Enable users to log in via your Identity Provider without entering a username/password
- Updated on Mar 23, 2022
How It Works
The diagram below provides a conceptual overview of how Banyan’s Passwordless Authentication Flow works.
In the Normal Authentication Flow, Banyan's TrustProvider component federates to your organization's Identity Provider (IdP). The user enters their SSO username and password at the IdP and completes Multi-Factor Authentication (MFA) if the IdP requires it. Once the IdP has verified the credentials (and MFA), the TrustProvider issues its IDToken.
In the Passwordless Authentication Flow, Banyan relies on the fact that the trusted Device Certificate carries the user's email address in the UserPrincipalName (UPN) Subject Alternative Name (SAN) extension field. To enable Passwordless Authentication, register the Banyan-provided "App Client for Passwordless Authentication" as an External OpenID Connect IdP in your organization's Identity Provider.
When passwordless is enabled, the device certificate presented during the device-trust step is used to identify the user who is attempting to authenticate: the UPN is read from the certificate's SAN, and that user is issued a TrustToken without entering a username or password. The user only needs to complete an MFA step if the IdP is configured to require one. Because the device certificate now stands in for the password, the strength of this flow rests on how device certificates are issued and revoked and on how well the device protects its private key.
Passwordless and Zero Touch Installation
With Banyan App 2.1 and later, Passwordless is supported for devices registered via Zero Touch Installation.
Devices registered via Zero Touch Installation can be registered either to a specific user or to the default "Staged User". When a device is registered to the default "Staged User", the issued device certificate does not have the UserPrincipalName SAN extension field set, so no user can be extracted from it and the first authentication cannot be passwordless. During that first authentication flow, Banyan silently swaps the certificate without UPN information for a certificate carrying the user's UPN. From then on, the Banyan Passwordless flow is enabled for that device.
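The following is an added illustration, not Banyan code, of the certificate detail the two sections above depend on: a UPN stored as an X.509 SAN otherName under Microsoft's UserPrincipalName OID (1.3.6.1.4.1.311.20.2.3), and what a verifier sees when that field is absent, as for a Zero Touch "Staged User" certificate. It builds self-signed stand-ins for device certificates (the names, OIDs aside, are constructed for the example) and then reads the UPN back, refusing ambiguous or malformed values. It requires the `cryptography` package; how Banyan's own components parse the certificate is not shown on this page.

```python
"""Constructed example: read the UserPrincipalName (UPN) from a device
certificate's subjectAltName, the field the passwordless flow keys on.

Added illustration, not Banyan code. Requires the `cryptography` package.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Microsoft's otherName OID for UserPrincipalName (szOID_NT_PRINCIPAL_NAME).
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _der_utf8string(text: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C, definite length, short or long form)."""
    body = text.encode("utf-8")
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x0c" + length + body


def _parse_der_utf8string(der: bytes) -> str:
    """Decode a DER UTF8String. Anything else is rejected, so a malformed or
    wrongly typed otherName cannot be mistaken for a UPN."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("otherName value is not a UTF8String")
    first = der[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("bad DER length")
    return der[hdr:hdr + length].decode("utf-8")


def make_device_cert(upn: Optional[str]) -> x509.Certificate:
    """Self-signed stand-in for a device certificate (constructed names).
    upn=None models a 'Staged User' cert: SAN present, but no UPN otherName."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-1234")])
    sans = [x509.DNSName("device-1234.example.internal")]
    if upn is not None:
        sans.append(x509.OtherName(UPN_OID, _der_utf8string(upn)))
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName(sans), critical=False)
        .sign(key, hashes.SHA256())
    )


def extract_upn(cert: x509.Certificate) -> Optional[str]:
    """Return the UPN from the SAN otherName, or None when the certificate
    carries no UPN (so no user can be identified from it). Exactly one UPN
    is accepted; two would make the identity ambiguous."""
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    upns = [_parse_der_utf8string(o.value)
            for o in san.get_values_for_type(x509.OtherName)
            if o.type_id == UPN_OID]
    if len(upns) > 1:
        raise ValueError("certificate carries more than one UPN")
    return upns[0] if upns else None


if __name__ == "__main__":
    print(extract_upn(make_device_cert("alice@example.com")))  # alice@example.com
    print(extract_upn(make_device_cert(None)))                 # None (staged user)
```

Running `extract_upn` against a real device certificate exported from an enrolled machine is a quick way to confirm the UPN SAN is populated with the user's email before turning passwordless on; a `None` result on a Zero Touch device is expected until its first authentication has completed.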