Integrate with PingFederate

Integrate Beyond Identity with PingFederate. This guide provides information on how to:

  • Set up passwordless authentication to your PingFederate single sign-on

  • Set up Beyond Identity as a Delegated Identity Provider in PingFederate

Prerequisites:


A PingFederate account with administrator privileges

The configuration performed in PingFederate requires an administrator account that can access and edit the following:

  1. Add/edit IDP Connection in Service Provider > IDP Connections

  2. Add/edit Authentication Policy Contracts in Service Provider > Policy Contracts

  3. Add/edit Authentication Policies in Service Provider > Policies

  4. Ensure the SCIM Connector is enabled: under Applications > Integrations > SP Connection > Create > Use a template, open the drop-down and confirm that SCIM Connector is listed as an option


If you would like your authenticator to be branded with your company logo, Beyond Identity will need a logo with the following requirements:

  1. 300 x 150 pixels or less

  2. File size of 10 kB or less

  3. File types accepted: SVG, PNG, JPG, GIF


Company Name

We will need to configure a tenant name within Beyond Identity.


Part 1: Beyond Identity Configuration

Information to provide to the Beyond Identity team

Please provide the following information to the Beyond Identity team.

  1. Your corporation's name

  2. A logo for your corporation (Optional)

    1. Logo requirements:

      1. 300 x 150 pixels or less

      2. File size of 10 kB or less

      3. File types accepted: SVG, PNG, JPG, or GIF

Information to receive back from the Beyond Identity team

After receiving the information above, the Beyond Identity team will create your account and send back the following information to be used in Part 2: PingFederate Configuration.

  1. A set of Beyond Identity IdP endpoint URLs

  2. Client ID

  3. Client Secret


Part 2: PingFederate Configuration

To configure Beyond Identity as the IdP in PingFederate, follow the steps below. Once these steps are complete, you will be ready to enable Beyond Identity for test users in Part 3.

Step 1: Create Beyond Identity IdP Connection:

The image below shows an example administrator view in PingFederate and illustrates the steps listed below for navigating to IdP Connection creation:

  1. Sign into the PingFederate portal as an administrator.

  2. In the main PingFederate menu, select IdP Adapters

     

  3. On the IdP Adapters page, select IdP Connections, then Create Connection

     

  4. On the IdP Connection page, Connection Type tab, select Browser SSO Profiles

  5. Protocol: OpenID Connect.

     

  6. On the Connection Options tab select “Browser SSO” and click next.

     

  7. On the General Info tab, enter the values below for the fields listed and leave the remaining fields empty or at their default values.

  8. Issuer: https://auth.byndid.com/v2

  9. Click the Load Metadata button next to the Issuer field.

  10. You will see the “Metadata Successfully loaded” message next to the “Load Metadata” button.

  11. Connection Name: Beyond Identity OIDC Integration

  12. Client ID: tenant_id

  13. Client Secret: tenant_api_token

  14. Company: Beyond Identity Inc.

  15. Error Message: errorDetail.spSsoFailure (Default value)

  16. Transaction Logging: Standard (Default value)

  17. Click on Save

     

  18. On the Browser SSO tab click on Configure Browser SSO button

  19. On the IdP Connection → Browser SSO page, User-Session Creation tab, click on Configure Protocol Settings button (Review and possibly remove this step)

  20. On the IdP Connection → Browser SSO → User-Session Creation page, select the Identity Mapping tab, select No Mapping, and click Next

  21. On the IdP Connection → Browser SSO → User-Session Creation page, Attribute Contract tab, leave the default value and click Next

  22. On the IdP Connection → Browser SSO → User-Session Creation page, Summary tab, review the changes and click Done

  23. On the IdP Connection → Browser SSO page, Protocol Settings tab, click the Configure Protocol Settings button

  24. On the IdP Connection → Browser SSO → Protocol Settings page, OpenID Provider Info tab, configure the following fields and leave the remaining fields empty or at their default values

    1. Scopes: openid

    2. Authorization Endpoint: https://auth.byndid.com/v2/authorize

    3. OpenID Connect login type: Code

    4. Authentication Scheme: Basic

    5. Token Endpoint: https://auth.byndid.com/v2/token

    6. JWKS URL: https://auth.byndid.com/v2/.well-known/jwks.json

    7. Leave remaining fields unchanged

  25. Click Save

     

  26. Click next on IdP Connection → Browser SSO → Protocol Settings → Overrides tab

     

  27. Click Save on IdP Connection → Browser SSO → Protocol Settings → Summary tab

     

  28. On the IdP Connection → Summary page, note down the “Redirect URI” value and provide it to the Beyond Identity field team (the value shown here is just an example)

     


Step 2: Create Authentication Policy Contract

  1. In the main PingFederate menu, select Authentication → Policies

     

  2. Under Policy Contracts, click the Create New Contract button

     

  3. On the Authentication Policy Contract page, Contract Info tab, add Contract Name as bidcontract

  4. Click Next button

     

  5. On the Authentication Policy Contract page, Contract Attribute tab, leave the default value of Attribute Contract as Subject

  6. Click Next button

  7. Verify the information on the Authentication Policy Contract page, Summary tab, and click Save

     


Step 3: Create Authentication Policies

  1. In the main PingFederate menu, select Authentication → Policies

  2. Click on the Add Policy button

     

  3. On the Authentication → Policies → Policy page, make the following changes to create a new policy:

    1. Name: Beyond Identity

  4. On the Authentication → Policies → Policy page, click on the Policy pulldown menu and select IdP Connections and then select Beyond Identity IdP Connection

  5. For Fail select Done

  6. For Success select Policy Contract from the pulldown menu

  7. Select bidcontract

     

  8. Click on Contract Mapping

  9. On the Authentication → Policy → Authentication Policy Contract Mapping page, Attribute Sources and Users Lookup tab, click the Add Attribute Source button

     

  10. On the Authentication Policies → Policy → Authentication Policy Contract Mapping → Attribute Sources & User Lookup page, Data Store tab, update the following:

    1. Attribute Source ID: LDAP

    2. Attribute Source Description: LDAP server used to store user attributes

    3. Active Data Store: e.g. aws-production-ad (From pull-down select your directory instance)

    4. Data Store type is auto-populated as LDAP

  11. Click the Next button to go to the LDAP Directory Search tab

     

  12. On the Authentication Policies → Policy → Authentication Policy Contract Mapping → Attribute Sources & User Lookup page, the LDAP Directory Search tab, update the following:

    1. Base DN: CN=Users,DC=subdomain,DC=topleveldomain (e.g. DC=ByndID,DC=com for the byndid.com domain)

    2. Search Scope: Subtree

  13. Under Attributes to return from search, select the byndid class from the Root Object Class pull-down menu, select byndidFingerprint from the next pull-down menu, and click Add Attribute

  14. Again under Root Object Class, select the byndid class, select byndidStatus from the next pull-down menu, and click Add Attribute

  15. These two attributes, together with Subject DN, are the output of the LDAP query

  16. On the LDAP Directory Search tab, click the Next button

     

  17. On the Authentication Policies → Policy → Authentication Policy Contract Mapping → Attribute Sources & User Lookup page, the LDAP Filter tab, update the following:

    1. Add the following filter, which compares the subject field with the stored fingerprint for users whose byndidStatus is registered: (&(byndidFingerprint=${idp.https://auth.byndid.com.sub})(byndidStatus=registered))

  18. Click the Next button

  19. On the Authentication Policies → Policy → Authentication Policy Contract Mapping → Attribute Sources & User Lookup page, Summary tab, review the following

  20. Review all the changes on the Summary page

  21. Click the Done button

  22. On the Authentication Policies → Policy → Authentication Policy Contract Mapping → Attribute Source & Users Lookup tab, click the Next button

  23. On the Authentication Policies → Policy → Authentication Policy Contract Mapping page, Contract Fulfillment tab, update the following:

    1. Contract Fulfillment shows subject by default

    2. For the Source column, select LDAP

    3. For the Value column, select mail

  24. Click the Next button

  25. On the Authentication Policies → Policy → Authentication Policy Contract Mapping page, Issuance Criteria tab, note the following:

    1. This tab is used to configure disqualifying criteria

    2. Do not add any rules here

  26. Click the Next button

  27. On the Authentication Policies → Policy → Authentication Policy Contract Mapping page, Summary tab, review all the changes

  28. Click the Done button

  29. On the Authentication Policies → Policy page, click the Done button

  30. On the Authentication Policies page, click the Save button
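The lookup this policy performs, as an added Python model (not PingFederate or Beyond Identity code): it evaluates the Step 3 filter against a constructed directory, escaping the `sub` value per RFC 4515 before substitution, and returns the mail attribute that Contract Fulfillment maps to subject, or None when the policy should take the Fail branch. The directory entries, fingerprint values and the escaping helper are assumptions for illustration.

```python
"""Model of the Step 3 lookup: the IdP `sub` claim is matched against
byndidFingerprint and only entries with byndidStatus=registered yield a
subject. Constructed example, not PingFederate code."""
import re
from typing import Optional

# Constructed entries standing in for the CN=Users,DC=ByndID,DC=com search base.
DIRECTORY = [
    {"mail": "alice@byndid.com", "byndidFingerprint": "fp-alice-0001",
     "byndidStatus": "registered"},
    {"mail": "bob@byndid.com", "byndidFingerprint": "fp-bob-0002",
     "byndidStatus": "pending"},  # enrolled but not yet registered
]

# The guide's filter, with the ${idp....sub} reference replaced by a format slot.
FILTER_TEMPLATE = "(&(byndidFingerprint={sub})(byndidStatus=registered))"


def ldap_escape(value: str) -> str:
    """RFC 4515: escape \\ * ( ) and NUL so the value is matched literally."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _assertion_regex(assertion: str) -> str:
    """Assertion value to regex: \\xx is a literal character, a bare * a wildcard."""
    out, i = [], 0
    while i < len(assertion):
        if assertion[i] == "\\":
            out.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(".*" if assertion[i] == "*" else re.escape(assertion[i]))
            i += 1
    return "".join(out)


def matches(entry: dict, ldap_filter: str) -> bool:
    """Evaluate the filter subset used here: an AND of equality items."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("only (&(a=v)(b=w)...) filters are modelled")
    items = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter[2:-1])
    return all(re.fullmatch(_assertion_regex(v), entry.get(a, "")) for a, v in items)


def lookup_mail(sub: str) -> Optional[str]:
    """Return the mail value mapped to subject in Contract Fulfillment, or None."""
    flt = FILTER_TEMPLATE.format(sub=ldap_escape(sub))
    hits = [e for e in DIRECTORY if matches(e, flt)]
    return hits[0]["mail"] if len(hits) == 1 else None  # no or ambiguous match -> Fail
```

Because the value is escaped, a `sub` containing filter metacharacters such as `*` is compared literally and simply fails to match.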


Part 4: Set up outbound provisioning

  1. Navigate to Applications → SP Connections

  2. Click on Create Connection

     

  3. Select Use a template for this connection

  4. Select the SCIM Connector template

  5. Click Next

     

  6. Select the Outbound Provisioning connection type, which is used to make SCIM requests to the Beyond Identity API

  7. Click Next

     

  8. Change the connection name to Beyond Identity Provisioning

  9. Click Next

     

  10. On the next screen you will configure the values needed to connect to the SCIM server and select which users will be provisioned. Click Configure Provisioning

     

  11. Enter the following values in each field:

    1. SCIM URL: https://api.byndid.com/scim

    2. SCIM Version: 2.0

    3. Authentication Method: OAuth 2 Bearer Token

    4. Access Token: your API token, supplied by Beyond Identity when your account is created

    5. All other fields can be customized for your environment or left at their default values, as shown in the image below:

       

  12. In the following screen, create a Channel configuration

    1. Channels poll a DataStore connection and run a filter against the existing accounts

    2. The resulting users will be provisioned into your organization’s Beyond Identity environment

  13. Click Create

     

  14. Under Channel Name type Beyond Identity Users

  15. Click Next

     

  16. Select the DataStore connection from which user accounts will be read for provisioning into your organization’s Beyond Identity account

  17. Click Next

     

  18. Configure the Source Settings as necessary for your DataStore connection

    1. The settings shown below are known-good defaults for an Active Directory connection

    2. Changed User/Groups Algorithm: Timestamp (there is a known PingFederate issue that could cause problems with SCIM)

  19. Click Next when done

     

  20. The following screen configures which user accounts and groups the SCIM Connector will read from your directory to provision on your organization’s Beyond Identity account. The example filter provided will provision users added to a group called Beyond Identity into the Beyond Identity cloud directory.

    1. Base DN: Base DN where user accounts are located in the datastore (e.g. DC=BeyondIdentity,DC=us)

    2. Users (blank)

    3. Group DN: (optional) DN for user accounts (e.g. CN=Users)

    4. Filter: (required) LDAP filter for user accounts (e.g. (&(objectCategory=user)(memberOf=CN=Beyond Identity,CN=Users,DC=BeyondIdentity,DC=us)))

    5. Nested Search: (optional) Whether the query runs a nested search

    6. Groups (blank)

    7. Group DN: (optional) DN for directory groups (e.g. CN=Users)

    8. Filter: (required) LDAP filter for directory groups

    9. Nested Search: (optional) Whether the query runs a nested search

  21. Click Next when done

  22. The following screen configures how directory attributes for each account are mapped to SCIM attributes as they are provisioned into your organization’s Beyond Identity account

    1. Make any necessary changes here

  23. Click Next when done

  24. On the Summary page, review the settings shown below, then change the Channel Status switch to Active

  25. Click Done when finished

     

  26. Click Done

     

  27. Click Next

     

  28. The following screen shows a summary of the settings configured for the SCIM Connector. Review the configuration, then change the switch at the top of the page to ON to activate the SCIM Connector. Click the Save button at the bottom of the page when done.

     

  29. A new connection will be displayed under the Application > SP Connections screen as shown below:

    The SCIM Connector’s channel will start provisioning user accounts at a frequency determined by the setting under System → Server → Protocol Settings → Outbound Provisioning → Synchronization Frequency (secs)

  30. Log in to your organization’s Beyond Identity Administration page; the provisioned users are shown under the Users tab
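As an added example (not PingFederate or Beyond Identity code), this Python model of the channel applies the group criterion from step 20, the Timestamp change algorithm from step 18 and a SCIM 2.0 core-schema mapping for step 22, and builds the requests one sync cycle would issue to the SCIM URL without sending them. The directory records, the sAMAccountName-to-userName mapping and the token placeholder are assumptions.

```python
"""Model of the Part 4 channel: group criterion (step 20), Timestamp change
algorithm (step 18) and SCIM 2.0 attribute mapping (step 22). Constructed
example, not PingFederate or Beyond Identity code; nothing is sent."""
import json
from datetime import datetime

SCIM_URL = "https://api.byndid.com/scim"           # from the guide
ACCESS_TOKEN = "<API_TOKEN_PLACEHOLDER>"             # issued by Beyond Identity
TARGET_GROUP = "CN=Beyond Identity,CN=Users,DC=BeyondIdentity,DC=us"

def ad_user(sam, mail, given, sn, groups, changed_iso):
    """Build a constructed Active Directory record (whenChanged as UTC ISO 8601)."""
    return {"sAMAccountName": sam, "mail": mail, "givenName": given, "sn": sn,
            "objectCategory": "user", "memberOf": groups,
            "whenChanged": datetime.fromisoformat(changed_iso)}

AD_USERS = [  # constructed sample directory; only the first two are in the group
    ad_user("jdoe", "jdoe@beyondidentity.us", "Jane", "Doe", [TARGET_GROUP], "2023-05-02T09:30:00+00:00"),
    ad_user("rroe", "rroe@beyondidentity.us", "Rick", "Roe", [TARGET_GROUP], "2023-04-01T08:00:00+00:00"),
    ad_user("svc-backup", "", "", "", [], "2023-05-02T10:00:00+00:00"),
]

def in_scope(user: dict) -> bool:
    """Same criterion as the guide's (&(objectCategory=user)(memberOf=<group>)) filter."""
    return user["objectCategory"] == "user" and TARGET_GROUP in user["memberOf"]

def changed_since(user: dict, last_sync: datetime) -> bool:
    """Timestamp algorithm: only records modified after the previous sync are sent."""
    return user["whenChanged"] > last_sync

def to_scim_user(user: dict) -> dict:
    """Map AD attributes onto the SCIM 2.0 core User schema (RFC 7643); mapping is an assumption."""
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": user["sAMAccountName"], "active": True,
            "name": {"givenName": user["givenName"], "familyName": user["sn"]},
            "emails": [{"value": user["mail"], "primary": True}]}

def build_requests(users: list, last_sync: datetime) -> list:
    """SCIM POST requests one sync cycle would issue to the Users endpoint (RFC 7644)."""
    headers = {"Authorization": f"Bearer {ACCESS_TOKEN}", "Content-Type": "application/scim+json"}
    return [{"method": "POST", "url": f"{SCIM_URL}/Users", "headers": headers,
             "body": json.dumps(to_scim_user(u))}
            for u in users if in_scope(u) and changed_since(u, last_sync)]

def pending_usernames(last_sync_iso: str) -> list:
    """userNames the cycle after `last_sync_iso` (UTC ISO 8601) would provision."""
    return [json.loads(r["body"])["userName"]
            for r in build_requests(AD_USERS, datetime.fromisoformat(last_sync_iso))]
```

Adding a user to the Beyond Identity group (Part 5) updates whenChanged, so the next cycle picks that account up while accounts outside the group are never sent.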

     


Part 5: Adding Users

  1. To enable a user to be enrolled in the Beyond Identity experience, add the user to the Beyond Identity group in Active Directory