Introduction
This guide provides information on how to:
- Set up ARISTA Cloud for integration with OKTA SSO & Beyond Identity IdP as the first factor. (L3 Authentication)
Prerequisites
Ensure that you have the following:
- An Okta account with “Super” or “Organization” admin privileges.
- An Arista network admin account.
Okta Configuration for Provisioning Users in Beyond Identity
Step 1: Add Beyond Identity User Group
- Click on Directory -> Groups
- Click on “Add Group”
- Fill in the fields as follows:
- Name: “Beyond Identity”
- Description: “Beyond Identity Users Group”
- Click “Add Group”.
Step 2: Setup Beyond Identity Admin Application in Okta
- Click on Applications -> Add Application
- In the Search window, type “Beyond Identity Admin”
- Select the app with the title “Beyond Identity Admin Portal”.
- Click Add.
- In the “General Settings” section, update the following fields:
- Application Label: “Beyond Identity Admin Portal”
- Click Done.
- In the Assignment tab, assign “Admins” to this application.
- In the “Sign On” tab, update the following fields:
- Click on “Edit” for settings.
- Update the Org ID field with the Organization ID provided by the Beyond Identity team.
- Note down the SSO “Client ID” and “Client Secret” fields and provide them to the Beyond Identity team.
Step 3: Setup Admin Portal Access
- Provide the “Client ID” and “Client Secret” assigned to the Admin UI application in Okta to the Beyond Identity SE. The Beyond Identity team will collect and configure these values.
- Beyond Identity Field Team: please configure the following fields through the Beyond Identity Support Console while updating the Admin Console configuration.
- Name: Okta OIDC Integration
- Client ID: <Use the value recorded in the previous step>
- Client Secret: <Use the value recorded in the previous step>
- Issuer: https://<okta-tenant-id>.okta.com (Provided by the customer as Login URL)
- Token Field: sub
- Token Field Lookup: external_id
- After these values are provisioned, the customer should log in and confirm that the admin has access to the Beyond Identity Console.
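The Step 3 settings tell the console how an Okta ID token is turned into a Beyond Identity user: the Issuer must match the token's `iss`, and the Token Field (`sub`) is looked up against the Token Field Lookup attribute (`external_id`). The following Python is an added example, not code from the guide or from Beyond Identity; the tenant id and client id are placeholders, the user directory is constructed, and it assumes the OIDC library has already verified the token signature so only the claim checks and the lookup are shown.

```python
import base64
import json
import time

# Admin Console OIDC values from Step 3 (tenant id and client id are placeholders).
OIDC_CONFIG = {
    "issuer": "https://<okta-tenant-id>.okta.com",
    "client_id": "<okta-client-id>",
    "token_field": "sub",                 # claim read from the Okta ID token
    "token_field_lookup": "external_id",  # user attribute that claim must equal
}
# Constructed directory: external_id holds the Okta user id written by SCIM provisioning.
USERS = [
    {"username": "alice", "external_id": "00u1abc", "active": True},
    {"username": "bob", "external_id": "00u2def", "active": False},  # deactivated
]

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims):
    """Build an unsigned, id_token-shaped string from constructed claims (test data only)."""
    parts = [{"alg": "none"}, claims]
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in parts) + "."

def resolve_admin(id_token, config=OIDC_CONFIG, users=USERS, now=None):
    """Map a signature-checked ID token to a console user (assumed: the OIDC library
    verified RS256 against Okta's JWKS). Returns (username, reason); None = refuse."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    now = time.time() if now is None else now
    # Issuer is compared exactly: no prefix, suffix or case-insensitive matching.
    if claims.get("iss") != config["issuer"]:
        return None, "issuer mismatch"
    aud = claims.get("aud", [])
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"  # token minted for another application
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    key = claims.get(config["token_field"])
    if not key:
        return None, "claim %s missing" % config["token_field"]
    # Exact match on the lookup attribute; SCIM-deactivated users never resolve.
    for user in users:
        if user["active"] and user[config["token_field_lookup"]] == key:
            return user["username"], "ok"
    return None, "no active user for that external_id"
```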
Step 4: Setup Beyond Identity User Portal Application in Okta
- Click on Applications -> Add Application
- In the Search window, type “Beyond Identity User”
- Select the app with the title “Beyond Identity User Portal”.
- Click Add.
- Now you will see a pop-up with the following information:
- General Settings
- Application Label: “Beyond Identity User Portal”
- Click Done.
- In the Assignment tab, click on “Assign” and from the drop-down select “Assign to Groups”. Click on the “Assign” button for the “Beyond Identity” group.
- In the “Sign On” tab, update the following fields:
- Click on “Edit” for settings.
- Update the Org ID field with the Organization ID provided by the Beyond Identity team.
- Note down the SSO “Client ID” and “Client Secret” fields and use them in the next step.
- In the “Provisioning” tab, update the following fields:
- Click on “Configure API Integration”.
- Then click on “Enable API Integration”.
- In the API token field, paste the API token provided by the Beyond Identity team. Then click on “Test API Credentials”.
- After seeing the message “Beyond Identity User Portal was verified Successfully”, save the configuration.
- After setting up SCIM in the above step, make the following changes in the “Provisioning” tab:
- In the “Provisioning to App” section, click on Edit.
- For “Create Users”, “Update User Attributes” and “Deactivate Users”, click Enable.
- Save the changes by clicking on “Save”.
- Make the following changes in the “Provisioning” tab. (This is only applicable to Okta Production instances and not to Developer or Preview instances.)
- In the “Integration” section, click on Edit.
- Select “Import Groups” if it is not enabled by default.
- Save the changes by clicking on “Save”.
Arista Configuration for Integration with Okta SSO & BI IdP
L3 Based WLAN Authentication
- Log in to Arista CloudVision WiFi
- Click on Configure -> WiFi -> Add SSID
- SSID Name: <SSID name> (Comes from customer)
- Profile Name: <Profile Name> (Comes from customer)
- Select SSID Type: Guest
- Click on the Security tab -> Select Security Level for Associations -> Open
- No configuration is needed on the Networks tab for BI
- Click Captive Portal and from the drop-down menu select Cloud Hosted.
- Under “Websites that users can access before login”, add auth.byndid.com and app.byndid.com.
- Under Authentication Plugins and Quality of Service -> select the login method for guest WiFi users.
- Click Social -> Okta
- Under Okta Settings, configure the Client ID, Client Secret and organizational domain.
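The two hosts added to “Websites that users can access before login” are the captive portal's walled garden, and the matching rule that list is applied with matters: only exact hostname equality should let a pre-login request through. The following Python is an added example, not code from the guide or from Arista; it shows that rule applied to the page's two hosts, accepting case and port variations but refusing parent domains and look-alike suffixes.

```python
from urllib.parse import urlsplit

# Walled-garden hosts from the captive-portal step: the only destinations an
# unauthenticated client may reach before it has logged in.
PRE_LOGIN_ALLOWED_HOSTS = {"auth.byndid.com", "app.byndid.com"}

def is_pre_login_allowed(url, allowed=PRE_LOGIN_ALLOWED_HOSTS):
    """True only when the request host is exactly one of the allowed hosts.
    The comparison is case-insensitive and ignores the port and a trailing dot,
    but never uses substring or suffix matching, so a look-alike such as
    auth.byndid.com.example.net or the parent byndid.com is refused."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False  # not a web request the portal can redirect; block it
    return host in allowed
```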
Setting up test users
User Enrollment
- To enroll a user in the Beyond Identity experience, assign the user to the “Beyond Identity” group.
- Click on Directory -> Groups
- Select “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “+” sign next to the user’s name in the column titled “Not Members”.
- Click Save.
- The enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider.
- Each enrolled user will be asked to follow the two steps below:
- Step 1: Download the Beyond Identity Authenticator to their device.
- When the user clicks “View Download Options”, the Beyond Identity Authenticator download page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
- Now that the user has the Authenticator installed on their device, they should proceed to Step 2, as there is not yet a user credential associated with the Authenticator on that device.
- Step 2: Register their Credential in the Beyond Identity IdP.
- By clicking on Step 2 “Register New Credential”, the user’s credential gets enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once completed, the user will see a credential in the Authenticator.
User Authentication (Signing in)
- Each enrolled user can visit their Beyond Identity Admin Portal at https://admin.byndid.com
- The Okta application or SSO-supported application will ask the user to enter their username/password.
- Connect to the WiFi SSID and experience Beyond Identity passwordless secure login.
User Deprovisioning
- To deprovision a user from the Beyond Identity experience, remove the user from the “Beyond Identity” group.
- Click on Directory -> Groups
- Select “Beyond Identity” group.
- Click on “Manage People”.
- Click on the “-” sign next to the user’s name in the column titled “Members”.
- Click Save.