Integration with CyberArk Idaptive Identity

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's CyberArk Idaptive Identity portal. This integration will allow your users to log in to the CyberArk Idaptive Identity application’s account leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

1. Admin access to the following:
   • BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
   • A CyberArk Idaptive Identity instance V21.6.124 or higher.
2. Install on your mobile device:
   • BlockID mobile application (Compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.

Assumptions

1. With the above prerequisites, you should now successfully be registered and be able to login to:
   • Your organization's CyberArk Idaptive Identity Admin Portal instance with access to the administrative console.
   • BlockID Admin Console application. Ensure the email address used to log in to this application is the same as the one used to log in to the Idaptive account.
2. Installed and registered the BlockID mobile application.
   • Launch the BlockID mobile application and follow the on-screen instructions to register your app with the BlockID platform to enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for step by step understanding of the biometrics enrollment process within the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk Idaptive Identity.
2. Configure CyberArk Idaptive Identity as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within CyberArk Idaptive Identity
   • Configure the Idaptive Identity portal application
2. Configure CyberArk Idaptive Identity as a Service Provider (SP) within your BlockID Tenant
   • Set IDP Assertion Claim details
   • Add Idaptive application as a Service Provider
3. Test the SAML Single Sign-On Connection

Configure your BlockID Tenant as an Identity Provider (IDP) within Idaptive

tip

Steps mentioned in the guide are given as per the workflow provided in the CyberArk Idaptive Identity V21.6.124.

The following steps will be performed by your Idaptive Identity portal administrator. Get your tenant's XML metadata file and SSL certificate from your 1Kosmos representative to configure 1Kosmos as an Identity Provider for your company's Idaptive Identity portal application account.

Configure the Idaptive Identity portal application

1. Login to the Idaptive Identity Portal.
2. From the left pane, navigate to Settings > Users.
3. In the Sources section, click Partner Management, and click Add. The Partner Management screen is displayed.
4. In the Partner Management screen, enter details for the following fields:

• Partner Name: Enter the name of your identity provider. For example, BlockID.
• From the Federated Domains section, click Add.
• Enter your domain that users will be redirected to BlockID for authentication and click Add.
• From the left pane, click Inbound Metadata. The Inbound Metadata settings are displayed.

• In the Option 1: Upload IDP configuration from URL, enter the BlockID metadata URL of your community. For example, https://<tenant>.1kosmos.net/<community>/metadata.
• From the left pane, click Outbound Metadata. The Outbound Metadata settings are displayed.
• Click Option 2: Download Service Provider Metadata.
• Click Download Metadata.
• Click Save.

Configure Idaptive application as a Service Provider (SP) within your BlockID Tenant

Set IDP Assertion Claim details

Perform the below-mentioned steps:

1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.

• Map the nameIdentifier to email.
• Click Save.

tip

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add Idaptive application as a Service Provider

1. In the SAMLv2 screen, click Service Providers.

2. In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the Idaptive option.

3. In the Onboard Idaptive as a SAMLv2 Service Provider window, enter details for the following fields:

tip

In case, if your client does not share their Idaptive's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their Idaptive application.

• Application Label: Enter the appropriate name for your organization’s Idaptive application as a service provider.
• Entity ID: Enter the unique entityId URL specified in your single-sign on settings in the Idaptive application.
• Login URL: Enter the login URL specified in your single-sign on settings in the Idaptive application.
• Click Onboard Idaptive.

4. Click on the newly added Idaptive as a service provider link.

5. In the Edit screen:

• In the SP Core Configuration tab: Check the following details are selected:
• Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
• NameID Value: nameidentifier.
• In the SP Assertion Claims Mapping tab:
• Select the checkbox for the following options:
• nameIdentifier
• Override
• In the Custom Claim Value text box, enter UserPrincipalName
• In the SP Service URL End Points tab:
• Select POST.
• Ensure CyberArk Idaptive Identity portal login URL is added.
• Click Confirm and Save.

Test the SAML Single Sign-On Connection

1. In your browser, enter your organization’s CyberArk Idaptive Identity portal login URL.
2. Enter an email address that has the appropriate “Federated Domain” as entered earlier.
3. Click Next.

4. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
5. On the BlockID mobile application’s Home screen, click ‘Scan QR’.
6. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
7. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
8. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log In message upon successful authentication.
9. You will be logged in to your CyberArk Idaptive Identity portal application.