Beyond Identity

Beyond Identity delivers fundamentally secure, frictionless passwordless authentication to stop credential attacks and account takeovers. It eliminates passwords and the vulnerability and risk they bring, replacing passwords with fundamentally secure X.509 certificates and TLS without any certificate management.

This empowers you to provide Strong Customer Authentication (SCA) securely without a second device or one time code.

You can also capture user and device security attributes for authentication policy and enable step-up authentication for higher risk actions.

This guide provides information on how to set up and use Beyond Identity as an Identity Provider in order to allow your workforce to authenticate without the use of a password.

Prerequisites

Before you begin:

• Make sure you have an Auth0 account and tenant. Sign up for free.
• Make sure you are using the New Universal Login experience (default)

1. Create the Beyond Identity Admin Application in Auth0

1. Go to Applications > Applications > Create Application in the Auth0 Dashboard
2. Name the Application "Beyond Identity Admin Portal" and select Regular Web Application
3. Select Create
4. Select the Settings tab and make note of the Domain, Client ID, and Client Secret. The Beyond Identity team will use these values to configure access into the Beyond Identity Admin Portal.
5. (Optional) Add the Beyond Identity logo to the Application Logo field: https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png
6. Scroll down to the Application URIs section and enter the following values:
   • Application Login URI: https://admin.byndid.com/login
   • Allowed Callback URLs: https://admin.byndid.com/auth/callback
7. Scroll down and select Save Changes

2. Set Up Admin Portal Access

Provide Client ID and Client Secret assigned to Admin Application in Auth0 above to a Beyond Identity SE. The Beyond Identity team will collect and configure those values at the backend.

3. Create the Beyond Identity User Portal Application in Auth0

Note: the steps below require a Beyond Identity tenant name, which will be provided by your Beyond Identity SE.

1. Go to Applications > Applications > Create Application in the Auth0 Dashboard
2. Name the Application "Beyond Identity User Portal" and select Regular Web Application
3. Select Create
4. Select the Settings tab and make note of the Domain, Client ID, and Client Secret.
5. (Optional) Add the Beyond Identity logo to the Application Logo field: https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png
6. Scroll down to the Application URIs section and enter the following values:
   • Application Login URI: https://user.byndid.com/auth-user/?org_id=BEYOND_IDENTITY_TENANT_NAME
   • Allowed Callback URLs: https://user.byndid.com/auth-user/callback
7. Scroll down and select Save Changes

Provide the Application data from above to the Beyond Identity team before proceeding.

4. Set Up Beyond Identity User Portal Authentication

1. Once logged into Beyond Identity Admin UI, click on Account Settings in the upper right-hand corner
2. Click on User Portal tab, then click on Edit, and populate the following fields:
   • Set the SSO Issuer to the Domain from step 3.4 above
   • Set the SSO Client ID to the Client ID from step 3.4 above
   • Set the SSO Client Secret to the Client ID from step 3.4 above
3. Click Save Changes

5. Set Up Beyond Identity Service for User Authentication

1. While logged into Beyond Identity Admin UI, click on Integrations tab and then click on OIDC Clients
2. Click on Add OIDC Client and populate the following fields:
   1. Name: Auth0 SSO (or something similar)
   2. Redirect URL: https://YOUR_AUTH0_DOMAIN/login/callback
      1. Replace YOUR_AUTH0_DOMAIN with your Auth0 domain or configured custom domain. For example: https://byndid-auth0-demo.us.auth0.com/login/callback
   3. Leave Token Signing Algorithm and Auth Method as default
3. Click Save Changes
4. Click on the newly created OIDC Client configuration and write down Client ID and Client Secret Value. (You will be using these values in the next step.)

6. Enable New Login Experience Required for OIDC Connections

1. Go to Branding > Universal Login in the Auth0 dashboard
2. In the Settings tab, select the New experience
3. Scroll down and select Save Changes

7. Configure Beyond Identity as the Identity Provider in Auth0

1. Go to Authentication > Enterprise in the Auth0 dashboard
2. Select Open ID Connect
3. Select Create Connection and enter the following values:
   1. Connection name: Beyond-Identity
   2. Issuer URL: https://auth.byndid.com/v2
   3. Client ID: from Step 5.4
   4. Client Secret: from Step 5.4
4. Select Create
5. Select the Settings tab, scroll down to Scopes, and set Scopes to openid
6. Make a note of the Callback URL as you will need that below
7. Select Save Changes
8. Scroll up and select the Login Experience tab
9. Scroll down to Connection button and select Display connection as a button. Then enter the following:
   1. Button display name: Beyond Identity
   2. Button Logo URL: https://byndid-public-assets.s3-us-west-2.amazonaws.com/logos/beyondidentity.png
10. Click Save
11. Scroll up and select the Applications tab
12. Enable the Connection for both Applications created above

9. Check Auth0 callback URL is correct in Beyond Identity OIDC integration

1. In the Beyond Identity Admin UI, click on the Integrations tab and then click on OIDC Clients.
2. Find the OIDC client created in Step 4 and click Edit
3. Ensure that the Redirect URI value matches with the value in Auth0 connection (Step 7.6). If the values do not match, update the value with the correct Callback URL
4. Click Save Changes

Setting up Test Users

Before users can start authenticating with Beyond Identity, they need to be provisioned in the Beyond Identity Directory. As Auth0 does not support SCIM, users will need to be manually provisioned using the Beyond Identity admin portal or using the Beyond Identity REST API. Please see the admin portal video tutorial which shows navigating to the directory area of the admin portal.

1. In the Admin Portal under the Directory tab, select Add User
2. Enter the following values: a. External ID: oidc|Beyond-Identity|<email_address> b. Email: c. Username: d. Display Name:

PLEASE NOTE: The External ID format above must be adhered to as this will be the user ID of the user in Auth0.

User Enrollment

1. Enrolled (provisioned) users will receive an email from Beyond Identity welcoming them to the new Identity Provider
2. Each enrolled user will be asked to complete two steps:
   1. Download the Beyond Identity Authenticator onto device
      1. Click View Download Options, and the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. Download and install the Beyond Identity Authenticator on the user’s device.
   2. Register Credential in the Beyond Identity IdP
      1. By clicking on Register New Credential, the user’s credential will be enrolled in the Beyond Identity service on the back end. On the front end, users will be taken to the Beyond Identity Authenticator. Once registration is completed, the user will see the credential in the Authenticator

User Authentication (Signing in)

1. Enrolled users can visit any application supported by the Auth0 SSO to passwordlessly authenticate
2. The SSO-supported application will ask the user to enter a username
3. Once the username is submitted, a prompt to use or open the Beyond Identity app for authentication will display for the user
4. The user should click affirmatively on the prompt to be signed into the application, without the use of a password. The Beyond Identity app along with a success notification will display
   1. Note: For iOS devices, some application sign-in processes will ask the user to exit out of the Beyond Identity Authenticator to return to their app after successful authentication.

User Deprovisioning

To deprovision users from the Beyond Identity experience, manually delete users from Beyond Identity Admin Portal and Auth0 management portal