Beyond Identity Admin Console SAML Single Sign-on (SSO)
This topic describes how to configure the Beyond Identity Admin Console web application for SSO using CyberArk Identity.
To configure the Beyond Identity User Console for SSO, see Beyond Identity User Console SAML Single Sign-on (SSO).
Beyond Identity is an MFA solution that provides users with a secure and frictionless MFA experience.
Beyond Identity Admin Console supported SSO features
You can configure the following SSO methods:
Method | Description |
---|---|
IdP-initiated SAML SSO | Configure SSO to enable your users to access the Beyond Identity Admin Console through the CyberArk Identity User Portal. |
SP-initiated SAML SSO | Configure SSO to enable your users to access the Beyond Identity Admin Console directly from the web application. |
Before you begin
Before you begin, make sure you have the following prerequisites:
- You have an SSO enabled Beyond Identity Admin Console subscription.
- You have CyberArk Identity users for SSO.
Configure CyberArk Identity SSO for Beyond Identity Admin Console
Step 1: Add the Beyond Identity Admin Manual app to the Identity Administration portal
- Go to Admin Portal > Apps > Web Apps and select Add Web Apps.
- In the app catalog window, search for the Beyond Identity Admin Console app and select Add. Confirm that you want to add the application.
- Close the app catalog window to go to the Beyond Identity Admin Console app configuration page.
- In the Application ID field, enter beyond_identity_admin_console.
- Go to the Trust tab.
- Under Identity Provider Configuration, enter the OpenID Connect Client Secret. This is the Client Secret established between CyberArk Identity and Beyond Identity.
- Under Service Provider Configuration, enter the following details from the Beyond Identity Admin Console:

Option | Description |
---|---|
Resource application URL | Enter the resource application URL. |
Authorized Redirect URIs | Enter all desired redirect URIs. At least one redirect URI is required. |
Step 2: Add permissions to the Beyond Identity Admin Console app
- Go to Admin Portal > Core Services > Roles and select Add Role.
- In the Name field, enter BIAdmins.
- Go to the Members tab. Select Add.
- Select the users, groups, or roles to assign to the Beyond Identity Admin Console app. Select Add.
- Select Save.
- Return to the Beyond Identity Admin Console app configuration page. Go to the Permissions tab and select Add. Search for the BIAdmins role and select Add.
Step 3: Enable Single Sign-on in your Beyond Identity account
- In the Beyond Identity Admin Console, go to Settings > Console Login.
- Under Admin Console SSO Integrations, select Add OIDC SSO.
- Enter the following details:

Option | Description |
---|---|
Client ID | Copy the OpenID Connect Client ID from the Trust tab of the Identity Administration portal and paste it into the Client ID field. |
Client Secret | Enter the Client Secret established between CyberArk Identity and Beyond Identity. |
Issuer | Copy the OpenID Connect Issuer URL from the Trust tab of the Identity Administration portal and paste it into the Issuer field. |
Token Field | Enter sub. |
Token Field Lookup | Enter external id. |

- Click Save Changes.
Step 4: Test the Beyond Identity Admin Console SSO configuration
- Navigate to the Beyond Identity Admin Console, enter your Tenant ID, and click Continue. The page redirects to CyberArk Identity for authentication.
- Enter your credentials. After successful authentication, the page redirects back to the Beyond Identity Admin Console and displays the web interface.
- Launch the Beyond Identity Admin Console application from the Identity User Portal. The page redirects to the Beyond Identity Admin Console and displays the web interface.
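When a test login fails, it helps to compare the claims in the ID token with the values entered in Step 3. The following is an added example, not CyberArk or Beyond Identity code: it assumes that Token Field sub with Token Field Lookup external id means the token's sub claim is matched against an admin's external id, and every URL, ID and token in it is constructed.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT. Diagnostics only: the signature
    is NOT verified here, so never use this to make an access decision."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_step3_values(claims, issuer, client_id, external_ids, token_field="sub"):
    """Return a list of mismatches between the token and the Step 3 settings."""
    problems = []
    # OIDC requires iss to match the configured issuer exactly (trailing slash counts).
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured Issuer {issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append(f"Client ID {client_id!r} not in aud {audiences!r}")
    value = claims.get(token_field)
    if value is None:
        problems.append(f"token has no {token_field!r} claim")
    elif value not in external_ids:
        # Assumption: Token Field Lookup 'external id' means this comparison.
        problems.append(f"{token_field}={value!r} matches no admin external id")
    return problems

# Constructed sample data: none of these values come from a real tenant.
ISSUER = "https://idp.example.com/oidc"
CLIENT_ID = "00000000-example-client-id"
ADMIN_EXTERNAL_IDS = {"alice@example.com"}

def make_sample_token(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"

GOOD = make_sample_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice@example.com"})
BAD = make_sample_token({"iss": ISSUER + "/", "aud": ["other"], "sub": "bob@example.com"})

if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_step3_values(decode_claims(token), ISSUER, CLIENT_ID, ADMIN_EXTERNAL_IDS))
```

An empty list means the token agrees with the configured Issuer, Client ID and Token Field mapping; each string in a non-empty list names one setting to recheck.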
Additional resources
For more information about configuring the Beyond Identity Admin Console for SSO, contact Beyond Identity Support.