Ivanti Neurons currently offers the option of selecting Okta as the external authentication provider for your tenant. This is a good choice if you want to centralize the end-user logon experience, reduce the number of password-related calls to the help desk, and have granular control over policies and audit trails.
Configure & Enable External Authentication
- In Ivanti Neurons Platform navigate to Admin > Authentication.
- On the Authentication page, in the External Authentication (SSO) section, click Configure & Enable.
- On the Enable External Authentication (SSO) page, from the Provider drop-down list select Okta.
The Okta Configuration Settings will now display.
Before you can continue with the Ivanti Neurons configuration you must first carry out the following steps in Okta.
Step 1 - Create your Okta application
- Log in to Okta.
- In the sidebar menu select Applications > Applications.
- In the Applications dashboard, select Create App Integration. The Create a new app integration page displays.
- Select the Sign-in method OIDC - OpenID Connect.
- Select the Application type Web Application.
- Click Next. The New Web App Integration page displays.
- Give the application a name in App integration name.
- For the grant type select Implicit (hybrid).
- Enter the Sign-in redirect URI, as displayed in the Ivanti Neurons Platform Okta Configuration Settings.
- Enter the Sign-out redirect URI as displayed in the Ivanti Neurons Platform Okta Configuration Settings.
- In Assignments select the level of control you want over access.
- Select Save. The application is created.
- A Client ID and Client Secret are generated and displayed.
You need to record the Domain, Client ID and Client Secret ready to use in the next step of the setup in the Ivanti Neurons Platform.
Okta setup is now complete and you can return to Ivanti Neurons Platform.
Once you have created the Okta application you can continue with the Ivanti Neurons Platform configuration.
Return to the Okta Configuration Settings page (Ivanti Neurons Platform > Authentication > External Authentication (SSO) > Configure and Enable).
- Enter the Okta Domain from the user profile drop-down in the top-right of the Okta app integration.
- Enter the Auth Server ID. Set this to default. It only needs changing for a multi-tenant Okta; in that situation, enter the preferred tenant details.
- Enter the Client ID that was generated and saved from the Okta app integration.
- Enter the Client Secret value that was generated and saved from the Okta app integration.
- Select Continue to display the Validate Connection Settings page.
You need to connect with your Okta credentials to validate your connection settings.
- On the Validate Connection Settings page, click Validate Settings to open your organization's sign-in page in a new tab, then enter your Okta credentials and sign in. If you are already signed in, credentials are not required and the validation takes place automatically, so make sure you are signed in to the account you want to authenticate.
You will receive a confirmation screen if login is successful.
- Return to this tab (Validate Connection Settings).
- Select the check box I confirm I have successfully validated my connection settings to confirm you have logged in successfully.
- Click Continue to move on to convert Ivanti Neurons Platform accounts. The Enable Ivanti Neurons Platform accounts page displays.
The Okta username must exactly match your Ivanti Neurons username.
- E2018 Authentication failed: User failed to authenticate with Okta. Check the username and password are correct and that the user has permissions on the Okta Application Registration.
- E2020 Unable to link to Neurons Platform user account: The Okta user login does not match the Ivanti Neurons Platform user. The Ivanti Neurons Platform user account email address must match the email address used to log in to Okta.
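A pre-conversion check for the exact-match requirement above, as an added example that is not Ivanti or Okta code: it compares a list of Ivanti Neurons member email addresses against a list of Okta logins and reports who could not be linked. The CSV layouts, column names (`login`, `status`, `email`) and all sample rows are constructed assumptions, not a documented export format.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for illustration.
OKTA_USERS_CSV = """login,status
alice@example.com,ACTIVE
Bob@example.com,ACTIVE
carol@example.com,SUSPENDED
"""

NEURONS_MEMBERS_CSV = """email
alice@example.com
bob@example.com
carol@example.com
dave@example.com
"""


def check_members(okta_csv, neurons_csv):
    """Classify each Neurons member by whether an Okta sign-in could be linked."""
    okta = {}
    for row in csv.DictReader(io.StringIO(okta_csv)):
        okta[row["login"].strip()] = row["status"].strip().upper()
    # Case-folded index, used only to spot near misses that differ by case.
    by_folded = {login.casefold(): login for login in okta}

    report = {"ok": [], "case_mismatch": [], "inactive": [], "missing": []}
    for row in csv.DictReader(io.StringIO(neurons_csv)):
        email = row["email"].strip()
        if email in okta:
            # Exact match; a non-active Okta user still cannot sign in.
            bucket = "ok" if okta[email] == "ACTIVE" else "inactive"
            report[bucket].append(email)
        elif email.casefold() in by_folded:
            # The page requires an exact match, so flag case differences for review.
            report["case_mismatch"].append((email, by_folded[email.casefold()]))
        else:
            # No Okta login at all: this member would lose access after conversion.
            report["missing"].append(email)
    return report


if __name__ == "__main__":
    for bucket, members in check_members(OKTA_USERS_CSV, NEURONS_MEMBERS_CSV).items():
        print(f"{bucket}: {members}")
```

Resolve every entry outside `ok` before converting accounts, since members without a usable matching Okta login cannot access the tenant afterwards.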
Okta is now configured, but it is not enabled.
To enable, you need to convert your Ivanti Neurons Platform accounts to use Okta instead.
- On the Enable Ivanti Neurons Platform accounts page, click Sign Out & Enable. The Ivanti Neurons Sign In page displays.
- On the Ivanti Neurons Sign In page, select Sign In with Okta and enter your Okta credentials. The conversion is then complete.
All members will receive an email to confirm the account has been converted and that they must access the tenant with Okta credentials going forward. If the member does not have Okta credentials, they will not be able to access Ivanti Neurons.
External Authentication (SSO) will now display with an Enabled status.
Configure Auto Provisioning
Enabling auto provisioning will automatically grant access to Ivanti Neurons for all members within the Okta Application without having to go through the manual invite process. When a new member logs in for the first time, a new Ivanti Neurons Platform account will be provisioned in Ivanti Neurons > Members. All new auto provisioned members will be granted the access control roles defined in the set up.
- In Ivanti Neurons Platform navigate to Setup > Authentication to display the Authentication Method page.
- In the External Authentication (SSO) section, click Actions and select Enable auto provisioning.
- From the Default roles drop-down list, select the access control role that you want to be assigned to all new members.
To set up roles, go to Ivanti Neurons > Admin > Roles.
- Click Enable Auto Provisioning to confirm the role selection and enable auto provisioning for all new members.
Once enabled, the options Edit the default access control roles and Disable auto provisioning become available. Editing the roles or disabling auto provisioning does not affect existing auto-provisioned members; it only applies to members who are provisioned after the changes have been made.
Important: Once auto-provisioning has been enabled, everyone who has access to the Okta Application will have access to Ivanti Neurons. You can restrict access to certain users or groups from within the Okta Application. Refer to the Okta documentation for further details.
If you want to update the Okta client secret, you need to set a new one to continue using this authentication method.
- In Ivanti Neurons Platform navigate to Setup > Authentication.
- Click Actions and select Update client secret.
The Update Client Secret page displays.
- Enter the new client secret from your Okta application.
The Validate Client Secret page displays.
- Click Validate Client Secret. This opens your Okta sign-in page.
Enter your username and password; these are the same as the sign-in credentials for the Ivanti Neurons Platform. When you sign in, the new client secret is validated. If successful, return to this wizard and continue to update the client secret. If it is unsuccessful, go back and check that the new client secret you entered is accurate. For other failure reasons, see Okta Authentication.
- Once you have successfully validated the new client secret, select the confirmation check box I confirm I have successfully validated my new client secret and click Continue.
- Click Save Changes to complete the process. This updates the client secret with immediate effect; you are not required to do anything further.