Enable users to log in via your Identity Provider without entering a username/password
This topic leverages TrustProvider V2 endpoints for Passwordless authentication. Please ensure you have migrated from V1 endpoints before proceeding.
The diagram below provides a conceptual overview of how Banyan’s Passwordless Authentication Flow works.
In the Normal Authentication Flow, Banyan’s TrustProvider component federates to your organization’s Identity Provider (IdP). The user enters their SSO username and password (and Multi-factor Authentication (MFA), if applicable) at your IdP. Once the credentials (and MFA) are verified, the TrustProvider IDToken is issued.
In the Passwordless Authentication Flow, Banyan leverages the fact that the trusted Device Certificate includes the user’s email address in the UserPrincipalName SAN extension field. To enable Passwordless Authentication, register the Banyan-provided “App Client for Passwordless Authentication” as an External OpenID Connect IDP in your organization’s Identity Provider.
When a device presents its Device Certificate, Banyan extracts the user’s email address to identify the user who is attempting to authenticate, and issues the TrustToken. The user does not need to enter their SSO Username and Password. Instead, they only need to perform the MFA step, if configured.
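The identity the flow relies on lives in the certificate's SubjectAltName as an otherName of type UserPrincipalName (OID 1.3.6.1.4.1.311.20.2.3, a UTF8String). The following added example, which is not Banyan code, shows how that field is located and decoded from the DER-encoded SAN value; `build_san` constructs a sample SAN inline, and the parser assumes the certificate has already been validated against the trusted device CA, since the UPN is only meaningful once the chain checks out.

```python
# Added example: locate the UserPrincipalName otherName in a SubjectAltName value.
# Assumes the presenting certificate already chained to the trusted device CA;
# only then is the UPN inside it a trustworthy identity claim.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft UserPrincipalName otherName type-id

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value for the constructed sample (short-form length only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next position); handles long-form DER lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_san(upn: str, email: str) -> bytes:
    """Constructed sample: GeneralNames holding a UPN otherName and an rfc822Name."""
    other = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode()))
    return _tlv(0x30, _tlv(0xA0, other) + _tlv(0x81, email.encode()))

def upn_from_san(san_der: bytes):
    """Return the UPN carried in a SubjectAltName value, or None if absent."""
    _, names, _ = _read_tlv(san_der, 0)          # outer SEQUENCE OF GeneralName
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                           # only otherName [0] can carry a UPN
            continue
        _, oid, after = _read_tlv(body, 0)
        if oid != _encode_oid(UPN_OID):           # some other otherName type; skip it
            continue
        _, wrapped, _ = _read_tlv(body, after)    # [0] EXPLICIT wrapper around the value
        vtag, value, _ = _read_tlv(wrapped, 0)
        return value.decode() if vtag == 0x0C else None  # UPN must be a UTF8String
    return None
```

A certificate with only an rfc822Name, or whose otherName is not a UTF8String, yields None, which is the case a deployment should treat as "no passwordless identity" rather than fall back to the e-mail SAN.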
If you use Okta as your Identity Provider, please review our Passwordless Guide for Okta.
At a high level, setting up Passwordless with an Identity Provider is a simple, four-step process:
Before proceeding through the Setup sections below, please ensure you have:
1.1 Navigate to Settings > TrustProvider Settings > OpenID Connect Settings.
1.2 In the App Client for Passwordless Authentication section, enter your IdP Redirect URL (Okta example shown below) and then click Create.
1.3 Note the OpenID Connect Settings and App Client for Passwordless Authentication configuration fields. You will use these in step 2.
2.1 Create a Federated OIDC Identity Provider in your IdP named Banyan Passwordless and enter the configuration fields you obtained in step 1 above.
3.1 In your IdP, route authentication requests for the Banyan TrustProvider application (via routing rule or other similar mechanism) to the Federated IdP created in Step 2 above. This ensures authentication requests to the Banyan TrustProvider get forwarded to the Banyan Passwordless IdP.
Since the “Banyan TrustProvider” App Integration is now routed to the Passwordless IdP, device registration via the Banyan Desktop or Mobile Apps requires a completely separate App Integration.
4.1 Create a new App Integration called “Banyan DeviceRegistrationProvider” following the same steps to integrate Banyan with your Identity Provider.
That’s it! You’ve successfully configured Passwordless Authentication for your IdP.