Beyond Identity User Console SAML Single Sign-on (SSO)
This topic describes how to configure the Beyond Identity User Console web application for SSO using CyberArk Identity, how to set up the Beyond Identity User Console for provisioning, and how to add the Beyond Identity User Console as an external identity provider.
To configure the Beyond Identity Admin Console for SSO, see Beyond Identity Admin Console SAML Single Sign-on (SSO).
Beyond Identity is an MFA solution that provides users with a secure and frictionless MFA experience.
Beyond Identity User Console supported SSO features
Beyond Identity User Console supports the following features:
- SP-initiated SSO
- IdP-initiated SSO
- SCIM-based user provisioning
- Addition as an External Identity Provider
Before you begin
Before you begin, make sure you have the following prerequisites:
- You have an SSO-enabled Beyond Identity User Console subscription.
- You have CyberArk Identity users for SSO.
Configure CyberArk Identity SSO for Beyond Identity User Console
Step 1: Add the Beyond Identity User Console app to the Identity Administration portal
- Go to Admin Portal > Apps > Web Apps and select Add Web Apps.
- In the app catalog window, search for the Beyond Identity User Console app and select Add. Confirm that you want to add the application.
- Close the app catalog window to go to the Beyond Identity User Console app configuration page.
- In the Application ID field, enter beyond_identity_user_console.
- Go to the Trust tab.
- Under Identity Provider Configuration, enter the OpenID Connect Client Secret. This is the Client Secret established between CyberArk Identity and Beyond Identity.
- Under Service Provider Configuration, enter the following details from the Beyond Identity Admin Console:

Option | Description
---|---
Resource application URL | Enter the resource application URL.
Authorized Redirect URIs | Enter all desired redirect URIs. At least one redirect URI is required.
Step 2: Add permissions to the Beyond Identity User Console app
- Go to Admin Portal > Core Services > Roles and select Add Role.
- In the Name field, enter BIUsers.
- Go to the Members tab. Select Add.
- Select the users, groups, or roles to assign to the Beyond Identity User Console app. Select Add.
- Select Save.
- Return to the Beyond Identity User Console app configuration page. Go to the Permissions tab and select Add. Search for the BIUsers role and select Add.
Step 3: Enable Single Sign-on in your Beyond Identity account
- In the Beyond Identity Admin Console, go to Settings > Console Login.
- Under User Console SSO Integrations, select Add OIDC SSO.
- Enter the following details:

Option | Description
---|---
Client ID | Copy the OpenID Connect Client ID from the Trust tab of the Identity Administration portal and paste it into the Client ID field.
Client Secret | Enter the Client Secret established between CyberArk Identity and Beyond Identity.
Issuer | Copy the OpenID Connect Issuer URL from the Trust tab of the Identity Administration portal and paste it into the Issuer field.
Token Field | Enter sub.
Token Field Lookup | Enter external id.

- Click Save Changes.
Beyond Identity User Console SCIM provisioning
SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as your custom SAML app. For more information about SCIM, see www.simplecloud.info.
Step 1: Enable SCIM provisioning in CyberArk Identity
- Open the Beyond Identity app configuration page in the CyberArk Identity Admin Portal.
- Go to the Provisioning tab.
- Select Enable provisioning for this application.
- Select either Preview Mode or Live Mode.

Mode | Description
---|---
Preview Mode | Use Preview Mode when you're initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make, but the changes aren't saved.
Live Mode | Use Live Mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application's account information.

- Enter the SCIM Service URL and Bearer Token values provided by Beyond Identity.
- Click Verify.
- Under Sync Options, specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.

  How CyberArk Identity determines duplicate user accounts: if the user accounts in CyberArk Identity and the target application match on the fields that make the user unique, CyberArk Identity handles the user account updates according to your instructions. In many applications, the user's email address or Active Directory userPrincipalName is the primary field used to identify a user, and in many cases the userPrincipalName is the email address. You can look at the application's provisioning script to see the fields that CyberArk Identity uses to match user accounts.

  - Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).
  - Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.
  - Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.
  - Select Deprovision users in this application when they are disabled in source directory to enable the feature. If checked, a user is deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.
- Under Role Mappings, select Add to add the necessary role mappings.
- (Optional) If required, provide the necessary mappings under the Provisioning Script section.
- Click Save.

Now the application is ready for SCIM provisioning.
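The following is an added example, not CyberArk Identity or Beyond Identity code: it models the provisioning choices described above (Preview Mode versus Live Mode, Sync (overwrite) versus Do not sync, and deprovisioning users disabled in the source directory) against constructed sample accounts, so you can see what each setting does to a duplicate account before switching a tenant to Live Mode. Accounts are matched on the SCIM userName, which here is the email address; the user records, the `title` attribute and the function names are assumptions of this example.

```python
from copy import deepcopy

SYNC_OVERWRITE = "Sync (overwrite)"
NO_OVERWRITE = "Do not sync (no overwrite)"

# Constructed sample data, not real tenant data. Records use SCIM 2.0 core
# attribute names and are keyed by userName (the email address) for matching.
SOURCE_USERS = {  # what CyberArk Identity supplies for each user
    "ada@example.com": {"userName": "ada@example.com", "displayName": "Ada L."},
    "bob@example.com": {"userName": "bob@example.com", "displayName": "Bob K."},
    "eve@example.com": {"userName": "eve@example.com", "displayName": "Eve M."},
}
DISABLED_IN_SOURCE = {"bob@example.com"}  # disabled in the source directory
TARGET_USERS = {  # what the target application already holds
    # 'title' is only in the target, so overwrite mode removes it
    "ada@example.com": {"userName": "ada@example.com", "displayName": "A. Lovelace",
                        "title": "Engineer", "active": True},
    "bob@example.com": {"userName": "bob@example.com", "displayName": "Bob K.",
                        "active": True},
}


def plan_sync(source, disabled, target, duplicate_mode, deprovision_disabled):
    """Work out what one provisioning run would do; changes nothing."""
    plan = []
    for name, attrs in source.items():
        wanted = {**attrs, "active": True}
        if name not in target:
            plan.append((name, "create", wanted))
        elif name in disabled and deprovision_disabled:
            plan.append((name, "deactivate", {**target[name], "active": False}))
        elif duplicate_mode == SYNC_OVERWRITE:
            # Duplicate found: the target record becomes exactly the source's
            # attributes, which drops any value the source does not supply.
            action = "update" if target[name] != wanted else "unchanged"
            plan.append((name, action, wanted))
        else:
            plan.append((name, "skip", target[name]))  # no overwrite
    return plan


def run_provisioning(source, disabled, target, duplicate_mode,
                     deprovision_disabled, live_mode):
    """Preview Mode returns the plan and the untouched target; Live Mode
    applies the plan to a copy. Returns (plan, resulting target state)."""
    plan = plan_sync(source, disabled, target, duplicate_mode, deprovision_disabled)
    if not live_mode:
        return plan, target
    result = deepcopy(target)
    for name, action, attrs in plan:
        if action in ("create", "update", "deactivate"):
            result[name] = attrs
    return plan, result
```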
Step 2: Configure outbound provisioning
- In the Identity Administration portal, go to Settings > Users > Outbound Provisioning.
- Select Beyond Identity User Console from the dropdown list, and click Start Sync.

All provisioned user accounts are synchronized for the Beyond Identity User Console application.
Add Beyond Identity as an External Identity Provider
Step 1: Add Beyond Identity as an External Identity Provider in CyberArk Identity
- In the Identity Administration portal, go to Settings > Users > External Identity Providers and click Add.
- Enter the following details:

Option | Description
---|---
External Identity Provider Name | Enter Beyond Identity.
Federation Type | Select SAML 2.0.
Federation Domains | Click Add. Enter the domain users may use as part of their login and click Add. Repeat for additional domains.

- Select Outbound Metadata.
- Under Option 2: Download Service Provider Metadata, click the Download Metadata button.
- In a new tab, open the Beyond Identity Admin Console, and go to Integrations > SAML.
- Click Add SAML Connection.
- Click Upload XML and select the file downloaded from the Identity Administration portal.
- Update the Name and Attribute Statements as required.
- Click Save Changes.
- Click the Download Metadata icon to the right of the added SAML connection.
- Switch back to your Identity Administration portal tab.
- Select Inbound Metadata.
- Under Option 2: Upload IDP configuration from a file, click Browse and select the file downloaded from the Beyond Identity Admin Console.
- Click Save.
Step 2: Download Beyond Identity
- Once Beyond Identity has been configured as an external identity provider, you will receive an email from Beyond Identity. Open the email.
- Under Step 1: Get Authenticator, click View Download Options, select your operating system, and click Download.
- Once downloaded, follow the installation process to install the Beyond Identity Authenticator on the device.
- Under Step 2: Register credential, click Register New Profile. Your credential is registered on the device.
Test Beyond Identity User Console SSO configuration
- Navigate to the Beyond Identity User Console login page: https://user.byndid.com/auth-user/?org_id=<bi_tenant_name>.
- Log in with authenticated user credentials. After successful authentication through CyberArk Identity, you will receive an "Identity is verified" confirmation message.
- Launch the Beyond Identity User Console web application from the CyberArk Identity User Portal. You will receive an "Identity is verified" confirmation message.

Beyond Identity expects users to log in using IdP-initiated SSO.
Additional resources
For more information about configuring the Beyond Identity User Console for SSO, contact Beyond Identity Support.