Azure AD Authentication
Ivanti Neurons currently offers the option of selecting Azure AD as the external authentication provider for your tenant. This is a good choice if you want to centralize the end user logon experience, reduce the occurrence of password-related calls to the help desk, and have granular control over policies and audit trails.
To use Azure AD all members must accept the request for Ivanti to access their basic Azure profile data.
Configure & Enable External Authentication
- In Ivanti Neurons Platform navigate to Admin > Authentication.
- On the Authentication page, in the External Authentication (SSO) section, click Configure & Enable.
- On the Enable External Authentication (SSO) page, from the Provider drop-down list select Azure AD.
The Azure AD Configuration Settings will now display.
Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in Microsoft Azure Portal.
Step 1 - Create your Azure AD application
- Log in to Azure AD Admin Center as an Office 365 Administrator.
If the person setting up SSO is not an Azure administrator, then an Azure administrator needs to log in to Azure and approve the app's request for User-Read\Signin permissions.
- In the sidebar menu click All Services > App Registrations.
- In the App registrations dashboard, click New registration.
- Enter an appropriate name for the application, and accept the default supported account types: Accounts in this organizational directory only.
- Enter the Redirect URI, as displayed in the Neurons Platform Azure AD Configuration Settings.
- Click Register at the bottom of the dialog.
- An application (client) ID is generated and displayed.
You need to record the Application (client) ID and Directory (tenant) ID, as both are required for the next stage of the setup in Ivanti Neurons.
Step 2 - Configure Authentication Settings
- Select Authentication from the App Registration menu.
- Navigate to Advanced Settings.
- Enter the Logout URL, as displayed in the Neurons Platform Azure AD Configuration Settings.
- Under the Implicit grant section, make sure the ID tokens check box is selected.
- Click Save.
Step 3 - Create a Secret
- From within the created app, navigate to App Registration > Certificates & Secrets.
- Create New Client Secret.
- Add a description.
- Select the expiry duration in line with your company standards.
- Click Add.
- A value is created; copy it somewhere safe, because this is the only time it can be viewed.
Make sure you copy the Secret Value and not the Secret ID.
Azure AD setup is now complete and you can return to Ivanti Neurons Platform.
The secret lifetime is finite, so your company should take measures to ensure it is replaced prior to expiry to avoid any outage of Ivanti Neurons. See Update Client Secret to learn how.
Step 4 - Token Configuration
Set up token configuration so you can use auto provisioning.
- Select Token Configuration from the App Registration menu.
- Select Add Optional Claim to open the side panel.
- For the Token type, select ID.
- From the Claims list, select email, family_name and given_name. This allows the email, last name, and first name to be obtained for new Ivanti Neurons members, which is a requirement when using auto provisioning.
- Click Add.
Once you have created the Azure AD application (client), directory (tenant), and secret, you can continue with the Ivanti Neurons Platform configuration.
Return to the Azure AD Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure & Enable).
- Enter the Directory (Tenant) ID from Azure AD app registration.
- Enter the Application (Client) ID from Azure AD app registration.
- Enter the Client secret value that was generated and saved.
- Enter the Client secret expiry date; this should match the expiry date specified when creating the client secret. See Update Client Secret for further details.
- Click Continue to display the Validate Connection Settings page.
You need to connect with your Azure AD credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to access your organization's sign-in page via a new tab, enter your Azure AD credentials and proceed to sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
You will receive a confirmation screen if login is successful.
- Return to this tab (Validate Connection Settings).
- Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
- Click Continue to move on to convert Ivanti Neurons Platform accounts. The Enable Ivanti Neurons Platform accounts page displays.
Validation Troubleshooting
The Azure username must exactly match your Ivanti Neurons username. The following errors can be reported during validation:
- E2018 Authentication failed: User failed to authenticate with Azure AD. Check that the username and password are correct and that the user has permissions on the Azure AD Application Registration.
- E2019 Missing optional claims: Validation step failed because the additional optional claims were not present in the token returned to Neurons Platform from Azure AD.
- E2020 Unable to link to Neurons Platform user account: The Azure AD user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Azure AD.
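As an added example (not Ivanti's code), the following Python mirrors the two claim-related validation failures listed above: it reads the claims from an Azure AD ID token and reports E2019 when the Step 4 optional claims are absent, or E2020 when the token's email does not match the Neurons account email. It assumes the token signature has already been verified by the platform; the sample token builder and the example addresses are constructed for illustration only.

```python
import base64
import json
from typing import Optional

# Optional ID-token claims the page says auto provisioning needs (Step 4).
REQUIRED_CLAIMS = ("email", "family_name", "given_name")

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. The signature is deliberately NOT
    checked here: assume the platform has already validated it against the
    tenant's signing keys before the claim checks below are applied."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))

def link_check(id_token: str, neurons_account_email: str) -> Optional[str]:
    """Mirror the E2019/E2020 failures the page lists; returns None when the
    token can be linked, otherwise a string starting with the error code."""
    claims = id_token_claims(id_token)
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        return "E2019 Missing optional claims: " + ", ".join(missing)
    # The page requires an exact match between the Azure AD login email and
    # the Neurons account email; no case folding or aliasing is assumed.
    if claims["email"] != neurons_account_email:
        return "E2020 Unable to link to Neurons Platform user account"
    return None

def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for local testing only."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."

if __name__ == "__main__":
    ok = make_sample_token({"email": "jane.doe@example.com",
                            "family_name": "Doe", "given_name": "Jane"})
    print(link_check(ok, "jane.doe@example.com"))  # None
    bad = make_sample_token({"email": "jane.doe@example.com"})
    print(link_check(bad, "jane.doe@example.com"))  # E2019 Missing optional claims: family_name, given_name
```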
Azure AD is now configured, but it is not enabled.
To enable, you need to convert your Ivanti Neurons Platform accounts to use Azure AD instead.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable. The Ivanti Neurons Sign In page displays.
- On the Ivanti Neurons Sign In page, select Sign In with Azure AD and enter your Azure AD credentials; the conversion is then complete.
All members will receive an email to confirm that the account has been converted and that they must access the tenant with Azure AD credentials going forward. If a member does not have Azure AD credentials, they will not be able to access Ivanti Neurons.
External Authentication (SSO) will now display with an Enabled status.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Azure AD App Registration without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.
- In Ivanti Neurons Platform navigate to Setup > Authentication to display the Authentication Method page.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down list, select the access control role that you want to be assigned to all new members.
To set up roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles or disabling auto provisioning will not affect existing auto provisioned members; it only applies to members provisioned after the change has been made.
You must configure the Optional Claims from Step 4 - Token Configuration for auto provisioning to work.
Important: Once auto-provisioning has been enabled, everyone who has access to the Azure App Registration will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the Azure AD Portal. Refer to the Microsoft Azure documentation for further details.
Update Client Secret
If the Azure AD client secret is due to expire, you need to set a new one to continue using this authentication method.
- In Ivanti Neurons Platform navigate to Setup > Authentication.
- Click Actions and select Update client secret.
The Update Client Secret page displays.
- Enter the new client secret from your Azure AD application.
- Enter the date to receive a reminder of when the client secret is due to expire.
A reminder banner will display in the UI and an email reminder will be sent to users with the Admin role, 28 days before expiry. Further reminder emails will be sent 7 days before and a day before expiry.
If the client secret is allowed to expire and a new one is not set, access to the service will be interrupted and you will need to contact Ivanti Support to regain access.
The Validate Client Secret page displays.
- Click Validate Client Secret; this opens your Azure AD sign-in page.
Enter your username and password; these are the same as the sign-in credentials for the Ivanti Neurons Platform. When you sign in, the new client secret is validated. If successful, return to this wizard and continue to update the client secret. If it is unsuccessful, go back and check that the new client secret you entered is accurate. For other failure reasons, see Validation Troubleshooting.
- Once you have successfully validated the new client secret, select the confirmation check box I confirm I have successfully validated my new client secret, and click Continue.
- Click Save Changes to complete the process. This updates the client secret and the expiry reminder with immediate effect; you are not required to do anything further.