Integrate with Okta

Integrate Beyond Identity with Okta. Here you will find:

  • The access needed in Okta to perform the integration.

  • The information required to integrate Beyond Identity with a customer's Okta environment.

  • A guide on how to perform the integration.

Prerequisites:


Okta “Super” or “Organization” admin access required

The configurations performed in Okta will require a “Super” or “Organization” admin user to be on the call to access and edit the following parameters:

  1. Add/edit attributes and their mappings in Directory → Profile Editor.

  2. Add/edit Identity Providers in Security → Identity Providers.

  3. Add/edit routing rules in Security → Identity Providers → Routing Rules.

  4. Add/edit Event Hooks in Workflow → Event Hooks (Optional).


OpenID Connect IdP and Routing Rules enabled for the account

OpenID Connect IdP and Routing Rules must be enabled for this account, because Beyond Identity is set up as an identity provider in Okta and is selected through routing rules.

Ensure the OpenID Connect IdP is available on the Security → Identity Providers page in the Add Identity Provider menu. If the OpenID Connect IdP option is missing, contact Okta support to enable OpenID Connect IdP.

Ensure the Routing Rules tab is available on the Security → Identity Providers page. If the Routing Rules tab is missing, contact Okta support to enable Routing Rules on the Identity Providers page.

Okta Support Ticket Sample

  1. Navigate to Okta’s Open Case Center at https://support.okta.com/help/s/opencase

  2. Create a case with the following information:

    1. Request Type: Okta org request

    2. Subject: Enable OIDC Provider Type

    3. Detailed Description:
      Please enable the "OIDC IdP" type on my Okta organization. Also ensure that OIDC is enabled as a login method.
      My Organization Id is: <ORG_ID>
      This would normally show up under:
      "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"

    4. Steps to reproduce:
      This would normally show up under:
      "Security > Identity provider > Add Identity Provider > Add OpenID Connect IdP"

    5. Scope: Whole organization affected

    6. Business impact:
      Unable to enable integration

    7. Priority: P3 - Non critical issue

    8. Okta org: Select from the list the organizations where Beyond Identity will be integrated

    9. Case email: Your own email

    10. Phone number: Your phone number

    11. Add contact to team: <Can be left empty>

    12. Add attachment: <Not required>

      See the image below for reference:

If you would like your authenticator to be branded with your company logo, Beyond Identity will need a logo with the following requirements:

  1. 300 x 150 pixels or less

  2. File size of 10kb or less

  3. File types accepted: SVG, PNG, JPG, GIF


Okta URL

The Beyond Identity team will need your company's Okta URL to configure with Beyond Identity,
e.g. https://[your-domain].okta.com


Beyond Identity Applications in Okta

The Beyond Identity team will need the following information from your “Super” or “Organization” admin:

  1. BI Admin Portal Application credentials (SSO Client ID and SSO Client Secret)

  2. BI User Portal Application credentials (SSO Client ID and SSO Client Secret)


Okta API Token for Beyond Identity Services

The Beyond Identity team will need the API token created in Okta for the Beyond Identity services to make calls to your Okta instance.


Okta Configuration

To configure Beyond Identity as the IdP in Okta, follow the steps below. Once these steps are taken, you will be ready to enable Beyond Identity authentication for users.

Step 1: Add Beyond Identity attribute

  1. Sign in to the Okta portal as an administrator.

  2. In the main Okta menu, select Directory

  3. In the “Directory” drop-down menu, select Profile Editor

  4. Find your “Okta” profile and select the Edit Profile action denoted

  5. Under the profile editor, you will see an action to Add Attribute

  6. Click on Add Attribute

    1. Select fields as listed:

      1. Data Type: Boolean

      2. Display Name: Beyond Identity Registration Status

      3. Variable Name: byndidRegistered

      4. Description: Beyond Identity Registration Status

      5. Click Save

        See the image below for reference:

  7. If you have multiple profile masters (applicable for AD mastered users), then perform the following steps:

    1. Click on the edit button for the byndidRegistered attribute in the Okta profile

    2. For the Master Priority field, select Inherit from Okta from the pull-down menu

    3. Click on Save Attribute

Step 2: Add Beyond Identity User Group

  1. Click on Directory → Groups

  2. Click on Add Group

  3. Fill out the fields with values:

    1. Name: Beyond Identity

    2. Description: Beyond Identity Users Group

  4. Click Add Group

    See the image below for reference:

Step 3: Set up the Beyond Identity Admin Portal Application

  1. Click on Applications → Add Application

  2. In the search window type Beyond Identity Admin

  3. Select the application with the title Beyond Identity Admin Portal

  4. Click Add

  5. In the General Settings page, update the following fields:

    1. Application Label: Beyond Identity Admin Portal

    2. Click Done

  6. In the Assignment tab, assign “Admins” to this application

  7. In the Sign On tab, click on the Edit button to edit settings

  8. Update the Org ID field with the organization ID provided by the Beyond Identity team

  9. Provide the values of the SSO Client ID and Client Secret fields to the Beyond Identity team, noting that they belong to the Beyond Identity Admin Portal application

Step 4: Set up Beyond Identity Admin Portal Access

  1. Provide the SSO Client ID and Client Secret assigned to the Admin UI application in Okta (from Step 3) to the Beyond Identity sales engineer or support engineer

    1. The Beyond Identity team will collect and populate those values using APIs.

  2. After these values are provisioned, log in and confirm that your assigned administrator has access to the Beyond Identity Admin Portal

Step 5: Set up the Beyond Identity User Portal Application

  1. Click on Applications → Add Application

  2. In the search window type Beyond Identity User

  3. Select the application with the title Beyond Identity User Portal

  4. Click Add

  5. In the General Settings page, update the following fields:

    1. Application Label: Beyond Identity User Portal

    2. Click Done

  6. In the Assignment tab, click on the Assign button and select the Assign to Groups option

  7. Click on the Assign button for the Beyond Identity group

  8. In the Sign On tab, click on the Edit button to edit settings

  9. Update the Org ID field with the organization ID provided by the Beyond Identity team

  10. Note down the SSO Client ID and Client Secret as they will be used in Step 6

  11. In the Provisioning tab, click on the Configure API Integration button

    1. NOTE: If the Provisioning tab is not visible, you will need to use Okta Event Hooks instead (see Step 10)

  12. Check the Enable API Integration checkbox

  13. In the API token field paste the API token provided by the Beyond Identity team

  14. Click on the Test API Credentials button

    1. Wait for the message “Beyond Identity User Portal was verified Successfully”

    2. Save the configuration

  15. In the Provisioning tab, click on the Edit button

  16. Check the following Enable checkboxes:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users

  17. Save the changes by clicking on the Save button

Step 6: Set up Beyond Identity User Portal Authentication

  1. Once logged into the Beyond Identity Admin UI, click on Account Settings

  2. Click on the User Portal tab and click on Edit

  3. Update the SSO Issuer, SSO Client ID, and SSO Client Secret fields with the values noted in Step 5

Step 7: Create an API token in Okta

  1. In the main menu bar for Okta, select Security → API

  2. Select the Tokens tab

  3. Click the Create Token button

  4. In the Create Token form, provide your name for the token (e.g. Beyond Identity)

  5. Click the Create Token button

  6. Use the Copy button and save the API token as it will be used in Step 8

Step 8: Set up Beyond Identity Console for User Authentication

  1. Once logged into Beyond Identity Admin UI, click on the Integrations tab and then click on OIDC Client

  2. Click on Add OIDC Client and fill in:

    1. Name

    2. Redirect URI

      1. https://[customer_info].okta.com/oauth2/v1/authorize/callback

    3. Keep the default value for:

      1. Token Signing Algorithm (shown below)

      2. Auth Method (shown below)

  3. Select Save Changes

  4. Click on the newly created OIDC Client configuration and note down Client ID and Client Secret value. These values will be used in Step 9.

  5. On the Integrations tab click on API Extensions and then click on Install for Okta Registration Attribute

  6. Fill in the information for

    1. Okta Domain

    2. Okta API Token (from step 7)

    3. Okta Registration Attribute: byndidRegistered

  7. Click on Save Changes

Step 9: Configure Beyond Identity as the Identity Provider

  1. In the main Okta menu, select Security -> Identity Providers

  2. In the Identity Providers tab, click the Add Identity Provider button

  3. Select the Add OpenID Connect IdP option

    1. Note: This option will not be available in Okta until the support ticket described in the Prerequisites section is resolved (this applies only to sandbox and production instances, not developer instances).

  4. Fill in the fields:

    1. Name: Beyond Identity

    2. Client ID: from the OIDC Integration tab in the Beyond Identity Admin Portal

    3. Client Secret: from the OIDC Integration tab in the Beyond Identity Admin Portal

    4. Scopes: OpenID (Remove any additional scopes.)

    5. Issuer: https://auth.byndid.com/v2

    6. Authorization endpoint: https://auth.byndid.com/v2/authorize

    7. Token endpoint: https://auth.byndid.com/v2/token

    8. JWKS endpoint: https://auth.byndid.com/v2/.well-known/jwks.json

    9. Click on the Show Advanced Settings link

    10. IdP Username field: idpuser.externalId

    11. Match against: Okta Username or Email

    12. Leave Account Link Policy and Auto-Link restrictions with default options

    13. If no match is found: Redirect to Okta Sign-in Page

      See the images below for reference:

Step 10: Set up Event Hooks

The Event Hooks configuration is only required if you do not have SCIM capability enabled for your Okta tenant due to licensing restrictions.

  1. Click on Workflow → Event Hooks

  2. Click the Create Event Hook button

  3. Fill in the fields:

    1. Name: Beyond Identity Provisioning Flow

    2. URL: https://api.byndid.com/okta_events

    3. Authentication field: Authorization

    4. Authentication Secret: Type in “Bearer “ and paste the tenant API token provided by the Beyond Identity team

    5. Subscribe to the events:

      1. User added to group

      2. User removed from group

      3. User suspended

      4. User unsuspended

        Note that these events are near the end of the list, so you will need to scroll down:

    6. Click Save & Continue button

    7. You will see a new form titled Verify Endpoint Ownership

    8. Click the Verify button

      See the images below for reference:
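The endpoint in Steps 10 and 11 is operated by Beyond Identity, so the receiver itself is not something you configure. The following is an added example, not Beyond Identity's code, of what any receiver of these four Okta event types has to do: check the Authorization secret configured in Step 10 before anything else, answer Okta's one-time endpoint ownership challenge (the Verify button), and act only on membership changes for the group created in Step 2. The token value and e-mail addresses are constructed placeholders.

```python
import hmac
import json

# Constructed placeholder, not a real token: the value typed into the
# "Authentication Secret" field in Step 10 ("Bearer " + tenant API token).
EXPECTED_AUTH_HEADER = "Bearer EXAMPLE-TENANT-API-TOKEN"

# Name of the Okta group created in Step 2.
ENROLLMENT_GROUP = "Beyond Identity"

# Okta's event types for the four subscriptions in Step 10, mapped to the
# provisioning action a receiver would take for each.
HANDLED_EVENTS = {
    "group.user_membership.add": "enroll",
    "group.user_membership.remove": "unenroll",
    "user.lifecycle.suspend": "suspend",
    "user.lifecycle.unsuspend": "unsuspend",
}


def handle_event_hook(method, headers, body=""):
    """Handle one request from Okta; returns (http_status, response_json)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Reject any request without the shared secret, comparing in constant
    # time so the check leaks nothing about the expected value.
    presented = hdrs.get("authorization", "").encode()
    if not hmac.compare_digest(presented, EXPECTED_AUTH_HEADER.encode()):
        return 401, {"error": "unauthorized"}
    # One-time ownership verification (the Verify button in Step 10): Okta
    # sends a GET with a challenge header and expects it echoed back as JSON.
    if method == "GET":
        challenge = hdrs.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}
    if method != "POST":
        return 405, {"error": "method not allowed"}
    actions = []
    for event in json.loads(body).get("data", {}).get("events", []):
        action = HANDLED_EVENTS.get(event.get("eventType"))
        if action is None:
            continue  # not one of the subscribed event types
        targets = event.get("target", [])
        users = [t["alternateId"] for t in targets if t.get("type") == "User"]
        groups = [t.get("displayName") for t in targets if t.get("type") == "UserGroup"]
        # Membership changes count only when they concern the enrollment group.
        if action in ("enroll", "unenroll") and ENROLLMENT_GROUP not in groups:
            continue
        actions.extend((action, user) for user in users)
    return 200, {"processed": len(actions), "actions": actions}
```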

Step 11: Integrate Okta Event Hooks in the Admin Portal

  1. Once logged into Beyond Identity Admin UI, click on the Integrations tab and then click on API Extensions. Then click Install Okta Event Hooks.

  2. Enter your Okta domain, https://customer-name.okta.com, along with the Okta API token created in Step 7 and the Okta group name.

  3. Save the changes.

Step 12: Set up Routing Rules

  1. Click on Security → Identity Providers

  2. Select the Routing Rules tab

  3. Click on Add Routing Rule button

  4. Fill in the following parameters:

    1. Rule Name: Beyond Identity Authentication

    2. The default value for the fields:

      1. User IPs

      2. Device Platform

      3. Applications

    3. User Matches User Attribute

      1. byndidRegistered Equals true
        Note: These values are case sensitive, e.g. “True” will not work but “true” will.

    4. Then Use the identity provider Beyond Identity

  5. Click the Create Rule button

  6. Click the Activate button

  7. This rule must be positioned as the first rule

    See images below for reference:

Step 13: Adding Users to the Okta User Group

To enroll a user in the Beyond Identity experience, assign the user to the Beyond Identity user group in Okta.

  1. Click on Directory → Groups

  2. Select the Beyond Identity user group

  3. Click on the Manage People button

  4. Click on the + sign next to the user’s name in the column titled Not Members

  5. Click the Save button