Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your OneLogin environment.
- Set up OneLogin to use Beyond Identity as an Identity Provider.
Prerequisites
Ensure that you have the following:
- A OneLogin account with “Superadmin” privileges.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
| Information | Value |
| --- | --- |
| Your Company Name | |
| Your OneLogin Instance URL (e.g. https://[your-domain].onelogin.com) | |
| Beyond Identity Admin Console Application credentials: SSO Client Id, SSO Client Secret | |
| Beyond Identity User Console Application credentials: SSO Client Id, SSO Client Secret | This will be updated by the customer directly using the Beyond Identity Admin Console. |
| (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF | |
Information you will receive from the Beyond Identity Field Team
| Information | Value |
| --- | --- |
| Beyond Identity IdP endpoint URLs: Issuer | https://auth.byndid.com/v2 |
| Authorization endpoint | https://auth.byndid.com/v2/authorize |
| Token endpoint | https://auth.byndid.com/v2/token |
| Userinfo endpoint | https://auth.byndid.com/v2/userinfo |
| Client ID | [From Beyond Identity Console] |
| Client Secret | [From Beyond Identity Console] |
| SCIM API Bearer Token | [From Beyond Identity SE] |
| Beyond Identity Org ID | [From Beyond Identity SE] |
| SCIM API endpoint | |
OneLogin Configuration
To configure Beyond Identity as the IdP in OneLogin, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity for test users.
Step 3: Set up the Beyond Identity Admin Console Application in OneLogin
- Click on Applications -> Applications -> Add Application
- In the Search window, type “Beyond Identity Admin Console”.
- Select the App with the title “Beyond Identity Admin Console”.
- Click Save.
- In the “Configuration” section, update the following fields:
- Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
- Redirect URIs: https://admin.byndid.com/auth/callback
- In the “SSO” section, note down the SSO “Client ID” and “Client Secret” fields and provide them to the Beyond Identity team.
Step 4: Set up Admin Console Access
- Provide the “Client ID” and “Client Secret” assigned to the Admin Console Application in OneLogin to the Beyond Identity SE. The Beyond Identity team will collect and populate those values using APIs.
- After these values are provisioned, log in and confirm that the admin has access to the Beyond Identity Admin Console.
Step 5: Set up the Beyond Identity User Console Application in OneLogin
- Click on Applications -> Add Application
- In the Search window, type “Beyond Identity User Console”.
- Select the App with the title “Beyond Identity User Console”.
- Click Save.
- In the “Configuration” section, update the following fields:
- Beyond Identity Tenant: <Beyond_Identity_Tenant_Name>
- Redirect URIs: https://user.byndid.com/auth-user/callback
- API Connection > API Status > Enabled
- SCIM Bearer Token: <Provided_by_Beyond_Identity>
- In the “SSO” section, note down the SSO “Client ID” and “Client Secret” fields and provide them to the Beyond Identity team.
- In the “Provisioning” section, select “Enable provisioning”
Step 6: Set up Beyond Identity User Portal Authentication
- Once logged into Beyond Identity Admin Console, click on Settings.
- Click on “SSO” tab > User Console SSO Integration > Add OIDC SSO
- Update Name, Client Id, Client Secret (from the previous step) and Issuer.
- Enter the Token Field as “sub” and select the Token Field Lookup as “external_id”.
- Click “Save Changes”.
Step 7: Set up Beyond Identity for User Authentication
- Once logged into Beyond Identity Admin Console, click on the “Integrations” tab and then click on OIDC Clients.
- Click on “Add OIDC Client”, fill in the Name and Redirect URI fields, and leave the default values for Token Signing Algorithm and Auth Method as shown below.
- Click on the newly created OIDC Client configuration and note the Client ID and Client Secret values. You will use these values in the next step.
Step 7: Configure Beyond Identity as the Identity Provider
- In the main OneLogin menu, select “Authentication”.
- In the “Authentication” drop-down, select “Trusted IdPs”.
- On the “Trusted IdPs” page, click “New Trust”.
- Enter the following information:
- Name: Beyond Identity
- Enable “Trusted IDP”
- Enable “Show in Login panel”
- Login icon:
https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png
- Issuer: https://auth.byndid.com/v2
- Enable “Sign users into OneLogin”
- Enable “Sign users into additional applications”
- Enable “Send Subject Name ID or Login Hint in Auth Request”
- User Attribute Value: {tidp.sub}
- User Attribute Mapping: Email
- Protocol: OAUTH
- Authentication Endpoint: https://auth.byndid.com/v2/authorize
- Token Endpoint Auth Method: BASIC
- Token endpoint: https://auth.byndid.com/v2/token
- User Information Endpoint: https://auth.byndid.com/v2/userinfo
- Scopes: openid
- Client id: (Paste the Client id copied from the Beyond Identity Admin Console in the previous step.)
- Client Secret: (Paste the Client Secret copied from the Beyond Identity Admin Console in the previous step.)
- Click “Save”
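The Trusted IdP settings above are easy to get subtly wrong (an endpoint pasted from a different issuer, the client id pasted into the secret field, a missing openid scope), and the Step 6 lookup silently depends on the token's "sub" matching exactly one user's external_id. The script below is an added example, not Beyond Identity's or OneLogin's code: it checks a configuration dict constructed from the values in this guide for those mistakes, shows the HTTP Basic credential that "Token Endpoint Auth Method: BASIC" implies for the token request, and performs the sub-to-external_id lookup while refusing ambiguous matches. The helper names, the placeholder client credentials and the sample user directory are all assumptions.

```python
"""Consistency checks for the OIDC Trusted IdP settings in this guide.

Added example (not vendor code). TRUSTED_IDP is constructed from the values
the guide lists; client_id/client_secret are placeholders. The helpers
validate_trusted_idp, basic_auth_header and resolve_user are assumed names.
"""
import base64
from urllib.parse import quote, urlsplit

# Constructed from the "Configure Beyond Identity as the Identity Provider" step.
TRUSTED_IDP = {
    "issuer": "https://auth.byndid.com/v2",
    "authorization_endpoint": "https://auth.byndid.com/v2/authorize",
    "token_endpoint": "https://auth.byndid.com/v2/token",
    "userinfo_endpoint": "https://auth.byndid.com/v2/userinfo",
    "scopes": ["openid"],
    "token_endpoint_auth_method": "BASIC",
    "client_id": "PLACEHOLDER_CLIENT_ID",        # placeholder, not a real value
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",  # placeholder, not a real value
}

# Constructed sample directory and ID-token claims for the Step 6 lookup.
SAMPLE_DIRECTORY = [
    {"email": "alice@example.com", "external_id": "bi-user-0001"},
    {"email": "bob@example.com", "external_id": "bi-user-0002"},
]
SAMPLE_CLAIMS = {"iss": "https://auth.byndid.com/v2", "sub": "bi-user-0001"}


def validate_trusted_idp(cfg):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    issuer = urlsplit(cfg["issuer"])
    if issuer.scheme != "https":
        problems.append("issuer must use https")
    prefix = issuer.path.rstrip("/") + "/"
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        ep = urlsplit(cfg[key])
        # Every endpoint must live under the issuer; a URL pasted from another
        # IdP or a mistyped host would otherwise route logins elsewhere.
        if ep.scheme != "https" or ep.netloc != issuer.netloc or not ep.path.startswith(prefix):
            problems.append(f"{key} is not under the issuer")
    if "openid" not in cfg["scopes"]:
        problems.append("scopes must include openid for an OIDC login")
    if cfg["token_endpoint_auth_method"] != "BASIC":
        problems.append("guide expects Token Endpoint Auth Method BASIC")
    if not cfg["client_id"] or not cfg["client_secret"]:
        problems.append("client_id and client_secret must both be set")
    elif cfg["client_id"] == cfg["client_secret"]:
        problems.append("client_secret equals client_id (client id pasted into the secret field?)")
    return problems


def basic_auth_header(client_id, client_secret):
    """Authorization header value for BASIC token-endpoint auth (RFC 6749 2.3.1):
    form-encode each part, join as id:secret, base64-encode the result."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode()


def resolve_user(claims, directory):
    """Step 6 lookup: match the token's 'sub' against each user's external_id.

    Returns the single matching user, or None when there is no match or the
    match is ambiguous; an ambiguous match must never sign anyone in."""
    sub = claims.get("sub")
    if not sub:
        return None
    matches = [u for u in directory if u.get("external_id") == sub]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print("problems:", validate_trusted_idp(TRUSTED_IDP))
    print(basic_auth_header(TRUSTED_IDP["client_id"], TRUSTED_IDP["client_secret"]))
    print("resolved:", resolve_user(SAMPLE_CLAIMS, SAMPLE_DIRECTORY))
```

Run it against your own values before enabling the Trusted IdP for real users; the endpoint-under-issuer check is the one that catches a token endpoint pasted from a different environment, and the equal-id-and-secret check catches the copy-paste slip the Client Secret field invites.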
Step 10: Set up Routing Rules
- Set the IdP as the default Trusted IdP by selecting the IdP and clicking on “More Actions”.
- Alternatively, click on individual users and select the IdP under the “Authentication” tab.
Step 11: Create a Role
- Create a Role “Beyond Identity” and add the 2 applications “Beyond Identity Admin Console” and “Beyond Identity User Console” to it.
- Click on Users > Roles > New Role
- Name it “Beyond Identity”
- Click on the 2 apps listed under “Select Apps to Add”
- Click on “Save”
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” Role.
- Click on “Users”
- Select a user
- Click on “Applications”
- Click on “Beyond Identity” Role to select it.
- Enrolled users will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- See image below for reference:
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 will be taken to the Beyond Identity Authenticator where they will see the progress of their credential registration. Once completed, the user will see the credentials in the Authenticator.
- See example image below:
User Authentication (Signing in)
- Each enrolled user can visit their OneLogin instance or any application supported by your SSO to sign into their corporate applications.
- The OneLogin application or SSO-supported application will ask the user to click on the “Beyond Identity” icon (sign in with Beyond Identity).
- Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” Role.
- Click on “Users”
- Select a user
- Click on “Applications”
- Click on “Beyond Identity” Role to deselect it.