Integrate with ADFS

Integrate Beyond Identity with ADFS. Here you will find:

  • The access needed in the Active Directory environment

  • Guide on how to perform the integration

Prerequisites


ADFS environment

Active Directory Federation Services (ADFS) is needed to enable identity federation.


Domain Administrator access to ADFS server

The integration will require a domain administrator to perform the following tasks on the ADFS server:

  1. Configure Beyond Identity as a Claims Provider

  2. Configure Admin Portal to ADFS Integration

  3. Configure an ADFS Anchor Claim for the Beyond Identity Claims Provider


If you would like your authenticator to be branded with your company logo, Beyond Identity will need a logo with the following requirements:

  1. 300 x 150 pixels or less

  2. File size of 10kb or less

  3. File types accepted: SVG, PNG, JPG, GIF


Metadata URL

Beyond Identity must be configured with your Relying Party metadata, which requires access to the ADFS federation metadata. ADFS publishes this metadata at a path like https://customer-domain.com/FederationMetadata/2007-06/FederationMetadata.xml.


Configuration

Step 1: Adding Claims Provider Trust

  1. Start Add Claims Provider Trust wizard

  2. Input Federation Metadata URL

    https://auth.byndid.com/wsfed/v0/FederationMetadata/2007-06/FederationMetadata.xml

  3. Click Next

  4. Specify the display name for Claims Provider Beyond Identity

  5. Click Next

  6. TBD


Step 2: Adding Claims Rule

  1. Open Edit Claims Rule for Beyond Identity

  2. Click Add Rule… button

  3. Select Pass Through or Filter an Incoming Claim option

  4. Click Next

  5. Claim rule name: Pass through UPN

  6. Select UPN as Incoming claim type

  7. Select Pass through all claim values option

  8. Click Finish


Step 3: Beyond Identity Admin Portal Configuration

  1. Select Application Groups folder

  2. Start Add Application Group… wizard

  3. Name: Beyond Identity Admin Portal

  4. Select Server application accessing a web API template from Client-Server applications

  5. Click Next

  6. Name: Beyond Identity Admin Portal - Server Application

  7. Redirect URI: https://admin.byndid.com/auth/callback

  8. Copy the Client Identifier to Notepad

  9. Click Next

  10. Check Generate a shared secret box

  11. Click Copy to clipboard button

  12. Paste to Notepad on a new line

  13. Click Next

  14. Name: Beyond Identity Admin Portal - Web API

  15. Identifier: https://admin.byndid.com

  16. Click Next

  17. Select appropriate permissions

  18. Click Next

  19. Check openid checkbox

  20. Click Next

  21. Click Next

  22. Click Close


Step 4: Beyond Identity User Portal Configuration

  1. Select Application Groups folder

  2. Start Add Application Group… wizard

  3. Name: Beyond Identity User Portal

  4. Select Server application accessing a web API template from Client-Server applications

  5. Click Next

  6. Name: Beyond Identity User Portal - Server Application

  7. Redirect URI: https://user.byndid.com/auth-user/callback

  8. Copy the Client Identifier to Notepad, note for which portal this is

  9. Click Next

  10. Check Generate a shared secret box

  11. Click Copy to clipboard button

  12. Paste to Notepad on a new line, note for which portal this is

  13. Click Next

  14. Name: Beyond Identity User Portal - Web API

  15. Identifier: https://user.byndid.com

  16. Click Next

  17. Select appropriate permissions

  18. Click Next

  19. Check openid checkbox

  20. Click Next

  21. Click Next

  22. Click Close


Step 5: Configure ADFS Anchor Claim for Beyond Identity Claims Provider

Beyond Identity supports a single anchor claim type, so only one claim type can be configured for the claims provider trust.

  1. Open PowerShell as an administrator

  2. Run commands

    # Anchor the Beyond Identity claims provider trust on the UPN claim type
    Set-AdfsClaimsProviderTrust -TargetIdentifier https://auth.byndid.com/wsfed/v0 -AnchorClaimType http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    # Enable the IdP-initiated sign-on page
    Set-AdfsProperties -EnableIdPInitiatedSignonPage:$true


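As a post-configuration check, the following PowerShell script (added here, not part of the Beyond Identity guide) reads back the ADFS objects created in Steps 1 to 5 and reports anything that deviates from the values used above. It assumes the ADFS PowerShell module is loaded and that the application names match the ones used in Steps 3 and 4.

```powershell
# Added verification script, not part of the Beyond Identity guide. Expected values are
# taken from the steps above; the application names are assumed to match Steps 3 and 4.
$ExpectedIdentifier = 'https://auth.byndid.com/wsfed/v0'
$ExpectedAnchor     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$ExpectedMetadata   = 'https://auth.byndid.com/wsfed/v0/FederationMetadata/2007-06/FederationMetadata.xml'
$ExpectedRedirects  = @{
    'Beyond Identity Admin Portal - Server Application' = 'https://admin.byndid.com/auth/callback'
    'Beyond Identity User Portal - Server Application'  = 'https://user.byndid.com/auth-user/callback'
}

function Test-BeyondIdentityAdfsConfig {
    $problems = @()

    # Steps 1 and 5: the claims provider trust must exist and be anchored on UPN
    $trust = Get-AdfsClaimsProviderTrust -Identifier $ExpectedIdentifier -ErrorAction SilentlyContinue
    if (-not $trust) {
        $problems += "No claims provider trust with identifier $ExpectedIdentifier (re-run Step 1)"
    } else {
        if ($trust.AnchorClaimType -ne $ExpectedAnchor) {
            $problems += "AnchorClaimType is '$($trust.AnchorClaimType)', expected UPN (re-run Step 5)"
        }
        if ($trust.MetadataUrl -and $trust.MetadataUrl.AbsoluteUri -ne $ExpectedMetadata) {
            $problems += "Metadata URL is '$($trust.MetadataUrl)', expected $ExpectedMetadata"
        }
        # Step 2: the acceptance rule should reference the UPN claim type and nothing broader
        $rules = [string]$trust.AcceptanceTransformRules
        if ($rules -notmatch [regex]::Escape($ExpectedAnchor)) {
            $problems += "No acceptance rule references the UPN claim type (re-run Step 2)"
        }
        if ($rules -match 'c:\[\]') {
            $problems += "An acceptance rule passes through every incoming claim; restrict it to UPN"
        }
    }

    # Step 5: the IdP-initiated sign-on page must be enabled
    if (-not (Get-AdfsProperties).EnableIdPInitiatedSignonPage) {
        $problems += "EnableIdPInitiatedSignonPage is false (re-run Step 5)"
    }

    # Steps 3 and 4: each server application must use exactly the expected redirect URI
    foreach ($name in $ExpectedRedirects.Keys) {
        $app = Get-AdfsServerApplication -Name $name -ErrorAction SilentlyContinue
        if (-not $app) { $problems += "Server application '$name' not found"; continue }
        $diff = Compare-Object @($app.RedirectUri) @($ExpectedRedirects[$name])
        if ($diff) {
            $problems += "'$name' redirect URIs are [$($app.RedirectUri -join ', ')], expected $($ExpectedRedirects[$name])"
        }
    }
    return $problems
}

$issues = Test-BeyondIdentityAdfsConfig
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'ADFS configuration matches the guide' }
```

Run it in an elevated PowerShell session on the ADFS server after Step 5; an empty result means every object matches the values in this guide.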

Step 6: Finalize Beyond Identity Portal Configurations

Open the properties of your ADFS service and copy the Federation Service name to Notepad. Pass the values from Notepad to the Beyond Identity team, who will set up the initial values in the configuration. You can update the settings from the Beyond Identity Admin Portal later on.