how to:

  • Set up Beyond Identity as a passwordless authentication solution for your OneLogin environment.
  • Set up OneLogin to use Beyond Identity as an Identity Provider.

 

Prerequisites

Ensure that you have the following:

  1. A OneLogin account with “Superadmin” privileges.

 

Beyond Identity Configuration

Information to provide to the Beyond Identity Field Team:

 

Your Company Name  

Your OneLogin Instance URL

e.g. https://[your-domain].onelogin.com

  

Beyond Identity Admin Console Application credentials

SSO Client Id

SSO Client Secret

  

Beyond Identity User Console Application credentials

SSO Client Id

SSO Client Secret

 This will be updated by the customer directly using the Beyond Identity Admin Console.

(Optional) A logo for your corporation

Logo requirements:

300 x 150 pixels or less

File size of 10kb or less

File types accepted: SVG, PNG, JPG, or GIF

  




Information you will receive from the Beyond Identity Field Team

Beyond Identity IdP endpoint URLs:

Issuer

Authorization endpoint

Token endpoint

Userinfo endpoint

https://auth.byndid.com/v2

https://auth.byndid.com/v2/authorize

https://auth.byndid.com/v2/token

https://auth.byndid.com/v2/userinfo
Client ID [From Beyond Identity Console]
Client Secret [From Beyond Identity Console]
SCIM API Bearer Token [From Beyond Identity SE]
Beyond Identity Org ID [From Beyond Identity SE]
SCIM API endpoint

https://api.byndid.com/scim/v2/Users

https://api.byndid.com/scim/v2/Groups



OneLogin Configuration

To configure Beyond Identity as the IdP in OneLogin, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.

Step 3: Setup Beyond Identity Admin Console Application in OneLogin

  1. Click on Applications -> Applications -> Add Application
  2. In Search window type “Beyond Identity Admin Console”
  3. Select App with title “Beyond Identity Admin Console”.

 

Graphical user interface, application, Teams Description automatically generated




  1. Click Save.
  2. In the “Configuration” section, update following fields
    1. Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
    2. Redirect URI’s: https://admin.byndid.com/auth/callback
  3. In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.

 

Step 4: Setup Admin Console Access

  1. Provide “Client ID” and “Client Secret” assigned to Admin Console Application in OneLogin to Beyond Identity SE. The Beyond Identity team will collect and populate those values using APIs. 
  2. After these values are provisioned, login and confirm that admin has access to Beyond Identity Admin Console.

 

Step 5: Setup Beyond Identity User Console Application in OneLogin

  1. Click on Applications -> Add Application
  2. In Search window type “Beyond Identity User Console”
  3. Select App with title “Beyond Identity User Console”.






Graphical user interface, application Description automatically generated

 

  1. Click Save.
  2. In the “Configuration” section, update following fields
    1. Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
    2. Redirect URI’s: https://user.byndid.com/auth-user/callback
    3. API Connection > API Status > Enabled
    4. SCIM Bearer Token: <Provided_by_Beyond_Identity>
  3. In the “SSO” section, note down the SSO “Client ID” and “Client Secret” field and provide it to the Beyond Identity team.
  4. In the “Provisioning” section, select “Enable provisioning”

 

Step 6: Setup Beyond Identity User Portal Authentication

  1. Once logged into Beyond Identity Admin Console, click on Settings.

 

Graphical user interface, text, application, email Description automatically generated

 

  1. Click on “SSO” tab > User Console SSO Integration > Add OIDC SSO

 

Graphical user interface, application Description automatically generated

 

  1. Update Name, Client Id, Client Secret (from the previous step) and Issuer.
  2. Enter Token Field as “sub” and select Token Field Lookup as “exteral_id”.
  3. Click “Save Changes”.

 

Step 7: Setup Beyond Identity for User Authentication:

  1. Once logged into Beyond Identity Admin Console, click on the “Integrations” tab and then click on OIDC Clients.
  2. Click on “Add OIDC Client” and fill in Name, Redirect URI field and leave the default value for Token Signing Algorithm and Auth Method as shown below.

 

Graphical user interface, text, application Description automatically generated

 

  1. Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. You will be using these values in the next step.

A picture containing text Description automatically generated









Step 7: Configure Beyond Identity as the Identity Provider

  1. In the main OneLogin menu, select Authentication.
  2. In the “Authentication” drop-down, select “Trusted IdPs”.
  3. On the “Trusted IdPs” page, click “New Trust”. 

 

Graphical user interface, application, Teams Description automatically generated

  1. Enter the following information:
    1. Name: Beyond Identity
    2. Enable “Trusted IDP”
    3. Enable “Show in Login panel”
    4. Login icon: 

https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png

  1. Issuer: https://auth.byndid.com/v2
  2. Enable “Sign users into OneLogin”
  3. Enable “Sign users into additional applications”
  4. Enable “Send Subject Name ID or Login Hint in Auth Request”
  5. User Attribute Value: {tidp.sub}
  6. User Attribute Mapping: Email
  7. Protocol: OAUTH
  8. Authentication Endpoint: https://auth.byndid.com/v2/authorize
  9. Token Endpoint Auth Method: BASIC
  10. Token endpoint: https://auth.byndid.com/v2/token
  11. User Information Endpoint: https://auth.byndid.com/v2/userinfo
  12. Scopes: openid
  13. Client id: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
  14. Client Secret: (Paste Client id copied from Beyond Identity Admin Console in previous step.)
  15. Click “Save”







Step 10: Set up Routing Rules

  1. Set up the IdP as the default Trusted IdP by selecting the IdP and clicking on “More Actions”.
  2. Otherwise, click on individual users, and select the IdP under the “Authentication” tab.

 

Graphical user interface, application, Teams Description automatically generated



Step 11: Create a Role

  1. Create a Role “Beyond Identity” and add the 2 applications “Beyond Identity Admin Console” and “Beyond Identity User Console” to it.
    1. Click on Users > Roles > New Role
    2. Name it “Beyond Identity”
    3. Click on the 2 apps listed under “Select Apps to Add”
    4. Click on “Save”

Graphical user interface, application, Teams Description automatically generated



 

Setting up test users

 

User Enrollment

  1. To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Role.
    1. Click on “Users”
    2. Select a user
    3. Click on “Applications
    4. Click on “Beyond Identity” Role to select it.

 

  1. Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
    1. See image below for reference:

 

Graphical user interface, text, application, email, Teams Description automatically generated

 

  1. Each enrolled user will be asked to follow the two steps below:
    1. Step 1: Download the Beyond Identity Authenticator to their device.
      1. When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
      2. Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
    2. Step 2: Register their Credential in the Beyond Identity IdP.
      1. By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator
      2. See example image below:

 

Graphical user interface, application, Word Description automatically generated

 

User Authentication (Signing in)

  1. Each enrolled user can visit their OneLogin instance or any application supported by your SSO to sign into their corporate applications. 
  2. The OneLogin application or SSO-supported application will ask the user to click on the “Beyond Identity” icon (sign in with Beyond Identity).
    1. Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.

 

User Deprovisioning

  1. To deprovision a user from the Beyond Identity experience, remove user from the “Beyond Identity” Role.
    1. Click on “Users”
    2. Select a user
    3. Click on “Applications
    4. Click on “Beyond Identity” Role to deselect it.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk