Overview
Nametag provides verified identity authentication using secure, government-issued ID verification. It enables organizations to verify users’ real-world identities quickly and safely, reducing fraud and risk while increasing trust in identity assertions.
This integration allows organizations to:
Synchronize users from Beyond Identity Directory into a Nametag tenant, and
Use Nametag as a delegate OIDC Identity Provider (IDP) during enrollment flows that are authorized through another IDP.
Once configured, users authenticating through your primary IDP can be additionally verified by Nametag during enrollment.
This configuration is managed primarily within:
Nametag Console, and
Beyond Identity Admin Console.
Prerequisites
Before proceeding, ensure you have:
Administrative access to the Nametag Console
Administrative access to the Beyond Identity Admin Console
A working Beyond Identity tenant with Directory enabled
A working Nametag tenant
Recommended: Create a separate Nametag test environment before configuring in production.
Part 1 — Directory Synchronization
(Sync users from Beyond Identity into Nametag)
Step 1 — Select the correct Nametag environment
In Nametag Console:
Confirm you are in the correct Nametag environment (Test or Production).
If needed, create a new environment for testing.
Step 2 — Create a Beyond Identity Directory in Nametag
In Nametag Console:
1. Navigate and click Configure.
2. Click Directories from the left-hand navigation.
3. Then, click Add a directory.
4. Then, select Beyond Identity from the list.
Stay on this page; you will need values from Beyond Identity in the next steps.
Step 3 — Create Outbound Provisioning in Beyond Identity
In Beyond Identity Admin Console:
Click Integrations.
Select the Outbound Provisioning tab.
Select Nametag and click the install icon.
Step 4 — Map Beyond Identity values into Nametag
You will now transfer values from Beyond Identity into Nametag.
1. From the Beyond Identity Nametag application you just created, copy the following values and enter them into the Nametag Console directory configuration:
| Field | Description |
|---|---|
| Base URL | API base URL for Beyond Identity |
| Tenant ID | Your Beyond Identity tenant ID |
| Realm ID | Your Beyond Identity realm ID |
| Application ID | Beyond Identity application ID in Nametag |
| Client ID | OAuth Client ID issued by Beyond Identity |
| Client Secret | OAuth Client Secret issued by Beyond Identity |
2. When you are done, click Save Changes.
Step 5 — Connect and validate sync
In Nametag Console:
Click Connect to Beyond Identity.
Confirm that identities from Beyond Identity are successfully synchronized into Nametag.
Step 6 — Record the Nametag Directory Client ID
In Nametag Console:
Copy and save the Client ID associated with this directory.
You will need this in Part 2.
Part 2 — Configure Nametag as a Delegate IDP in Beyond Identity
This section enables Nametag to act as an OIDC identity provider within your existing IDP enrollment flow.
Step 1 — Add Generic OIDC Provider in Beyond Identity
In Beyond Identity Admin Console:
1. Click Identity Providers from the left-hand navigation, then click Add Identity Provider.
2. In the dialog window, enter the following values:
| Field | Value |
|---|---|
| Display Name | Nametag |
| Client ID | (Use the Client ID from Part 1, Step 6 — this is your Nametag Directory Client ID, not a new one) |
| Client Secret | Create a new API key in Nametag (see Step 3 below) |
| Token Scopes | openid |
| PKCE | Disabled |
| Token URL | https://nametag.co/oauth2/token |
| Token Endpoint Auth Method | client_secret_basic |
| Authorization URL | https://nametag.co/oauth2/authorize |
| JWKS URL | https://nametag.co/.well-known/jwks |
| Identifying Attribute | id |
| Identifying Claim Name | account.immutable_external_id |
| Requested Claims | {"id_token":{"account":null}} |
| OAuth 2PAR | Enabled |
| PAR Endpoint | https://nametag.co/oauth2/par |
Step 3 — Generate Client Secret in Nametag
In Nametag Console:
Navigate to OAuth → Create new API Key
Generate a new secret
Copy only the secret (do not reuse the Client ID here)
Return to Beyond Identity and paste this into Client Secret.
Step 4 — Save Configuration
In Beyond Identity Admin Console:
Paste the Client Secret from the previous section.
Click Save Changes.
Step 5 — Register Redirect URI in Nametag
In Beyond Identity Admin Console:
Copy the Redirect URI generated for this OIDC instance.
Then, in the Nametag Console:
Go to OAuth settings
Add this value as an Authorized Callback URL
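The settings in the Part 2, Step 1 table determine the shape of the OIDC requests in the enrollment flow. The Python code below is an added example, not Nametag or Beyond Identity code: it builds the pushed authorization request (RFC 9126) with client_secret_basic authentication, the browser redirect that follows, and the lookup of the identifying claim. The client ID, secret, redirect URI, state and nonce passed in are placeholders, and reading `account.immutable_external_id` as a nested path inside the `account` claim is an assumption.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

# Endpoint and setting values copied from the table in Part 2, Step 1.
PAR_ENDPOINT = "https://nametag.co/oauth2/par"
AUTHORIZATION_URL = "https://nametag.co/oauth2/authorize"
REQUESTED_CLAIMS = {"id_token": {"account": None}}
IDENTIFYING_CLAIM = "account.immutable_external_id"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 s2.3.1): form-encode each part, then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()


def build_par_request(client_id, client_secret, redirect_uri, state, nonce):
    """Back-channel POST with the authorization parameters; no PKCE challenge."""
    body = urlencode({
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "claims": json.dumps(REQUESTED_CLAIMS, separators=(",", ":")),
    })
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return PAR_ENDPOINT, headers, body


def build_authorize_url(client_id, request_uri):
    """Front-channel redirect: only client_id and the PAR request_uri appear."""
    return AUTHORIZATION_URL + "?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})


def identifying_value(id_token_claims, path=IDENTIFYING_CLAIM):
    """Resolve the dotted claim name (assumed nested); None if a level is missing."""
    node = id_token_claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node
```

With PAR enabled, the redirect URI and requested claims travel only in the authenticated back-channel POST, so a mismatch between the Redirect URI and the Authorized Callback URL from Step 5 is rejected at the PAR endpoint rather than in the browser.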
Final State — What you now have
After completing these steps:
Users from Beyond Identity are synchronized into Nametag.
Nametag is registered as a delegate OIDC IDP.
You can now create enrollments that require Nametag verification during IDP authorization.
You are now ready to use Nametag as part of your identity proofing workflow.