Set Up Passwordless with Okta

Enable users to log in via Okta without entering a username/password

This article describes features that are only available in the Banyan Enterprise edition.

This topic leverages TrustProvider V2 endpoints for Passwordless authentication. Please ensure you have migrated from V1 endpoints before proceeding.

Devices enrolled via Zero Touch installation only support Banyan’s Passwordless authentication feature via Banyan Desktop App v.2.1.0+.

How It Works

Review the Passwordless article for a conceptual overview of how Banyan’s Passwordless Authentication Flow works.


Setup

Prerequisites

Before proceeding through the steps below, please ensure you have:

  • Administrative access to Okta
  • The ability to add an external Identity Provider called “Banyan Passwordless”
  • The ability to add a new application integration to Okta called “Banyan DeviceRegistrationProvider”
  • Integrated Banyan with Okta to create a directory of users that can access your Services

Step 1. In Okta, ensure you have the “Banyan TrustProvider” App Integration set up

1.1 Navigate to Applications, and ensure you have the Banyan TrustProvider App Integration.

Step 2. In the Banyan Command Center, Gather Your OIDC Details

2.1 Navigate to Settings > TrustProvider Settings > OpenID Connect Settings.

2.2 In the App Client for Passwordless Authentication section, enter your Okta Redirect URL (generally formatted as https://(your Okta instance name).okta.com/oauth2/v1/authorize/callback) and then click Create.

2.3 Note the OpenID Connect Settings and App Client for Passwordless Authentication configuration fields. You will use these in Step 3.

Step 3. In Okta, create an External OpenID Connect IdP

3.1 Switch to the Okta Classic UI for this guide.

3.2 Navigate to Security > Identity Providers > Add Identity Provider. Select Add OpenID Connect IdP.

3.3 Configure the General Settings and Endpoints:

  • Name the Identity Provider Banyan Passwordless.
  • Enter the Client ID and Client Secret (from App Client for Passwordless Authentication settings in Command Center)
  • Enter the Issuer (URL), Authorization endpoint, Token endpoint, and JWKS endpoint (from OpenID Connect Settings in Command Center)

3.4 In the Advanced Settings, set If no match is found to Redirect to Okta sign-in page, so that a user the IdP cannot match to an Okta account is sent to the Okta sign-in page instead of being rejected.

3.5 Click Add Identity Provider.

Step 4. In Okta, add a Routing Rule called “Banyan Passwordless Routing”

4.1 Select the Routing Rules tab, and then click Add Routing Rule.

4.2 Name the routing rule Banyan Passwordless Routing, then set it so that authentication requests to the Banyan TrustProvider App Integration get forwarded to the Banyan Passwordless IdP you just created in Step 3.

CAUTION: Do not select Any application when you set up this Routing Rule. You must only select the Banyan TrustProvider Application Integration that was configured in Okta. Choosing Any application will lock Admins out of Okta.

4.3 Click Create Rule, and then click Activate.

Step 5. In Okta, also create an Application Integration called “Banyan DeviceRegistrationProvider” and assign to “Everyone”

Since the “Banyan TrustProvider” App Integration is being used for Passwordless Authentication, we need to create a completely different App Integration for device registration via the Banyan Desktop or Mobile Apps.

5.1 Create a new App Integration called “Banyan DeviceRegistrationProvider” following the same steps to set up Okta as your Identity Provider.

Step 6. In the Banyan Command Center, Save the “Banyan DeviceRegistrationProvider” Fields

6.1 In the Banyan Command Center, return to Settings > TrustProvider Settings > Identity Provider.

6.2 In the Device Registration Provider Config (optional) section, set Device IDP Protocol to OIDC.

6.3 Configure the remaining fields from the Banyan DeviceRegistrationProvider application in Okta:

  • Issuer URL (from Sign On tab)
  • Client ID (from General tab)
  • Client Secret (from General tab)
  • Redirect URL (Login Redirect URI from General tab)

6.4 Click Update Device Registration Provider Config.

Step 7. In Okta, add a Routing Rule called “Banyan Fallback Routing”

7.1 In Okta, return to Security > Identity Providers > Routing Rules.

7.2 Add a Routing Rule called Banyan Fallback Routing for the Banyan DeviceRegistrationProvider App Integration that uses the default “Okta” identity provider. Now, if a user who is sent into the Passwordless flow doesn’t possess a Device Certificate, they will NOT be rejected and will instead be sent back to the usual Okta authentication page for their username / password.

CAUTION: Do not select Any application when you set up this Routing Rule. You must only select the Banyan DeviceRegistrationProvider Integration here.

Step 8. In Okta, ensure the order of the Routing Rules

Ensure all your Routing Rules in Okta will apply in the correct order. In general, the more specific the routing rule, the higher up it should be placed.

8.1 Ensure the “Banyan Fallback Routing” rule is placed above the “Banyan Passwordless Routing” rule.
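The two CAUTION notes and the ordering requirement above are the parts of this setup most likely to lock administrators out or silently break the fallback. As an added check (written for this guide, not part of Banyan's or Okta's own tooling), the Python below validates a set of routing rules against them: no rule that routes to the Banyan Passwordless IdP may match Any application, the fallback rule must sit above the passwordless rule, and the fallback must use the default Okta IdP. It assumes rule objects shaped like Okta's IdP Discovery policy rules (a lower priority number means the rule is evaluated first, and an empty app include list means Any application); the sample rules and all ids are constructed placeholders.

```python
# Constructed sample modeled on the rule objects of an Okta IdP Discovery
# policy; ids are placeholders, not values from a real tenant.
TRUSTPROVIDER_APP_ID = "0oa-trustprovider-PLACEHOLDER"
DEVICEREG_APP_ID = "0oa-devicereg-PLACEHOLDER"
PASSWORDLESS_IDP_ID = "0oa-banyan-passwordless-idp-PLACEHOLDER"

SAMPLE_RULES = [
    {"name": "Banyan Fallback Routing", "priority": 1, "status": "ACTIVE",
     "conditions": {"app": {"include": [{"type": "APP", "id": DEVICEREG_APP_ID}]}},
     "actions": {"idp": {"providers": [{"type": "OKTA"}]}}},
    {"name": "Banyan Passwordless Routing", "priority": 2, "status": "ACTIVE",
     "conditions": {"app": {"include": [{"type": "APP", "id": TRUSTPROVIDER_APP_ID}]}},
     "actions": {"idp": {"providers": [{"type": "OIDC", "id": PASSWORDLESS_IDP_ID}]}}},
]


def routes_to_passwordless(rule):
    """True if the rule forwards sign-ins to the Banyan Passwordless OIDC IdP."""
    return any(p.get("type") == "OIDC" and p.get("id") == PASSWORDLESS_IDP_ID
               for p in rule["actions"]["idp"]["providers"])


def check_routing_rules(rules):
    """Return a list of findings; an empty list means the rules match the guide."""
    findings = []
    by_name = {r["name"]: r for r in rules}
    for r in rules:
        included = r["conditions"].get("app", {}).get("include", [])
        # An empty include list is "Any application": every Okta sign-in,
        # admins included, would be routed to the Banyan IdP (lockout risk).
        if routes_to_passwordless(r) and not included:
            findings.append(f"{r['name']}: routes Any application to Banyan Passwordless")
        if r["name"].startswith("Banyan") and r["status"] != "ACTIVE":
            findings.append(f"{r['name']}: rule is not ACTIVE")
    fallback = by_name.get("Banyan Fallback Routing")
    pwless = by_name.get("Banyan Passwordless Routing")
    if fallback is None or pwless is None:
        findings.append("both Banyan routing rules must exist")
        return findings
    # Step 8: the more specific fallback rule must be evaluated first.
    if fallback["priority"] >= pwless["priority"]:
        findings.append("Banyan Fallback Routing must be ordered above Banyan Passwordless Routing")
    # Step 7: the fallback must send users to the default Okta sign-in, not another IdP.
    if fallback["actions"]["idp"]["providers"] != [{"type": "OKTA"}]:
        findings.append("Banyan Fallback Routing must use the default Okta identity provider")
    return findings


if __name__ == "__main__":
    print(check_routing_rules(SAMPLE_RULES) or "routing rules OK")
```

To check a live tenant, replace SAMPLE_RULES with the rule list returned for your IdP Discovery policy and the placeholder ids with the real application and IdP ids.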

Step 9. In Okta, Set a Custom Sign-out Page

By default, when an end user logs out, Okta returns them to the Okta login page. With Passwordless Authentication enabled, end users are automatically logged back in and unable to manually sign out.

To avoid this behavior, set a custom sign-out page in Okta:

9.1 In Okta, navigate to Settings > Customization.

9.2 In the Sign-Out Page settings, click Edit.

9.3 Set the option to Use a custom sign-out page and then enter your preferred sign-out page URL. Then, click Save.

Step 10. (Optional) Update your MFA and SSO Session Duration policies

For added security, Banyan strongly recommends enabling multi-factor authentication (MFA) with Passwordless Authentication.

10.1 In Okta, navigate to Security > Authentication > Sign On and then click Add New Okta Sign-on Policy.

10.2 Enter a policy name, description, and assign to groups, then click Create Policy and Add Rule.

10.3 Configure the rule, as follows:

  • For Rule Name, enter MFA and Session Duration for Passwordless
  • For Identity provider, select Specific IdP > Banyan Passwordless (created in Step 3)
  • For Factor Lifetime and Session expires after, set according to your organization’s needs.

While we suggest that MFA be required at least once per day, you should select an option that matches your organization’s security and user experience goals.

10.4 Click Create Rule.

That’s it! You’ve successfully configured Passwordless Authentication for Okta.
Last modified: Jun 17, 2021