Passwordless Authentication

Enable users to log in via your Identity Provider without entering a username/password

This article describes features that are only available in the Banyan Enterprise edition.

This topic leverages TrustProvider V2 endpoints for Passwordless authentication. Please ensure you have migrated from V1 endpoints before proceeding.

Devices enrolled via Zero Touch installation only support Banyan’s Passwordless authentication feature via Banyan Desktop App v.2.1.0+.

How It Works

The diagram below provides a conceptual overview of how Banyan’s Passwordless Authentication Flow works.

Normal Authentication

In the Normal Authentication Flow, Banyan’s TrustProvider component federates to your organization’s Identity Provider (IdP). The user enters their SSO username and password (and Multi-factor Authentication (MFA), if applicable) at your IdP. Once the credentials (and MFA) are verified, the TrustProvider IDToken is issued.

Passwordless Authentication

In the Passwordless Authentication Flow, Banyan relies on the fact that the trusted Device Certificate carries the user’s email address in the UserPrincipalName field of its Subject Alternative Name (SAN) extension. To enable Passwordless Authentication, register the Banyan-provided “App Client for Passwordless Authentication” as an External OpenID Connect IdP in your organization’s Identity Provider.

When a device presents its Device Certificate, Banyan extracts the user’s email address from that certificate to identify the user who is attempting to authenticate, and issues the TrustToken. The user does not need to enter their SSO username and password; they only need to complete the MFA step, if one is configured.
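The identity extraction described above, as an added example that is not Banyan’s code: `UPNFromSAN` (a hypothetical name) takes the DER value of a certificate’s subjectAltName extension, returns only the UserPrincipalName carried in its otherName entry and rejects anything else; `SampleSAN` is an extension value constructed here for the example, not one taken from a real Device Certificate.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"errors"
)

// UPNFromSAN parses the DER value of a subjectAltName extension (OID 2.5.29.17) and
// returns the string in its UPN otherName. No UPN, or a malformed extension, is an
// error: the identity comes from that field only, never from a fallback like rfc822Name.
func UPNFromSAN(sanDER []byte) (string, error) {
	var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
	if rest, err := asn1.Unmarshal(sanDER, &names); err != nil || len(rest) != 0 {
		return "", errors.New("malformed subjectAltName")
	}
	for _, gn := range names {
		// otherName is [0] IMPLICIT; rfc822Name [1], dNSName [2], ... are skipped.
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 || !gn.IsCompound {
			continue
		}
		// OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; Value keeps the [0]
		// wrapper raw (Value.Bytes is the UTF8String TLV). id-ms-upn is 1.3.6.1.4.1.311.20.2.3.
		var on struct {
			TypeID asn1.ObjectIdentifier
			Value  asn1.RawValue
		}
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
			return "", err
		}
		if !on.TypeID.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}) {
			continue
		}
		var upn string // stays empty when the value is not a well-formed string
		_, err := asn1.Unmarshal(on.Value.Bytes, &upn)
		return upn, err
	}
	return "", errors.New("no UserPrincipalName in subjectAltName")
}

// tlv builds a short-form DER TLV (body under 128 bytes); used only for sample input.
func tlv(tag byte, parts ...[]byte) []byte {
	body := bytes.Join(parts, nil)
	return append([]byte{tag, byte(len(body))}, body...)
}

// SampleSAN is constructed input, not a real certificate's extension: SEQUENCE of
// rfc822Name "bob@example.com" and otherName { id-ms-upn, [0] UTF8String "alice@example.com" }.
var SampleSAN = tlv(0x30, tlv(0x81, []byte("bob@example.com")), tlv(0xa0,
	tlv(0x06, []byte{0x2b, 6, 1, 4, 1, 0x82, 0x37, 20, 2, 3}), tlv(0xa0, tlv(0x0c, []byte("alice@example.com")))))
```

Note that the sample deliberately carries a different address in rfc822Name than in the UPN, so a result of `bob@example.com` would reveal a verifier that trusts the wrong field.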


Setup

If you use Okta as your Identity Provider, please review our Passwordless Guide for Okta.

At a high level, setting up Passwordless with an Identity Provider is a simple, four-step process:

  1. In the Banyan Command Center, Gather Your OIDC Details
  2. In your Identity Provider, create a Federated OIDC Identity Provider
  3. In your Identity Provider, route Traffic to the Federated IdP
  4. In your IdP, also create an Application Integration called “Banyan DeviceRegistrationProvider” and assign it to “Everyone”

Prerequisites

Before proceeding through the Setup sections below, please ensure you have:

  • Administrative access to your Identity Provider
  • The ability to add an external Identity Provider called “Banyan Passwordless”
  • The ability to add a new application integration to your Identity Provider called “Banyan DeviceRegistrationProvider”
  • Integrated Banyan with your Identity Provider to create a directory of users that can access your Services

Step 1. In the Banyan Command Center, Gather Your OIDC Details

1.1 Navigate to Settings > TrustProvider Settings > OpenID Connect Settings.

1.2 In the App Client for Passwordless Authentication section, enter your IdP Redirect URL (Okta example shown below) and then click Create.

1.3 Note the OpenID Connect Settings and App Client for Passwordless Authentication configuration fields. You will use these in step 2.

Step 2. In your Identity Provider, create a Federated OIDC Identity Provider

2.1 Create a Federated OIDC Identity Provider in your IdP named Banyan Passwordless and enter the configuration fields you obtained in step 1 above.

Step 3. Route Traffic to the Federated IdP

3.1 In your IdP, route authentication requests for the Banyan TrustProvider application (via routing rule or other similar mechanism) to the Federated IdP created in Step 2 above. This ensures authentication requests to the Banyan TrustProvider get forwarded to the Banyan Passwordless IdP.

Step 4. In your IdP, also create an Application Integration called “Banyan DeviceRegistrationProvider” and assign it to “Everyone”

Since authentication requests to the “Banyan TrustProvider” App Integration are now routed to the Passwordless IdP (Step 3), a separate App Integration is needed for device registration via the Banyan Desktop or Mobile Apps.

4.1 Create a new App Integration called “Banyan DeviceRegistrationProvider” following the same steps to integrate Banyan with your Identity Provider.

That’s it! You’ve successfully configured Passwordless Authentication for your IdP.



Last modified: Jun 17, 2021