gobeyondidentity/secure-access-cli

Secure Access CLI

Secure Access CLI is a command-line interface designed to automate the setup of a Secure Access Tenant with Single Sign-On (SSO) capabilities. This guide walks you through installation, environment configuration, and detailed usage instructions for each available command.

Table of Contents

  1. Installation
  2. Configuration
  3. Usage

Installation

Install Rust

If you don't have Rust installed, you need to install it first. Follow these steps to install Rust:

  1. Download Rustup: Rustup is an installer for the Rust programming language.

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  2. Follow the On-Screen Instructions: The installer will guide you through the installation process. Once installed, you can configure your current shell session to use Rust by running:

    source $HOME/.cargo/env
  3. Verify Installation: To ensure Rust is installed correctly, you can run:

    rustc --version

Clone the Repository

Clone the project repository to your local machine:

git clone git@github.com:gobeyondidentity/secure-access-cli.git
cd secure-access-cli

Build the Project

Build the project using Cargo (Rust's package manager):

cargo build --release

Configuration

Environment Variables

Secure Access CLI uses environment variables for configuration. Create a .env file in the root of the project directory and populate it with the necessary variables. Here is an example of the required variables:

OKTA_API_KEY="<OKTA_API_KEY_READ+WRITE>"
OKTA_DOMAIN="<YOUR_OKTA_DOMAIN>"
OKTA_REGISTRATION_SYNC_ATTRIBUTE="byndidRegistered" # You can update this to be any non-conflicting value if you need to
BEYOND_IDENTITY_API_BASE_URL="https://api-<eu|us>.beyondidentity.<run|xyz|com>"
BEYOND_IDENTITY_AUTH_BASE_URL="https://auth-<eu|us>.beyondidentity.<run|xyz|com>"
ADMIN_DISPLAY_NAME="<YOUR_NAME>"
ADMIN_PRIMARY_EMAIL_ADDRESS="<YOUR_EMAIL_ADDRESS>"

Make sure to replace the placeholders with your actual configuration values.
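
A pre-flight check for the .env file described above, as an added example that is not part of the project's repository: it verifies that every variable listed above is set, that no <...> placeholder remains, that both Beyond Identity base URLs use https, and that the file, which holds a read+write Okta API key, is accessible only by its owner. The function names and the 600/400 permission requirement are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the project): pre-flight check for the .env file.
# Variable names are the README's; function names and checks are assumptions.
# Usage: source this file, then run: check_env_file .env

REQUIRED_VARS="OKTA_API_KEY OKTA_DOMAIN OKTA_REGISTRATION_SYNC_ATTRIBUTE
BEYOND_IDENTITY_API_BASE_URL BEYOND_IDENTITY_AUTH_BASE_URL
ADMIN_DISPLAY_NAME ADMIN_PRIMARY_EMAIL_ADDRESS"

# Print the value of variable $2 in file $1. For a double-quoted value, only
# the text inside the quotes is kept, so a trailing "# comment" is dropped.
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^"\([^"]*\)".*$/\1/'
}

# Print one line per problem in .env file $1; return non-zero if any.
check_env_file() {
  local file="$1" problems=0 var val mode
  [ -f "$file" ] || { echo "missing file: $file"; return 1; }

  # The file holds a read+write Okta API key, so require owner-only access.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "permissions are $mode, expected 600"; problems=$((problems + 1)) ;;
  esac

  for var in $REQUIRED_VARS; do
    val=$(env_value "$file" "$var")
    if [ -z "$val" ]; then
      echo "$var is missing or empty"; problems=$((problems + 1))
    elif printf '%s' "$val" | grep -q '[<>]'; then
      echo "$var still contains a <placeholder>"; problems=$((problems + 1))
    fi
  done

  # Both Beyond Identity base URLs must be https (empty is reported above).
  for var in BEYOND_IDENTITY_API_BASE_URL BEYOND_IDENTITY_AUTH_BASE_URL; do
    case "$(env_value "$file" "$var")" in
      https://*|"") ;;
      *) echo "$var is not an https:// URL"; problems=$((problems + 1)) ;;
    esac
  done

  [ "$problems" -eq 0 ]
}
```

Running chmod 600 .env clears the permission finding; keeping .env out of version control is a separate step this check does not cover.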

Usage

To run the CLI tool, use the following syntax:

./target/release/secure-access-cli [OPTIONS] <COMMAND>

Commands

create-tenant

Creates a new Secure Access tenant. This command is required for all the remaining commands to work as it provides the base configuration. The first time you run this command, it will ask you to open a browser with a magic link to complete the provisioning process. Subsequent runs will show you the existing tenant configuration.

./target/release/secure-access-cli create-tenant

provision-existing-tenant

Provisions configuration for an existing tenant, provided that a tenant ID, realm ID, and API token are supplied.

./target/release/secure-access-cli provision-existing-tenant

create-scim-app-in-beyond-identity

Creates an application in Beyond Identity that enables you to perform inbound SCIM from an external identity provider.

./target/release/secure-access-cli create-scim-app-in-beyond-identity

create-scim-app-in-okta

Creates a SCIM app in Okta that is connected to the SCIM app created in the previous step. Note that this command will generate the app and assign all groups to the SCIM app. However, there is a manual step you have to complete on your own which unfortunately cannot be automated. When you run this command the first time, we'll provide you with a SCIM base URL and API token that you'll need to copy into the SCIM app in Okta. You will also have to enable provisioning of identities manually in Okta. The good news is that both of these steps are very easy to do. You can find the exact steps to follow here.

./target/release/secure-access-cli create-scim-app-in-okta

create-external-sso-connection-in-beyond-identity

Creates an OIDC application in Beyond Identity that Okta will use to enable Okta identities to authenticate using Beyond Identity.

./target/release/secure-access-cli create-external-sso-connection-in-beyond-identity

create-custom-attribute-in-okta

Creates a custom attribute in Okta on the default user type that will be used to create an IDP routing rule in Okta. This is a boolean value that gets set to "true" whenever a passkey is bound for a specific user.

./target/release/secure-access-cli create-custom-attribute-in-okta

create-identity-provider-in-okta

Takes the external SSO connection you created in Beyond Identity and uses it to configure an identity provider in Okta. This is the identity provider that will be used to authenticate Okta users using Beyond Identity.

./target/release/secure-access-cli create-identity-provider-in-okta

create-routing-rule-in-okta

The final step when setting up Beyond Identity as an MFA in Okta. This will use the custom attribute you created using an earlier command to route users who have provisioned a Beyond Identity passkey to Beyond Identity during authentication.

./target/release/secure-access-cli create-routing-rule-in-okta

send-enrollment-email

Helps you send enrollment emails to one or more (or all) users in Beyond Identity.

./target/release/secure-access-cli send-enrollment-email

fast-migrate

Automatically populates Beyond Identity's SSO with all of your Okta applications. Additionally, it will automatically assign all of your Beyond Identity users to the correct application based on assignments in Okta. Note that each tile you see in Beyond Identity will be an opaque redirect to Okta.

./target/release/secure-access-cli fast-migrate

delete-all-sso-configs-in-beyond-identity

Clears out your Beyond Identity SSO apps in case you want to run fast migrate from scratch.

./target/release/secure-access-cli delete-all-sso-configs-in-beyond-identity

get-token

Get a bearer token for curl use.

./target/release/secure-access-cli get-token

review-unenrolled

Review which identities have not completed the enrollment process. An enrolled identity is defined as having a passkey for the given tenant/realm configuration.

./target/release/secure-access-cli review-unenrolled

Options

  • -l, --log-level <LOG_LEVEL>: Set the log level (error, warn, info, debug, trace).
  • -h, --help: Print help information.

About

A CLI used to automate certain actions in our Secure Access Platform.
