Introduction
This guide provides information on how to:
- Set up Beyond Identity as a passwordless authentication solution for your Idaptive environment.
- Set up Idaptive to use Beyond Identity as an identity provider (IdP) to federate authentication.
- Set up Idaptive as the source of truth for user identities.
- Create users in Idaptive and, as part of application provisioning, provision them to the Beyond Identity tenant over SCIM.
Prerequisites
Ensure that you have the following:
- An Idaptive account with system admin privileges to:
  - Create, modify and delete users in the Idaptive tenant.
  - Create and configure the tenant.
  - Create and configure OpenID Connect web applications.
  - Create and configure a federation partner.
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:

| Item | Value |
| --- | --- |
| Your company name | |
| Your Idaptive tenant URL, e.g. https://<customer_id>.my.idaptive.app/ | |
| Beyond Identity Admin Portal application credentials: SSO Client ID, SSO Client Secret | |
| Beyond Identity User Portal application credentials: SSO Client ID, SSO Client Secret | Updated by the customer directly in the Beyond Identity Admin UI. |
| (Optional) A logo for your corporation | Logo requirements: 300 x 150 pixels or less; file size of 10 KB or less; accepted file types: SVG, PNG, JPG or GIF |
Information you will receive from the Beyond Identity Field Team:

| Item | Value |
| --- | --- |
| Beyond Identity IdP endpoint URLs: Issuer, Authorization endpoint, Token endpoint, JWKS endpoint | Authorization endpoint: https://auth.byndid.com/v2/authorize |
| Client ID | [From Beyond Identity Console] |
| Client Secret | [From Beyond Identity Console] |
| Tenant API Bearer Token for SCIM | [From Beyond Identity SE] |
| Beyond Identity Org ID | [From Beyond Identity SE] |
| SCIM API endpoint | |
2. Idaptive Configuration
To configure Beyond Identity as the IdP in Idaptive, follow the steps below.
Step 2.1: Sign in as an administrator to Idaptive tenant
Sign into your Idaptive tenant with the admin identity and password.
Step 2.2: Create a custom suffix
“The login suffix is the part of the login name that follows the @ symbol. For example, if the login name is bob.jones@acme.com, the login suffix is acme.com.”
In the admin console, navigate to Settings=>Customization=>Suffix=>Add.
- Create a suffix (e.g. “passwordless.bi”). Whenever a user logs in with username@passwordless.bi, the user is federated to Beyond Identity for the passwordless experience.
- The login suffix identifies which federation partner handles authentication. Because only users who sign in with this suffix are federated, the suffix lets you roll out the passwordless solution in phases: start with a few users who log in with it.
Step 2.3: Create roles for BI admin console and BI user console in Idaptive
Applications are mapped to roles, and users are added to roles. A user can be a member of many roles. Idaptive provisions users per application.
Create a role by navigating to Core Services=>Roles and clicking “Add Role”.
- Create the BI_Admins role for the BI admin console application.
- Create the BI_Users role for the BI user console application.
- Use the Members panel=>Add button to add users to the role.
Step 2.4: Setup Beyond Identity Admin Application in Idaptive
Sign in as administrator and navigate to Settings=>Web Apps=>Add Web Apps.
Choose “Custom” and “OpenID Connect”, then click Add.
2.4.1 Settings panel
- Application ID: use all lowercase, beyond_identity_admin_console
- Under Logo, click Browse to upload the Beyond Identity logo
- Note down the Application ID
2.4.2 Trust panel
- IdP configuration
  - Copy the client ID. You need it when setting up admin console SSO in BI.
  - OpenID Connect client secret: enter a secret value (you can generate your own). Copy the client secret; you need it when setting up admin console SSO in BI.
- Service Provider configuration
  - Resource application URL: the BI admin console URL, for example https://admin.byndid.com/auth/?org_id=<bi_tenant>, where bi_tenant is your Beyond Identity tenant (for example, acme).
  - Click Add under “Authorized redirect URL” and enter https://admin.byndid.com/auth/callback
2.4.3 Tokens panel
- Leave this panel at its defaults, and likewise the Policy, Account Mapping, App Gateway, Linked Applications, Workflow and Secure Web Sessions panels.
2.4.4 Provisioning panel
- Leave this panel at its defaults. Members of the BI_Admins role can sign in with a password to access the BI admin console; this access can also be controlled with BI RBAC.
2.4.5 Assign beyond_identity_admin_console application to BI_Admins role
- Navigate to Core Services=>Roles and click the “BI_Admins” role.
- In the “Assigned Applications” panel, click the Add button to assign applications to the role.
- Assign the “beyond_identity_admin_console” application.
- For the BI_Users role, assign “beyond_identity_user_console”.
Step 2.5: Setup Beyond Identity Admin Console SSO in BI
- Provide the “Client ID” and “Client Secret” assigned to the admin console application in the Trust panel (Step 2.4.2) to the Beyond Identity SE. The Beyond Identity team will collect and configure these values.
- Beyond Identity Field Team: configure the following fields through the Beyond Identity Support Console when updating the Admin Console configuration.
  - Name: Beyond-Identity-Admin-Console
  - Client ID: <the value recorded in Step 2.4.2>
  - Client Secret: <the value recorded in Step 2.4.2>
  - Issuer: https://<customer_id>.my.idaptive.app/<Application ID noted in Step 2.4.1>/
  - Token Field: sub
  - Token Field Lookup: external_id
- After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console.
Step 2.6: Setup Beyond Identity User Console Application in Idaptive
Sign in as administrator and navigate to Settings=>Web Apps=>Add Web Apps.
Choose “Custom” and “OpenID Connect”, then click Add.
2.6.1 Settings panel
- Application ID: use all lowercase, beyond_identity_user_console
- Under Logo, click Browse to upload the Beyond Identity logo
- Note down the Application ID
2.6.2 Trust panel
- IdP configuration
  - Copy the client ID. You need it when setting up user console SSO in BI.
  - OpenID Connect client secret: enter a secret value (you can generate your own). Copy the client secret; you need it when setting up user console SSO in BI.
- Service Provider configuration
  - Resource application URL: the BI user console URL for your tenant, where bi_tenant is your Beyond Identity tenant (for example, acme).
  - Click Add under “Authorized redirect URL” and enter https://user.byndid.com/auth-user/callback
2.6.3 Tokens panel
- Leave this panel at its defaults, and likewise the Policy, Account Mapping, App Gateway, Linked Applications, Workflow and Secure Web Sessions panels.
2.6.4 Provisioning panel
This panel is used to configure the Beyond Identity SCIM endpoint URL and the Beyond Identity tenant API token as the Bearer Token.
- Check “Enable provisioning for this application”
- Select Live Mode
- SCIM service URL: https://api.byndid.com/scim
- Authorization Type:
  - Select Authorization header
  - Header type: Bearer Token
  - Bearer Token: obtain this token from the BI SME
- Click Verify. This connects to the SCIM endpoint and gathers configuration information to populate the sync and deprovisioning options.
- Role Mappings: click “Add” and add the BI_Users role with Bi_Users as the destination group. The Bi_Users group will be created in the Beyond Identity tenant.
- Expand “Provisioning script” and add the script below. It maps Idaptive user attributes to the SCIM user object (the Idaptive Uuid becomes the SCIM externalId, which is the key that later links the federated login back to the directory user) and maps Idaptive groups to SCIM groups.

```javascript
// User objects: map Idaptive attributes to the SCIM User schema.
if (source.Classification == 'User') {
  // Split the display name on spaces; first token is the given name,
  // last token is the family name (a single-word display name yields both).
  var nameBits = source.DisplayName.split(' ');
  destination.active = source.Status;
  destination.externalId = source.Uuid;      // Idaptive Uuid is the linking key
  destination.userName = source.Email;
  destination.displayName = source.DisplayName;
  destination.name = {
    'familyName': nameBits[nameBits.length - 1],
    'givenName': nameBits[0]
  };
  destination.emails = [{
    'type': 'work',
    'value': source.Email
  }];
}
// Group objects: name from the mapped role, members from the role membership.
if (source.Classification == 'Group') {
  var propArr = getSourcePropertyByName('name');
  if (propArr && propArr.Length) {
    destination.displayName = propArr[0];
  }
  destination.members = GetMemberList();
  // destination.id = '';
}
```
- On-demand application provisioning can be triggered by navigating to Settings=>Users=>Other=>Outbound provisioning. Under “Provisioning enabled applications”, choose “All enabled applications” or a specific application, then click the “Start Sync” button.
- You can also schedule a daily synchronization for all enabled applications by specifying a start sync time.
2.6.5 Assign beyond_identity_user_console application to BI_Users role
- Navigate to Core Services=>Roles and click the “BI_Users” role.
- In the “Assigned Applications” panel, click the Add button to assign applications to the role.
- Assign the “beyond_identity_user_console” application.
Step 2.7: Setup Beyond Identity User Console SSO in BI
- Once logged into the Beyond Identity Admin UI, click Settings -> SSO -> User Console SSO Integration, then click Edit.
- Configure the following fields for the User Console SSO Integration.
  - Name: Beyond-Identity-User-Console
  - Client ID: <the value recorded in Step 2.6.2>
  - Client Secret: <the value recorded in Step 2.6.2>
  - Issuer: https://<customer_id>.my.idaptive.app/<Application ID noted in Step 2.6.1>/
  - Token Field: sub
  - Token Field Lookup: external_id
- Click Save Changes.
3. Configuring Beyond Identity as the IDP federation partner in Idaptive
In Idaptive, Business Partner Federation establishes a trust relationship between the Service Provider (SP) and Identity Provider (IDP) using SAML tokens.
To add a partner, navigate to Settings=>Users=>Partner Management and click Add.
Set up the partner with the following configuration.
3.1 Settings panel
- Partner Name: e.g. Beyond Identity
- Federation Type: SAML 2.0
- Federation Domain: suffix created earlier, e.g., “passwordless.bi”
- Click “Save”
3.2 Group Mappings panel
- Leave as default
3.3 Outbound Metadata panel
Click “Option 2: Download Service Provider Metadata”. Give this file to the BI SME.
Click “Save”.
3.4 Inbound Metadata panel
Skip this for now; after completing Step 4.3, come back to complete this step. The file required here is the metadata downloaded in Step 4.3. Choose “Option 2: Upload IDP configuration from a file” as shown below.
3.5 Authentication panel
- Map federated user to existing directory user: Required
- Federated user mapping attribute: userprincipalname
- Directory user mapping attribute: Uuid
- Preferred Directory Service: CyberArk Cloud Directory
4. Setup Beyond Identity Console for User Authentication
4.1 Once logged into the Beyond Identity Admin Console UI, click the “Integrations” tab and then click “SAML Connections”.
4.2 Click “Add SAML Connection” and update the fields as follows:
- Name: Beyond Identity IDP
- Click “Upload XML” and upload the file downloaded in Step 3.3
- Optional Attributes:
  - Name: UserPrincipalname, Nameformat: unspecified, Value: ExternalId
  - Name: EmailAddress, Nameformat: unspecified, Value: Email
  - Name: DisplayName, Nameformat: unspecified, Value: UserName
- Click “Save Changes”
4.3 In the BI Admin Console, navigate to Integrations=>SAML Connections=>“Beyond Identity IDP” and click the “Download Metadata” button. This metadata file is used when setting up the partner in Idaptive (Step 3.4).
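To make the identity linkage across Steps 2.6.4, 3.5 and 4.2 concrete, here is an added example (not Idaptive's or Beyond Identity's code) that ports the User branch of the provisioning script, models the SAML attributes under the Step 4.2 mapping (an assumption about the assertion's shape), and applies the Step 3.5 userprincipalname-to-Uuid match against a constructed directory.

```javascript
// Added example: models the identity chain this guide configures.
//   Idaptive user --(2.6.4 script)--> SCIM user with externalId = Uuid
//   --(4.2 attribute UserPrincipalname = ExternalId)--> SAML assertion
//   --(3.5 userprincipalname -> Uuid)--> back to the same Idaptive user.
// Idaptive's source/destination objects are plain objects here.

// Port of the "User" branch of the 2.6.4 provisioning script.
function mapUserToScim(source) {
  const nameBits = source.DisplayName.split(' ');
  return {
    active: source.Status,
    externalId: source.Uuid, // the linking key
    userName: source.Email,
    displayName: source.DisplayName,
    name: { familyName: nameBits[nameBits.length - 1], givenName: nameBits[0] },
    emails: [{ type: 'work', value: source.Email }],
  };
}

// Assumed attribute set emitted under the 4.2 optional-attribute mapping
// (UserPrincipalname=ExternalId, EmailAddress=Email, DisplayName=UserName).
function samlAttributesFor(scimUser) {
  return {
    UserPrincipalname: scimUser.externalId,
    EmailAddress: scimUser.emails[0].value,
    DisplayName: scimUser.userName,
  };
}

// Step 3.5: mapping to an existing directory user is Required, so the
// federated userprincipalname must equal a directory user's Uuid.
// Returns null (no access) when nothing matches; no user is created.
function resolveFederatedUser(attrs, directory) {
  return directory.find((u) => u.Uuid === attrs.UserPrincipalname) || null;
}

// Constructed sample directory (not real identities).
const directory = [
  { Uuid: '1111-aaaa', Email: 'bob.jones@passwordless.bi', DisplayName: 'Bob Jones', Status: true },
  { Uuid: '2222-bbbb', Email: 'prince@passwordless.bi', DisplayName: 'Prince', Status: true },
];

// Full round trip: provision, assert, resolve.
function roundTrip(user, dir) {
  return resolveFederatedUser(samlAttributesFor(mapUserToScim(user)), dir);
}
```

The second sample user shows the name-split edge case (a one-word display name gives identical givenName and familyName), and the last test shows why an assertion carrying the e-mail rather than the Uuid as userprincipalname is rejected under the Step 3.5 mapping.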
5. Setting Beyond Identity as MFA
Idaptive currently supports only a restricted list of MFA providers and does not support integrating custom third-party MFA providers.
6. Setting up test users
6.1 User Enrollment
6.1.1 To enroll a user in the Beyond Identity experience
- Create a user in the Idaptive admin console.
- Add the user to the BI_Users role to assign the BI user console, or to the BI_Admins role to assign the BI admin console.
- Application provisioning then provisions the user to the BI tenant.
- Provisioned users receive an enrollment mail from BI.
- Enrolled users receive an email from Beyond Identity welcoming them to the new identity provider.
- See image below for reference:
6.1.3 Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
  - When the user clicks “View Download Options”, the Beyond Identity Authenticator download page opens in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
  - Once the Authenticator is installed, the user should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
  - When the user clicks Step 2 “Register New Credential”, their credential is enrolled in the Beyond Identity service on the back end. On the front end, the user is taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once it completes, the user sees the credential in the Authenticator.
- See example image below:
6.2 User Authentication (Signing in)
- Access the Idaptive tenant URL, for example https://<customer_id>.my.idaptive.app/my
- Sign in with the federated user suffix, e.g. regu.rajaiah@beyondidentity.com, and click Next
- This triggers the passwordless experience with the BI Authenticator and then shows the Idaptive user portal listing the applications assigned to the user
6.3 User Deprovisioning
To deprovision a user from the Beyond Identity experience, remove the user from the appropriate role in Idaptive.