Version: Next Gen

Okta

Authentication for Okta using Beyond Identity

Integrate Beyond Identity with your Okta organization for users to have phishing-resistant and passwordless authentication.

This guide covers the process of configuring Okta and Beyond Identity. Each section contains instructions for that specific platform. View the overall summary in the list below.

  • Set up new configurations on each console for Beyond Identity and Okta
  • Set up Okta SCIM user provisioning
  • Add new users to Beyond Identity for passkey verification
  • Configure rules to use Beyond Identity in Okta

Prerequisites

To get started with the integration, view the following prerequisites.

Okta requirements

This information contains the necessary items for integrating with Beyond Identity.

  • Okta account access with Organizational Admin or Super Admin privileges
  • Available features of OpenID Connect IdP and routing rules*
    • *If these features are missing from your organization, contact Okta support for activation.

Beyond Identity requirements

The list below covers the basic Beyond Identity requirements for the integration.

  • Secure Access Tenant with Super Admin Role
    • Use an existing account, or sign up here to create a new Beyond Identity account
  • Have at least two devices and two Super Admin roles configured*
    • *Recommended, optional

Steps

Follow the steps in the sections below to complete your integration for Beyond Identity and Okta.

Legend

The sections below use these two color codings to identify the steps for separate platforms.

🔵 Beyond Identity - Beyond Identity platform tasks are highlighted in blue.

🟠 Okta - Okta platform tasks are highlighted in orange.

🔵 Set up Beyond Identity console

The following section covers the 🔵 Beyond Identity console and related steps.

  1. Navigate to your Beyond Identity console.
  2. On the left-hand navigation under Access Control, click Applications.
  3. Select the Browse Applications tab.
  4. Click Okta to proceed.
  5. Under General → Display Name, input New SSO Application into the text field.
  6. For the Okta Token value, paste the API token value from your Okta organization.
  7. Scroll down to the Important Values section.

🟠 Configure Okta with added identity provider

The steps in this section are for setting up Beyond Identity in 🟠 Okta as a new identity provider for users to log in.

  1. Navigate to your Okta organization account.
  2. Under Security on the left dropdown navigation, click Identity Providers.
  3. Click Add identity provider.
  4. Click Next.
  5. Under General Settings, type Beyond Identity into the Name field.
  6. Copy the following values from Step 7 of the 🔵 Set up Beyond Identity console section and paste them into the corresponding fields.
    • 🔵 Issuer → 🟠 Issuer, under Endpoints
    • 🔵 Authorization endpoint → 🟠 Authorization endpoint, under Endpoints
    • 🔵 Token Endpoint → 🟠 Token endpoint, under Endpoints
    • 🔵 User Info Endpoint → 🟠 Userinfo endpoint, under Endpoints
    • 🔵 Client ID → 🟠 Client ID, under Client details
    • 🔵 Client Secret → 🟠 Client Secret, under Client details
  7. Click Finish.
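
A consistency check for the values copied in step 6, as an added example that is not part of the Beyond Identity or Okta documentation. It assumes the issuer publishes a standard OpenID Connect discovery document whose contents you have saved; every hostname, ID and secret below is constructed.

```python
from urllib.parse import urlsplit

# OIDC discovery key -> label of the Okta field it is pasted into (mapping from step 6).
FIELD_MAP = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization endpoint",
    "token_endpoint": "Token endpoint",
    "userinfo_endpoint": "Userinfo endpoint",
}

def check_idp_values(discovery, pasted):
    """Return a list of problems; an empty list means the pasted values are consistent."""
    problems = []
    for key, label in FIELD_MAP.items():
        raw = pasted.get(label, "")
        got = raw.strip()
        if raw != got:
            problems.append(f"{label}: leading/trailing whitespace")
        if not got:
            problems.append(f"{label}: empty")
            continue
        if urlsplit(got).scheme != "https":
            problems.append(f"{label}: not https")
        # Exact string match: an extra trailing slash on the issuer is a mismatch.
        if got != discovery.get(key):
            problems.append(f"{label}: differs from discovery document")
    for label in ("Client ID", "Client Secret"):
        if not pasted.get(label, "").strip():
            problems.append(f"{label}: empty")
    return problems

# Constructed sample data (placeholder tenant, not real endpoints).
BASE = "https://idp.example.test/v1/tenants/t1"
DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "userinfo_endpoint": BASE + "/userinfo",
}
GOOD = {FIELD_MAP[k]: v for k, v in DISCOVERY.items()}
GOOD.update({"Client ID": "constructed-client-id", "Client Secret": "constructed-secret"})
BAD = {**GOOD, "Issuer": BASE + "/",
       "Token endpoint": "http://idp.example.test/v1/tenants/t1/token",
       "Client Secret": " "}

if __name__ == "__main__":
    for name, values in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_idp_values(DISCOVERY, values) or "ok")
```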

🟠 Set up Okta directory integration

This section is a walkthrough for setting up the Okta directory as the upstream source to share user identity information to Beyond Identity. View the use cases below.

  • SCIM user provisioning - Okta user identity information programmatically syncs to Beyond Identity
  • Registration syncing - Okta redirects users to Beyond Identity
    • NOTE: This feature sets up the passwordless experience for Okta users. It omits the username and password input screen because it redirects to Beyond Identity.

🟠 Create Beyond Identity group

You can specify which users authenticate with Beyond Identity and without passwords. This section covers creating a group in Okta for the users who receive this configuration. View the clip below for instructions.

🟠 Generate API token in Okta

Beyond Identity requires an Okta API token to communicate updates to Okta. This includes notifying Okta when users bind passkeys to their device. This action is required for users to be routed to Beyond Identity from Okta. The clip below covers the steps to generate the token.

🔵 Configure the directory in Beyond Identity

The sections below go over adding a new user to your Beyond Identity identities directory.

🔵 Manual entry

  1. Under Directory, click Identities.
  2. Click Add identity.
  3. Click Manual entry.
  4. Add the details for the new identity.
  5. Click Add identity. Return to the identities page.
  6. Click the recently added identity to go to that profile page.
  7. Select the Passkeys tab.
  8. Click Add a passkey.
  9. Click Magic Link. NOTE: For IDP Authorization, contact your Beyond Identity representative.
  10. For delivery method, select your preferred option.
    • Send email - Prompts verification through a link sent to the identity's email address
    • Generate link - Creates a specific link to share for verification
  11. At this point, the end user completes verification through the Beyond Identity Platform Authenticator.

🔵 SCIM implementation

The Okta SCIM implementation requires a bearer token. Use the Okta platform to complete the SCIM configuration that maps users and attributes to Beyond Identity for the integration. Complete the sections in the Generic SCIM guide for configuring users from the Okta upstream directory source.

🟠 Complete Okta SCIM configuration

Configure the SCIM application in Okta with the SCIM URL and bearer token generated on the Beyond Identity application page. After completing the provisioning configuration, enable the actions below. The clip below contains the instructions for this process.

  • Create Users
  • Deactivate Users
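
What the two enabled actions look like as standard SCIM 2.0 requests (RFC 7643/7644) authenticated with the bearer token, as an added example that is not Beyond Identity or Okta code. The `ToyScimReceiver` class is a hypothetical in-memory stand-in for the downstream directory, and the token and addresses are constructed.

```python
import hmac
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_request(method, path, token, body):
    """Build one SCIM 2.0 call as an upstream directory would send it."""
    return {"method": method, "path": path,
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/scim+json"},
            "body": json.dumps(body)}

def create_user(token, email, given, family):
    # "Create Users": POST /Users with a core User resource.
    return scim_request("POST", "/Users", token, {
        "schemas": [USER_SCHEMA], "userName": email, "active": True,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}]})

def deactivate_user(token, user_id):
    # "Deactivate Users": PATCH /Users/{id} setting active to false.
    return scim_request("PATCH", f"/Users/{user_id}", token, {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}]})

class ToyScimReceiver:
    """Hypothetical in-memory receiver; stands in for the downstream directory."""
    def __init__(self, token):
        self.token, self.users = token, {}

    def handle(self, req):
        sent = req["headers"].get("Authorization", "")
        if not hmac.compare_digest(sent.encode(), f"Bearer {self.token}".encode()):
            return 401, None                      # wrong or missing bearer token
        body = json.loads(req["body"])
        if req["method"] == "POST" and req["path"] == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, None                  # duplicate userName
            user_id = f"u{len(self.users) + 1}"
            self.users[user_id] = {**body, "id": user_id}
            return 201, user_id
        if req["method"] == "PATCH" and req["path"].startswith("/Users/"):
            user = self.users.get(req["path"].split("/", 2)[2])
            if user is None:
                return 404, None
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and "path" not in op:
                    user.update(op["value"])      # e.g. {"active": False}
            return 200, user["id"]
        return 405, None
```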

Synchronize users with SCIM

Push the created Beyond Identity group from Okta to Beyond Identity. After this is complete, all users in this group appear on the Identities page under Directory.

🟠 Use Okta Routing rules

This section covers steps to configure 🟠 Okta to use Beyond Identity as the identity provider for specific users.

  1. Under Security, click Identity Providers.
  2. Click the Routing rules tab.
  3. Click Add Routing Rule.
  4. Under Rule Name, input the description in the text field.
  5. Configure User IP, device platform, accessing, and matching sections as needed.
  6. Under the Use this identity provider section, remove Okta.
  7. In the field from the previous step, type or select Beyond Identity.
  8. Click Create rule.

Congratulations! Your end user can now log in using Beyond Identity and authenticate with their device!